Opera to Patch Browser Vulnerability Soon

Opera Software will soon patch a vulnerability in its Web browser that could allow an attacker to run malicious software on a Windows computer.

The problem affects Opera browser version 10.50 running on Windows and possibly others, according to an advisory from Danish security company Secunia.

Opera said two Windows security features -- Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) -- can make it more difficult to compromise a computer.

"If these two Windows security features are enabled, the probability of carrying through a successful attack becomes much smaller than it already was," Opera said.

The company said it is testing a fix and will release the update soon. In the meantime, if users encounter a Web site that crashes the browser, they should not go back to that site.

Developing the fix took time because of some initial confusion about the problem.

Opera said it was informed of the vulnerability on March 4, a few days after it released the 10.50 version of the browser.

Secunia alerted Opera to the issue, which initially appeared not to be remotely exploitable and just caused the browser to crash, but later told Opera that the memory corruption problem could lead to a more dangerous scenario.

"Secunia did provide us with an example that would cause a random crash, showing that it was at least possible to provoke possible code execution later," Opera said. But "we think it is unlikely that this can be done in a predictable fashion."

The vulnerability was erroneously reported as a zero-day attack on at least one other security Web site, "which is misleading as no working exploit has been published nor is the vulnerability being actively exploited," according to Carsten Eiram, chief security specialist for Secunia, writing on the company's blog.

"Instead, it was an uncoordinated (commonly termed: 'irresponsible') disclosure as the vulnerability report was published without the reporter first informing the vendor," Eiram wrote. "Adding to the confusion, Opera Software's initial analysis of the vulnerability concluded that it was not a vulnerability and this was communicated on the Opera Software forum and to the media."
