Secunia CSI7
About us
Careers
Memberships
Newsroom
Contact us
Blog
News
Articles

Confusion about Opera vulnerability

Get this blog as an RSS Feed
There has lately been some confusion about a vulnerability reported in the Opera browser and rightly so based on the different statements having been issued.
16:55 CET on the 8th March 2010
Entry written by Carsten Eiram.

There has lately been some confusion about a vulnerability reported in the Opera browser and rightly so based on the different statements having been issued.

The vulnerability was reported as an integer overflow when processing the "Content-Length" header and accompanied by a PoC that always crashed when copying memory due to an overly large size. Based on the provided PoC and report, it immediately seemed like the crash would always occur and executing code would not be possible.

Before issuing a Secunia advisory, a security specialist was tasked with thoroughly analysing the vulnerability report, cause of the crash, and potential impact. It turned out that the vulnerability is not caused by an integer overflow error. Instead, in certain cases when a 64-bit "Content-Length" value is interpreted as negative, the higher 32-bit value is ignored and lower 32-bit value is used to copy data. It is, therefore, possible to manipulate the size value in a manner to successfully corrupt memory and occasionally cause conditions where it is possible to gain control of the execution flow.

At least one other site did, as usual, abuse the opportunity to hype the vulnerability and refer to it as a 0-day, which is misleading as no working exploit has been published nor is the vulnerability being actively exploited. Instead, it was an uncoordinated (commonly termed: "irresponsible") disclosure as the vulnerability report was published without the reporter first informing the vendor.

Adding to the confusion, Opera Software's initial analysis of the vulnerability concluded that it was not a vulnerability and this was communicated on the Opera Software forum and to the media. Opera Software also contacted Secunia, asking us to update our advisory or alternatively that we provide them with additional information.

During the past days, we have, therefore, been working with Opera Software and providing them with details to clarify that the threat is not just a crash, but has code execution potential. Opera Software has acknowledged to us that they are now handling it as a security issue and will be issuing an advisory and fix as soon as possible.

Stay Secure,

Carsten Eiram
Chief Security Specialist

Discuss this blog entry
A new thread in our forum is created. Activate the thread by commenting/discussing below.
Subject: Confusion about Opera vulnerability
 
No posts yet

-

You must be logged in to post a comment.



 Products Solutions Customers Partner Resources Company
 
 Corporate
Vulnerability Intelligence Manager (VIM)
Corporate Software Inspector (CSI)
Consumer
Personal Software Inspector (PSI)
Online Software Inspector (OSI)
 Industry
Compliance
Technology
Integration
 Customers
Testimonials
 VARS
MSSP
Technology Partners
References
 Reports
Webinars
Events
 About us
Careers
Memberships
Newsroom


 
© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144
Terms & Conditions and Copyright - Privacy - Report Vulnerability