


by Paul Kerstein

Opera Patches Two Browser Security Flaws

Nov 28, 2005

Opera Software ASA has released an upgrade addressing two serious security flaws involving Macromedia’s Flash Player and a code execution bug affecting Linux and Unix users.

The first problem relates to Flash Player and was made public earlier this month. Macromedia warned that the bug in Flash Player, one of the most widely used pieces of software on the desktop, could allow attackers to take over a system.

The security research firm co-credited with discovering the bug, eEye, said it had demonstrated “reliable exploitation” using the bug in the Internet Explorer browser, but other browsers are also said to be just as open to attack.

Opera’s fix arrived this week with Opera 8.5.1, which includes Flash Player version 7r61, fixing the problem.

The release also fixes a problem identified by Secunia Research, involving the shell script used to launch Opera in Linux and Unix environments. The flawed script processes shell commands enclosed in URLs passed to Opera via the command line.

That means an attacker could execute malicious shell commands on a user’s system via an innocent-seeming URL in an email message, for example. The command would be executed when the user clicked on the URL and invoked Opera.
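The general class of launcher-script bug described above, shown as an added example that is not taken from Opera's script or Secunia's advisory. The `eval` pattern, the `fake_browser` stand-in and the sample URL are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added illustration; not Opera's launcher script.
# fake_browser is a hypothetical stand-in for the real browser binary:
# it prints every argument it receives, wrapped in brackets.
fake_browser() {
    for arg in "$@"; do
        printf '[%s]' "$arg"
    done
}

# Unsafe pattern (assumed for this example): the wrapper builds a command
# string and hands it back to the shell, so any substitution embedded in
# the URL is parsed and evaluated a second time.
launch_unsafe() {
    eval "fake_browser $*"
}

# Hardened pattern: arguments are forwarded as data with "$@".
# The shell never re-parses them, so the URL reaches the browser verbatim.
launch_safe() {
    fake_browser "$@"
}

# Constructed sample input: a URL carrying a harmless command substitution.
SAMPLE_URL='http://example.test/$(echo INJECTED)'

demo() {
    printf 'unsafe wrapper passed: %s\n' "$(launch_unsafe "$SAMPLE_URL")"
    printf 'safe wrapper passed:   %s\n' "$(launch_safe "$SAMPLE_URL")"
}

demo
```

In the unsafe wrapper the browser receives a URL that the shell has already rewritten; in the hardened wrapper the substitution text arrives untouched as part of the URL.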

The shell script bug doesn’t just affect Opera — it is a variant of a problem with the Firefox browser disclosed in September.

Opera said the update also improves stability when viewing pages with Java for users of Japanese Mac OS X systems.

By Matthew Broersma –