COMMAND

    Opera

SYSTEMS AFFECTED

    Opera 5.02 Build 856a

PROBLEM

    'http-equiv' found the following.  There is an interesting oddity
    with the 'free' Opera 5.02 Build 856a (No Java Runtime Environment
    installed) on Windows 98 when downloading files, in particular
    *.exe.  While the array of file type associations and instructions
    for what to do with them is wide, the instruction set for *.exe
    simply does not stick.

    Normally when executing a file download, the security warning box
    is invoked asking whether you wish to 'open or save' -- this is
    the default.  Also, as it should be, the ability to uncheck-mark
    the security warning box is greyed out.

    However, if you select open, the file association settings seem to
    automatically register 'open with default application' instead of
    reverting to 'show download dialog'.  Naturally, thereafter any
    file download is automatically opened.

    Simply put:

        http://opera.online.no/win/ow32enen510.exe

    will (should) invoke the security warning download dialog

        (screen shot: http://www.malware.com/foopera.jpg 31KB)

    But because we intend to install from the trusted source, we
    select 'open file' in order to install.  Thereafter the file
    association settings seem to register themselves to always 'open
    with default application' for an *.exe, and naturally when we go
    to:

        http://www.malware.com/fauxpera.html
        [working example: harmless *.exe automatically launched]

    simply viewing the page or clicking on the link automatically runs
    our *.exe.

    Once again:  test vehicle  'free' Opera  5.02 Build  856a (No Java
    Runtime Environment installed) on Windows 98.
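
    The association behaviour described above, modelled as an added
    example (not Opera's code and not part of the original advisory).
    HandlerTable, LOCKED, run_scenario and the .example URLs are
    hypothetical; persist_prompt_answer=True reproduces the reported
    behaviour, False is the expected one, and audit() is the check
    for the state the flaw leaves behind.

```python
# Added illustration: a model of the download-handler logic, not Opera's code.
# All names here (HandlerTable, LOCKED, the .example URLs) are hypothetical.
PROMPT, OPEN, SAVE = "show download dialog", "open with default application", "save"
LOCKED = {"exe"}  # types whose security warning must never be skippable


def ext_of(url):
    """Lower-cased extension of the last path segment, query string ignored."""
    name = url.split("?", 1)[0].rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


class HandlerTable:
    def __init__(self, persist_prompt_answer):
        # persist_prompt_answer=True reproduces the behaviour the advisory reports.
        self.persist = persist_prompt_answer
        self.actions = {}  # extension -> stored action; missing means PROMPT

    def download(self, url, ask_user):
        """Return (action_taken, user_was_prompted) for one download."""
        ext = ext_of(url)
        stored = self.actions.get(ext, PROMPT)
        if stored != PROMPT:
            return stored, False          # no dialog: the stored action runs
        answer = ask_user(url)            # OPEN or SAVE, chosen in the dialog
        if self.persist and answer == OPEN:
            self.actions[ext] = OPEN      # flaw: a one-off answer becomes the rule
        return answer, True

    def audit(self):
        """Locked extensions whose stored action bypasses the dialog."""
        return sorted(e for e in LOCKED if self.actions.get(e, PROMPT) != PROMPT)


def run_scenario(persist):
    """Install from a trusted URL, then meet an .exe on an untrusted page."""
    table = HandlerTable(persist)
    prompts = []

    def ask(url):
        prompts.append(url)
        return OPEN if url.startswith("http://trusted.example/") else SAVE

    table.download("http://trusted.example/setup.exe", ask)         # constructed URL
    second = table.download("http://untrusted.example/x.exe", ask)  # constructed URL
    return second, prompts, table.audit()
```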

    Additionally  we  can  crash  it  extremely  hard with simple, yet
    unorthodox JavaScripting squeezed into  a shockwave file:   custom
    create a shockwave  file (*.swf), select  the interactive text  or
    button and force into the href field:

        javascript:document.location="*.xbm?<script>alert()</script>

    simply add

        <img src="malware.xbm">

    What happens is  Opera locates the  *.xbm (we use  an obscure file
    to ensure no others  are likely to be  in the cache) and  views it
    automatically from the cache (note: without the need for a name):

        (screen shot: http://www.malware.com/bar.jpg 25KB)

    and the simple  alert() then tries  to fire from  within the cache
    resulting in:

        OPERA caused an invalid page fault in
        module OPERA.EXE at 015f:004e2b1a.

SOLUTION

    The manufacturer  http://www.opera.com has  come out  with a newer
    version: Opera 5.10 Build 902 which doesn't appear to be  affected
    at all.