Opera released its first web browser upgrade of the year to version 12.13 for Mac OS X and other operating systems, fixing bugs mostly related to arbitrary code execution. The recommended upgrade offers security fixes and stability enhancements, along with general and User Interface (UI) fixes:
- Fixed an issue where Opera gets internal communication errors on Facebook
- Fixed an issue where no webpages load on startup if Opera is disconnected from the Internet
- Fixed an issue where images will not load after back navigation, when a site uses the HTML5 history API (e.g., deviantart.com)
In addition to a number of general and UI issues fixed in this software upgrade, Opera Software resolved two high-severity issues and one low-severity issue. Details of the three security issues are as follows:
An issue where DOM events manipulation might be used to execute arbitrary code:
Particular DOM event manipulations can cause Opera to crash. In some cases, this crash might occur in a way that allows execution of arbitrary code. To inject code, additional techniques would have to be employed.
Issues where use of SVG clipPaths can allow execution of arbitrary code:
When SVG documents with specifically prepared clipPaths are used in Opera, Opera may allow other content to overwrite the memory, before referencing the memory, which will lead to a crash. If an attacker can control the contents being written into memory, execution of arbitrary code may occur.
A problem where CORS requests can omit the preflight request:
Cross-Origin Resource Sharing (CORS) requests are required to send a preflight request if custom headers are included, to check that the host wishes to allow the full request to be made. An example of where this may be needed is for sites that use a custom header with a static value as part of their protection against Cross Site Request Forgery (XSRF) attacks.
In some specific cases, Opera may fail to make the preflight request. This means that any site that uses a custom XMLHttpRequest header as its only protection against XSRF can have that protection compromised by a specific type of CORS request in Opera. An attacking site could provide that same static header value and bypass the preflight request, allowing it to submit the request to the target site without permission. In such cases, the HTTP Referer header is still sent correctly, which the target site may use to detect the attack.
Because of the issue where CORS requests can omit the preflight request, Opera Software strongly encourages website authors to use more reliable XSRF protection techniques, “such as sending a secret token in the form of data for any HTTP requests (including XMLHttpRequests) that will initiate sensitive actions,” the company said. “These secret tokens can then be validated by the server-side code before performing the action.”
Users can update the software using the program’s built-in updater (choose Opera > Check for Updates), through its auto-updater (this can be turned on in Preferences > Advanced > Security), or from the Opera website.