Alternative Web browser company Opera Software on Thursday pushed out a new version of its flagship browser to fix several cross-site scripting vulnerabilities discovered by private security researchers.
The Norwegian company recommends that Windows users upgrade to Opera 8.0.1 to protect against malicious hacker attacks.
In all, the Opera update addresses five different vulnerabilities and also fixes a range of other security-related bugs.
The most serious issue, according to Operas changelog, is an XMLHttpRequest redirect vulnerability that can be exploited by malicious attackers to steal content or to perform actions on other Web sites with the target users privileges.
Security research outfit Secunia Inc., which discovered and reported the flaw to Opera, rates it as “moderately critical.”
Under normal circumstances, Secunia said it should not be possible for the XMLHttpRequest object to access resources from outside the domain of which the object was opened.
“However, due to insufficient validation of server side redirects, it is possible to circumvent this restriction [in Opera].”
The Opera update also patches a separate cross-site scripting flaw that could lead to the discovery of local files on vulnerable machines. This bug is also rated “moderately critical” by Secunia.
A third vulnerability that is caused due to input not being sanitized was also fixed. This could also put users at risk of cross-site scripting attacks.
The Opera 8.0.1 update also provides a fix for a window injection bug that can be exploited to spoof the content of Web sites.
Opera said the browser refresh also provides improved accuracy of the security bar and modified security icon behavior to properly report the security levels when a certificate is accepted manually.
The security fixes come just two months after Opera shipped Version 8 for Windows and Linux users, touting fast performance and new security features.
The new Opera browser is available as a free download in four languages: English, German, Dutch and Polish. A paid version that strips out the embedded banner ad is also available.