Opera Plugs Three Security Holes

Opera Software on Thursday shipped an updated version of its Opera for Windows Web browser to fix a trio of potentially serious security vulnerabilities.

The Norwegian company recommends that Windows users upgrade to Opera 8.0.2 to protect against malicious hacker attacks.

The most serious of the three flaws is due to an error in the handling of extended ASCII codes in the download dialog.

Security research outfit Secunia Inc., which discovered the flaw, has tagged it as “moderately critical” and warned that attackers could trick users into executing malicious files.

/zimages/6/28571.gifClick here to read eWEEK Labs review of Opera 8.0.

“This can be exploited to spoof the file extension in the file download dialog via a specially crafted Content-Disposition HTTP header. Successful exploitation may result in users being tricked into executing a malicious file via the download dialog, but requires that the Arial Unicode MS font (ARIALUNI.TTF) has been installed on the system,” according to an advisory from Secunia.

The “Arial Unicode MS” font is installed with various Microsoft Office distributions. Secunia has confirmed the vulnerability in Opera 8.01 but cautioned that other versions may also be affected.

The Opera browser upgrade has also fixed an image dragging vulnerability and a link hijacking issue that put Windows users at risk.

According to Opera, the patched browser also improves the default handling of encodings in spelling checker and adds improved support for XMLHttpRequest.

The update can be found at Operas download center.

/zimages/6/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.