Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT Security Bulletin ASB-2012.0090 Multiple vulnerabilities have been fixed in Opera 11.65 and 12 20 June 2012 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Opera Operating System: Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Cross-site Scripting -- Remote with User Interaction Provide Misleading Information -- Remote with User Interaction Access Confidential Data -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2012-3560 CVE-2012-3558 CVE-2012-3557 CVE-2012-3556 CVE-2012-3555 Member content until: Friday, July 20 2012 OVERVIEW Multiple vulnerabilities have been fixed in Opera 11.65 and 12. IMPACT The vendor has provided the following information: CVE-2012-3555: "When a user is interacting with a window, that window should be visible to the user, to ensure that the user realizes it is there. If a page is displayed in a small enough window, the user may not realize it is being displayed, and if the right keyboard sequence is carefully followed, they can end up performing undesirable actions on that page. Similar attacks could also be used against Opera's preferences to change preferences or select executables to be run by Opera. Additional social engineering steps are needed to ensure that the user presses the correct key sequence, without being able to show any relevant visual feedback, as the page cannot see that the keys are being pressed." [1] CVE-2012-3556: "When a user double clicks on a page, they may expect the two clicks to target the same object. If a page uses the first click to open a pop-up window in a predictable location, the second click may focus parts of the new window, such as its address field. If the page can then convince the user to activate a scripted URL seeded in the address field, on a newly loaded target page within the pop-up, it can allow cross site scripting against the target page. Similar attacks could also be used against Opera's preferences to change preferences or select executables to be run by Opera. Non-trivial social engineering would be required to ensure that the user followed the desired sequence of clicks and keypresses, at precisely the right speed, while ignoring the opening and loading of pages within the pop-up." [2] CVE-2012-3557: "JSON strings are sometimes exported by sites as a resource that cannot be read cross-domain, and may contain confidential data. The format of a JSON string ensures that it cannot be read as the contents of a variable, if it is included as a normal script. In some cases, Opera does not correctly impose this restriction, and allows pages to load a cross-domain JSON resource, and read some of its contents as JavaScript variables, exposing the data contained in the JSON." [3] CVE-2012-3558: "The address field should always show the address of the page that is being displayed. Certain types of navigation, combined with reloads and redirects to a slowly-responding target site can cause the address field to show the target site's address, while the attacking site is still being displayed." [4] CVE-2012-3560: "When a user types a new URL for the browser to load, the currently active page may detect when the new page is about to load and prevent the navigation, while still leaving the new URL displayed in the address bar. This can then be used to spoof the URL of the target page. The malicious page would need to employ social engineering tactics in order to guess what page the user is likely to try to load next, as it cannot see what URL the user has typed."[5] MITIGATION Users should upgrade to Opera version 11.65 or 12.[1][2][3][4][5] REFERENCES [1] Hidden keyboard navigation can allow cross site scripting or code execution http://www.opera.com/support/kb/view/1021/ [2] A combination of clicks and key presses can lead to cross site scripting or code execution http://www.opera.com/support/kb/view/1020/ [3] Cross-domain JSON resources may be exposed as JavaScript variable data http://www.opera.com/support/kb/view/1019/ [4] Carefully timed reloads, redirects, and navigation can spoof the address field http://www.opera.com/support/kb/view/1018/ [5] Pages can prevent navigation to a target page, spoofing the address field http://www.opera.com/support/kb/view/1022/ AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBT+EaMu4yVqjM2NGpAQIF5RAAir8Sx5JNvlJiXgriYqMJgxf36vXnNodD rOiUlB0F+c3UulgJm5lNR0j4ioBfrFvOvkkMw3f6BX76ADRHKtHjSW6u+KAFA31n wAd8eeNkYbi4DbIwmBRVJbjQxE1av1pftFYFsMykZ2SkQGp23qM1VXDcELscdj1V 138NvrYqx9TIldMeZ7dzVHbb2XCFU5Xih93an4P1JI/YVM//r/H5T34zaXlHFL+z 1IW+2Z2+ah6/JblaWwCK0wSqOuQhlYnpF3turCjHbJYbFdzQwPcHZfITUM9Ie+dr Fpec8+scyoZXxT+JkP38J8XeCtm9VeKUVH8WdrhIlxaoKfVcSJ8g/Z2O4O52i0w0 fpqUnx/HKlvz/cth2UkvBHoaWPyovEB1a7pzepUfnTmGLQBM+F6oc6NAsRaB0n8D 3MACA98dfJVqbqCaXQ82unxounWwxyG4rt0efXiLHskLtZPX175LrBg2zW1fN035 vrJB0vrSMk/lgL5NIlMWpredN+QzkMePW+eJRHsGbiG9sT5XV2qofuFL5lQRCjS6 I5+4JtLe9TcOE5VQddkE3DvLvNw9eB9Mt0WvTnlGPk7LFAN354NtRcKDbsjg8ihg BUnGojBLlMPSaPWHmG9SVCj68qoJ9B5BtbmqQER3yGGeet2BtkHRkkp57jwc4IRZ AM0Ds03dsbY= =DIP1 -----END PGP SIGNATURE-----