CERT-In Advisory CIAD-2009-40
Multiple Vulnerabilities in Opera
Original Issue Date: September 07, 2009
Severity Rating: Medium
System Affected
Overview
Multiple vulnerabilities have been reported in Opera, which could be exploited to bypass security restrictions and conduct spoofing attacks.
Description
1. Intermediate Certificate Spoofing Vulnerability (CVE-2009-3046)
This vulnerability exists because Opera fails to check the revocation status for intermediate certificates not served by the server. This may cause sites using revoked intermediate certificates to be shown as secure.
2. URL Spoofing Vulnerability (CVE-2009-3047)
This vulnerability is caused by the domain name in the collapsed address bar not being updated correctly, which could cause the previous domain to be shown instead of the domain of the present site.
Remote attackers could exploit this to spoof URLs.
3. Limited Address Spoofing Vulnerability (CVE-2009-3049)
This vulnerability exists because certain Unicode characters are treated incorrectly, which might cause International Domain Names (IDN) that use them to be shown in the wrong format. Attackers could exploit this vulnerability to perform limited address spoofing.
4. Security Bypass Vulnerability (CVE-2009-3044)
This vulnerability exists because the browser fails to properly validate the domain name in a signed CA certificate. A remote attacker could exploit this vulnerability by using a certificate that contains a wildcard immediately before the top-level domain, or null characters in the domain name, which would be incorrectly interpreted as secure.
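The following is an added example, not code from the advisory or from Opera, showing the name-matching check a TLS client should apply to certificate names so that the two defective inputs described in item 4 (a wildcard directly before the top-level domain, and an embedded null character) are refused rather than accepted. The function names and the rule that only the last label counts as the top-level domain are assumptions made for this example.

```python
from typing import List


class CertNameError(ValueError):
    """Raised when a certificate name is malformed and must not be trusted."""


def validate_cert_name(pattern: str) -> List[str]:
    """Return the labels of a well-formed certificate name, or raise.

    Hypothetical helper (not Opera's code) written for this example.
    """
    if "\x00" in pattern:
        # A NUL inside the encoded name truncates C-string consumers, so the
        # visible prefix must never be treated as the real name.
        raise CertNameError("NUL byte in certificate name")
    labels = pattern.lower().rstrip(".").split(".")
    if any(not lbl for lbl in labels):
        raise CertNameError("empty label in certificate name")
    if "*" in pattern:
        # One wildcard, only as the entire leftmost label, and only when at
        # least two labels follow it; "*.com" is therefore refused.
        if labels[0] != "*" or any("*" in lbl for lbl in labels[1:]):
            raise CertNameError("wildcard must be the entire leftmost label")
        if len(labels) < 3:
            raise CertNameError("wildcard directly before the top-level domain")
    return labels


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True only if the certificate name legitimately covers the hostname."""
    try:
        plabels = validate_cert_name(pattern)
    except CertNameError:
        return False
    if not hostname or "\x00" in hostname:
        return False
    hlabels = hostname.lower().rstrip(".").split(".")
    if len(plabels) != len(hlabels):
        # A wildcard covers exactly one label, never zero or several.
        return False
    if plabels[0] == "*":
        return plabels[1:] == hlabels[1:]
    return plabels == hlabels
```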
Solution
Upgrade to Opera 10 or later
http://www.opera.com/download/
Vendor Information
Opera
http://www.opera.com/download/
References
Opera
http://www.opera.com/support/kb/view/929/
http://www.opera.com/support/kb/view/930/
http://www.opera.com/support/kb/view/932/
http://www.opera.com/support/kb/view/934/
http://www.opera.com/docs/changelogs/windows/1000/
ISS XFORCE
http://xforce.iss.net/xforce/xfdb/52965
VUPEN Security
http://www.vupen.com/english/advisories/2009/2500
SecurityFocus
http://www.securityfocus.com/bid/36202/
Secunia
http://secunia.com/advisories/36414/
SecurityTracker
http://www.securitytracker.com/alerts/2009/Sep/1022799.html
Juniper Networks
http://www.juniper.net/security/auto/vulnerabilities/vuln36202.html
CVE Name
CVE-2009-3044
CVE-2009-3046
CVE-2009-3047
CVE-2009-3049
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003