14 DAY TRIAL // The latest version of the Opera browser is affected by a publicly disclosed vulnerability that allows potential attackers to execute arbitrary code remotely.
The flaw was discovered by French security researcher Jordi Chancel who disclosed it on his blog on January 7 and described it as an integer truncation error.
Mr. Chancel noted at the time that even though the crashes are easy to replicate, the address of the memory violation is unpredictable, making exploitation a lot more complicated.
However, on Friday, French vulnerability research vendor VUPEN Security announced that its researchers managed to develop a reliable arbitrary code execution exploit for the vulnerability.
"This issue is caused by an integer truncation error within the Opera Internet Browser module 'opera.dll' when handling a HTML 'select' element containing an overly large number of children," VUPEN writes in its advisory.
The flaw has been confirmed in Opera 11.0 and 10.63 on both Windows 7 and XP, and can be exploited remotely by tricking users to visit a specially crafted Web page.
Fortunately, for the time being there is no public proof-of-concept exploit. VUPEN keeps its attack code private and only shares it with its customers, which include government and corporations, so they can assess the risk and protect themselves accordingly.
There is currently no available patch from the vendor and no estimation on how quickly it will react to the disclosure. There is no CVE ID assigned for the vulnerability either.
According to the latest Security Factsheet published by Danish vulnerability intelligence vendor Secunia, Opera registered four times more vulnerabilities that didn't have a patch at advisory disclosure time last year compared to the preceding twelve months.
The latest stable version of the browser is 11.0 and was released on December 17th. However, the Opera desktop team is also putting out frequent snapshots, the last of which is 11.01 Build 1179 Beta.
Update January 24, 2011: Updated to correct an instance where Mr. Jordi Chancel's name was misspelled.