Opera Software Browser Fixes

Written by Mike Rede on November 24, 2008

About a month ago, Opera Software, a Norwegian browser maker, provided fixes for their browser, which was vulnerable to some extremely severe weaknesses. Opera Software made available Opera 9.61, which corrected an issue with their History Search. Such history searches could be used to reveal the history of site visits. The other bugs fixed were the Fast Forward bug, which was a stored cross-site scripting (XSS) vulnerability, and an information disclosure bug in news feeds.

After correcting these bugs, Opera Software discovered another vulnerability, deemed more serious than the History Search bug and, surprisingly, based on the same weakness. This new zero-day bug exposed Windows systems to remote code execution attacks.

I talked about an RPC bug in a previous post which allowed hackers to remotely run arbitrary code on a user’s machine. This bug, as of last month, manifested itself on the Opera browser such that whenever a user viewed an infected web page with Opera they would now be vulnerable to having malicious code run on their system without their knowledge.

You think that you’re safe when all you do is view a web site. Viewing a web page should be the equivalent of opening a document in read-only mode. What harm can be done by that? Now we have another exposure.

The attack also works on other operating systems such as Linux and OS X.

I thought Opera did a pretty good job in providing an update (http://www.opera.com/docs/changelogs/windows/962/) fairly quickly that fixed the problem.

The vulnerability came about as a proof of concept attack and was jointly discovered by researchers Roberto Suggi and Stefano Di Paola. Di Paola and Raff had discussed Opera’s browser history vulnerability and how that might further be exploited. As a test, they created their own proof of concept attack which launched a PC’s calculator.

Other browsers are also vulnerable to such attacks. Hackers could exploit an FTP client’s XSS design to execute similar malicious code unbeknownst to the user, all under the guise of an FTP session.
