TUCoPS :: Browsers :: va2117.htm

Opera HTML parsing Code Execution
n.runs-SA-2008.010 - Opera HTML parsing Code Execution
n.runs-SA-2008.010 - Opera HTML parsing Code Execution

Hash: SHA1

n.runs AG
http://www.nruns.com/ security(at)nruns.com 
n.runs-SA-2008.010                                          16-Dec-2008

Vendor: Opera Software ASA, http://www.opera.com 
Affected Products:     Opera Browser all platforms
Vulnerability:         HTML parsing flaw lead to remote code execution
Risk:                  HIGH

Vendor communication:

2008/11/10    Initial notification to Opera including n.runs RFP and 
              n.runs PGP public key
2008/11/12    Opera response and remarks to agree in general with 
              n.runs RFP but depending on the issue the timeline for a
              fix might have to be longer than the one mentioned in
              n.runs RFP (30 days)
2008/11/12    n.runs replies and outlines following a responsible
              disclosure policy as long as Opera keep n.runs in the
              loop. n.runs send with same email a zip archive including
              two PoC files and detailed crash log analysis
2008/11/14    n.runs resends the last email with a download link for
              the PoCs because Opera's MX Server did not accept the
              enclosed encrypted zip archive
2008/11/14    Opera acknowledges the PoC files
2008/11/24    Opera communicates to n.runs that they identified the
              nature of the issue and that they are looking into a fix
2008/12/12    Opera sends n.runs a current draft of the Opera advisory
              and notifies new version is scheduled to be released
              early next week
2008/12/16    Opera releases Opera 9.63 [1]
2008/12/16    n.runs releases this advisory



Quoting http://www.opera.com/company/: 
"Opera started in 1994 as a research project within Norway's largest 
telecom company, Telenor. Within a year, it branched out to become an
independent development company named Opera Software ASA. 

Today, Opera Software develops the Opera Web browser, a high-quality,
multi-platform product for a wide range of platforms, operating systems
and embedded Internet products - including Mac, PC and Linux computers, 
mobile phones and PDAs,game consoles and other devices like the 
Nintendo Wii and DS, Sony Mylo and more. 

Opera's vision is to deliver the best Internet experience on any 
device. Opera's key business objective is to earn global leadership in
the market for PC / desktops and embedded products. Opera's main 
business strategy is to provide a browser that operates across devices,
platforms and operating systems, and can deliver a faster, more stable
and flexible Internet experience than its competitors."


A remotely exploitable vulnerability has been found in the
HTML parsing engine.

In detail, the following flaw was determined:

- - Certain HTML constructs affecting an internal heap structure. As a
result of a pointer calculation, memory may be corrupted in such a way
that an attacker could execute arbitrary code. 


An attacker could exploit the vulnerability by constructing a specially
prepared Websit. When a user views the Web page, the vulnerability
could allow remote code execution. An attacker who successfully
exploits this vulnerability could gain the same user rights as the
logged-on user. 


Opera has issued an update to correct this vulnerability.
For detailed information about the fixes follow the link in
References [1] section of this document.

n.runs AG wants to highlight the fluent communication with Opera and
its very quick response to validate and fix the issue.

Bugs found by Alexios Fakos of n.runs AG. 

http://www.opera.com/support/kb/view/921/ [1] 

This Advisory and Upcoming Advisories:

Unaltered electronic reproduction of this advisory is permitted. For 
all other reproduction or publication, in printing or otherwise, 
contact security@nruns.com for permission. Use of the advisory 
constitutes acceptance for use in an "as is" condition. All warranties
are excluded. In no event shall n.runs be liable for any damages 
whatsoever including direct, indirect, incidental, consequential loss 
of business profits or special damages, even if n.runs has been advised
of the possibility of such damages. 

Copyright 2008 n.runs AG. All rights reserved. Terms of use apply.

Version: PGP Desktop 9.8.1 (Build 2523)
Charset: us-ascii


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH