  CERT-MU Vulnerability Note VN-2010-7

Opera Browser "Content-Length" Processing Remote Code Execution Vulnerability

Original Issue Date: March 10, 2010

Severity Rating: High

Systems Affected

  • Opera version 10.50 and prior

Overview

A buffer overflow vulnerability has been reported in the Opera web browser that could be exploited by a remote attacker to execute arbitrary code in the context of the logged-in user.

Description

The vulnerability is triggered when processing HTTP responses that carry a malformed "Content-Length" header. An overly large 64-bit "Content-Length" value whose higher 32-bit part is negative can cause a heap-based buffer overflow. An attacker could exploit the vulnerability by constructing a specially crafted web page containing the malformed header and persuading the user to visit the site. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code or crash the affected browser.
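
For developers of HTTP clients, the following added example (not Opera's code and not part of the original advisory) shows a strict "Content-Length" parser that rejects the class of value described above before it can be used as a buffer size. The function name, status codes and the 64 MiB cap `MAX_BODY_BYTES` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_BODY_BYTES ((uint64_t)64 * 1024 * 1024) /* assumed policy cap */

enum cl_status { CL_OK, CL_MALFORMED, CL_OVERFLOW, CL_TOO_LARGE };

/* Strictly parse a Content-Length field value (digits only, optional
 * surrounding blanks). On CL_OK, *out is a size safe to allocate. */
enum cl_status parse_content_length(const char *value, size_t *out)
{
    uint64_t n = 0;
    const char *p = value;

    while (*p == ' ' || *p == '\t') p++;
    if (*p < '0' || *p > '9')
        return CL_MALFORMED;              /* empty, signed, or non-numeric */
    for (; *p >= '0' && *p <= '9'; p++) {
        uint64_t d = (uint64_t)(*p - '0');
        if (n > (UINT64_MAX - d) / 10)
            return CL_OVERFLOW;           /* would wrap past 64 bits */
        n = n * 10 + d;
    }
    while (*p == ' ' || *p == '\t') p++;
    if (*p != '\0')
        return CL_MALFORMED;              /* trailing junk, e.g. "12abc" */
    /* Compare as unsigned 64-bit before any narrowing or sign conversion,
     * so a value whose upper half would read as negative, or vanish when
     * truncated to 32 bits, is rejected rather than used as a size. */
    if (n > MAX_BODY_BYTES)
        return CL_TOO_LARGE;
    *out = (size_t)n;
    return CL_OK;
}

int main(void)
{
    /* Constructed sample header values. */
    const char *samples[] = { "1024", " 42 ", "-1", "12abc",
                              "18446744069414584320", /* 0xFFFFFFFF00000000 */
                              "99999999999999999999999" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t len = 0;
        enum cl_status s = parse_content_length(samples[i], &len);
        printf("%-26s -> status %d, len %zu\n", samples[i], (int)s, len);
    }
    return 0;
}
```

Only a length that returns `CL_OK` should ever reach an allocator or a copy routine; every other status should end processing of the response.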

Workarounds

Do not browse untrusted websites or follow untrusted links.

References

Secunia
http://secunia.com/advisories/38820/

VUPEN
http://www.vupen.com/english/advisories/2010/0529

SecurityFocus
http://www.securityfocus.com/bid/38519/

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

 
 
Last Updated 20-Jul-2011