A beveiligingsonderzoeker has an exploit for the Opera published. With the exploit enables attackers to execute code on systems of Opera-users. It comes to a so-called ‘zero day’flaw: there is still no patch for.
The vulnerability occurs in the handling of svg graphics within a frameset, writes The H Security. Beveiligingsonderzoeker José Vazquez would it leak all of a year ago, having discovered Opera after two months, have informed. Vazquez writes on his weblog that the so-called ‘zero day’vulnerability is: there is still no patch for. The exploit allows attackers to run code of their systems of Opera-users. The exploit can be the data execution prevention protection in Windows, but then it will be onbetrouwbaarder.
It is unclear whether Opera also no attempts has been done to the bug to close: according to Vazquez has Opera in may, a leak poem, but at the same time claims to be the beveiligingsonderzoeker that the browsermaker has decided to use the leak does not resolve. May be going to multiple vulnerabilities. It is clear, however, that the exploit still works: in the latest Opera version, three in ten attempts is successful, against six out of ten in the latest alphaversie of Opera.
The exploit is as a module for the penetration testing framework Metasploit released. Also, the source code is published. Therefore, in principle, everyone the exploit to use. Vazquez does not explicitly explain why he has chosen to use the exploit make it accessible for everybody, but he seems to be unhappy with the way Opera with specified vulnerabilities, handles.
Update, 14:45: The exploit only seems to work under Windows XP with Service Pack 3.