Hash: SHA1

                         AUSCERT Security Bulletin

      Multiple vulnerabilities have been fixed in Opera 11.65 and 12
                               20 June 2012


        AusCERT Security Bulletin Summary

Product:              Opera
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Cross-site Scripting            -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-3560 CVE-2012-3558 CVE-2012-3557
                      CVE-2012-3556 CVE-2012-3555 
Member content until: Friday, July 20 2012


        Multiple vulnerabilities have been fixed in Opera 11.65 and 12.


        The vendor has provided the following information:
        "When a user is interacting with a window, that window should be
        visible to the user, to ensure that the user realizes it is there. If
        a page is displayed in a small enough window, the user may not realize
        it is being displayed, and if the right keyboard sequence is carefully
        followed, they can end up performing undesirable actions on that page.
        Similar attacks could also be used against Opera's preferences to
        change preferences or select executables to be run by Opera. Additional
        social engineering steps are needed to ensure that the user presses the
        correct key sequence, without being able to show any relevant visual
        feedback, as the page cannot see that the keys are being pressed." [1]
        "When a user double clicks on a page, they may expect the two clicks to
        target the same object. If a page uses the first click to open a pop-up
        window in a predictable location, the second click may focus parts of
        the new window, such as its address field. If the page can then
        convince the user to activate a scripted URL seeded in the address
        field, on a newly loaded target page within the pop-up, it can allow
        cross site scripting against the target page. Similar attacks could
        also be used against Opera's preferences to change preferences or
        select executables to be run by Opera. Non-trivial social engineering
        would be required to ensure that the user followed the desired sequence
        of clicks and keypresses, at precisely the right speed, while ignoring
        the opening and loading of pages within the pop-up." [2]
        "JSON strings are sometimes exported by sites as a resource that cannot
        be read cross-domain, and may contain confidential data. The format of
        a JSON string ensures that it cannot be read as the contents of a
        variable, if it is included as a normal script. In some cases, Opera
        does not correctly impose this restriction, and allows pages to load a
        cross-domain JSON resource, and read some of its contents as JavaScript
        variables, exposing the data contained in the JSON." [3]
        "The address field should always show the address of the page that is
        being displayed. Certain types of navigation, combined with reloads and
        redirects to a slowly-responding target site can cause the address
        field to show the target site's address, while the attacking site is
        still being displayed." [4]
        "When a user types a new URL for the browser to load, the currently
        active page may detect when the new page is about to load and prevent
        the navigation, while still leaving the new URL displayed in the
        address bar. This can then be used to spoof the URL of the target page.
        The malicious page would need to employ social engineering tactics in
        order to guess what page the user is likely to try to load next, as it
        cannot see what URL the user has typed."[5]


        Users should upgrade to Opera version 11.65 or 12.[1][2][3][4][5]


        [1] Hidden keyboard navigation can allow cross site scripting or code

        [2] A combination of clicks and key presses can lead to cross site
            scripting or code execution

        [3] Cross-domain JSON resources may be exposed as JavaScript variable

        [4] Carefully timed reloads, redirects, and navigation can spoof the
            address field

        [5] Pages can prevent navigation to a target page, spoofing the address

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967