Posted by: Ken Harthun
Browsers, Opera, Remote Code Execution, Security bulletin, Zero-day exploit, Zero-day vulnerability
Just as Opera completed patches for critical vulnerabilities in its browser, researchers discovered another remote code execution bug. In its recent article, “Opera scrambles to quash zero-day bug in freshly-patched browser,”
The Register reports:
Among the bugs squashed in Opera 9.61 was a stored cross site scripting (XSS) vulnerability that allowed attackers to view victims’ browsing history. That attack is no longer possible, but now researchers have discovered an even more serious exploit that’s based on the same weakness.
Until Opera releases version 9.62, which should be “very, very soon” according to Opera spokesman Thomas Ford, your best bet is to disable iFrames and turn off scripting. Open opera:config and select Extensions|iFrames. Change the setting from “1″ to “0.” Similarly, change Extensions|Scripting from “1″ to “0.”
Bear in mind that the above temporary workaround is going to break a lot of sites that use scripting. It would be simpler if Opera had some way to designate “trusted sites” (or a plug-in like NoScript), but I’m not aware of any way to do this. Hit the comments and let me know if there’s a better workaround (I haven’t used Opera since my conversion to Firefox four years ago).