Operating System:

[WIN][UNIX/Linux]

Published:

20 June 2012

Protect yourself against future threats.

//Service

AusCERT Education

Enhance your knowledge with our exceptional one day training offerings for individuals and organisations

Read more
Resources > Security Bulletins > ASB-2012.0090 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2012.0090
      Multiple vulnerabilities have been fixed in Opera 11.65 and 12
                               20 June 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Opera
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Cross-site Scripting            -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-3560 CVE-2012-3558 CVE-2012-3557
                      CVE-2012-3556 CVE-2012-3555 
Member content until: Friday, July 20 2012

OVERVIEW

        Multiple vulnerabilities have been fixed in Opera 11.65 and 12.


IMPACT

        The vendor has provided the following information:
        
        CVE-2012-3555:
        "When a user is interacting with a window, that window should be
        visible to the user, to ensure that the user realizes it is there. If
        a page is displayed in a small enough window, the user may not realize
        it is being displayed, and if the right keyboard sequence is carefully
        followed, they can end up performing undesirable actions on that page.
        Similar attacks could also be used against Opera's preferences to
        change preferences or select executables to be run by Opera. Additional
        social engineering steps are needed to ensure that the user presses the
        correct key sequence, without being able to show any relevant visual
        feedback, as the page cannot see that the keys are being pressed." [1]
        
        CVE-2012-3556:
        "When a user double clicks on a page, they may expect the two clicks to
        target the same object. If a page uses the first click to open a pop-up
        window in a predictable location, the second click may focus parts of
        the new window, such as its address field. If the page can then
        convince the user to activate a scripted URL seeded in the address
        field, on a newly loaded target page within the pop-up, it can allow
        cross site scripting against the target page. Similar attacks could
        also be used against Opera's preferences to change preferences or
        select executables to be run by Opera. Non-trivial social engineering
        would be required to ensure that the user followed the desired sequence
        of clicks and keypresses, at precisely the right speed, while ignoring
        the opening and loading of pages within the pop-up." [2]
        
        CVE-2012-3557:
        "JSON strings are sometimes exported by sites as a resource that cannot
        be read cross-domain, and may contain confidential data. The format of
        a JSON string ensures that it cannot be read as the contents of a
        variable, if it is included as a normal script. In some cases, Opera
        does not correctly impose this restriction, and allows pages to load a
        cross-domain JSON resource, and read some of its contents as JavaScript
        variables, exposing the data contained in the JSON." [3]
        
        CVE-2012-3558:
        "The address field should always show the address of the page that is
        being displayed. Certain types of navigation, combined with reloads and
        redirects to a slowly-responding target site can cause the address
        field to show the target site's address, while the attacking site is
        still being displayed." [4]
        
        CVE-2012-3560:
        "When a user types a new URL for the browser to load, the currently
        active page may detect when the new page is about to load and prevent
        the navigation, while still leaving the new URL displayed in the
        address bar. This can then be used to spoof the URL of the target page.
        The malicious page would need to employ social engineering tactics in
        order to guess what page the user is likely to try to load next, as it
        cannot see what URL the user has typed."[5]


MITIGATION

        Users should upgrade to Opera version 11.65 or 12.[1][2][3][4][5]


REFERENCES

        [1] Hidden keyboard navigation can allow cross site scripting or code
            execution
            http://www.opera.com/support/kb/view/1021/

        [2] A combination of clicks and key presses can lead to cross site
            scripting or code execution
            http://www.opera.com/support/kb/view/1020/

        [3] Cross-domain JSON resources may be exposed as JavaScript variable
            data
            http://www.opera.com/support/kb/view/1019/

        [4] Carefully timed reloads, redirects, and navigation can spoof the
            address field
            http://www.opera.com/support/kb/view/1018/

        [5] Pages can prevent navigation to a target page, spoofing the address
            field
            http://www.opera.com/support/kb/view/1022/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBT+EaMu4yVqjM2NGpAQIF5RAAir8Sx5JNvlJiXgriYqMJgxf36vXnNodD
rOiUlB0F+c3UulgJm5lNR0j4ioBfrFvOvkkMw3f6BX76ADRHKtHjSW6u+KAFA31n
wAd8eeNkYbi4DbIwmBRVJbjQxE1av1pftFYFsMykZ2SkQGp23qM1VXDcELscdj1V
138NvrYqx9TIldMeZ7dzVHbb2XCFU5Xih93an4P1JI/YVM//r/H5T34zaXlHFL+z
1IW+2Z2+ah6/JblaWwCK0wSqOuQhlYnpF3turCjHbJYbFdzQwPcHZfITUM9Ie+dr
Fpec8+scyoZXxT+JkP38J8XeCtm9VeKUVH8WdrhIlxaoKfVcSJ8g/Z2O4O52i0w0
fpqUnx/HKlvz/cth2UkvBHoaWPyovEB1a7pzepUfnTmGLQBM+F6oc6NAsRaB0n8D
3MACA98dfJVqbqCaXQ82unxounWwxyG4rt0efXiLHskLtZPX175LrBg2zW1fN035
vrJB0vrSMk/lgL5NIlMWpredN+QzkMePW+eJRHsGbiG9sT5XV2qofuFL5lQRCjS6
I5+4JtLe9TcOE5VQddkE3DvLvNw9eB9Mt0WvTnlGPk7LFAN354NtRcKDbsjg8ihg
BUnGojBLlMPSaPWHmG9SVCj68qoJ9B5BtbmqQER3yGGeet2BtkHRkkp57jwc4IRZ
AM0Ds03dsbY=
=DIP1
-----END PGP SIGNATURE-----