Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Web Browser)  >   Opera Vendors:   Opera Software
Opera Web Browser May Execute Files Selected for Download Instead of Prompting the User for Approval
SecurityTracker Alert ID:  1001400
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 23 2001
Impact:   Execution of arbitrary code via local system

Version(s): 5.02
Description:   A vulnerability has been reported in the Opera 5.02 web browser on Windows 98. The browser may, in certain situations, automatically execute certain files selected for download.

It is reported that the vulnerability applies to Opera 5.02 Build 856a (with no Java Runtime Environment installed) on Windows 98. If a file name ending with a ".exe" extension is downloaded, the browser will issue a security warning box asking the user to "open or save." If the user selects "open", the file will be opened with the default application associated with *.exe files. After that, all links that contain a file to be downloaded [presumably with *.exe file names] will reportedly be automatically opened by the browser without any input from the user.

The report also indicates that a file containing certain javascript code can cause the browser to crash (see the source message for details on this aspect of the vulnerability).

Impact:   An executable file selected for download may be automatically executed by the browser without the browser asking the user for confirmation.
Solution:   The report notes that a more recent release of Opera (5.10O Build 902) is not vulnerable. [Editors note: The current version is 5.11.]
Vendor URL: (Links to External Site)
Cause:   State error
Underlying OS:  Windows (98)

Message History:   None.

 Source Message Contents

Subject:  AGAIN: Tested on Windows 98 with 'free' Opera 5.02 Build 856a (No

 Thursday, 19 April, 2001

There is an interesting oddity with the 'free' Opera 5.02 Build 856a (No
Java Runtime Environment installed) on Windows 98 with downloading files. In
particular *.exe. While the array of file type associations and instructions
what to do with them is wide, the instruction set for *.exe simply does not

Normally when executing a file download, the security warning box is invoked
asking whether you wish to 'open or save' -- this is default. Also, as it
should be, the ability to uncheck-mark the security warning box is greyed

However if you select open, the file association settings seem to
automatically register 'open with default application' instead of reverting
to 'show download dialog'. Naturally, thereafter any file download is
automatically opened.

Simply put:

will (should) invoke the security warning download dialog

(screen shot: 31KB)

But because we intend to install from the trusted source, we select 'open
file' in order to install, thereafter the file association settings seem to
register themselves to always 'open with default application' for an *.exe

and naturally when we go to:

[working example: harmless *.exe automatically launched] simply viewing the page or clicking on
the link automatically runs our *.exe

Once again: test vehicle 'free' Opera 5.02 Build 856a (No Java Runtime
Environment installed) on Windows 98

Additionally we can crash it extremely hard with simple, yet unorthodox
JavaScripting squeezed into a shockwave file:

custom create a shockwave file (*.swf), select the interactive text or
button and force into the href field:

javascript:document.location="*.xbm?<script>alert()</script> simply add <img
src="malware.xbm">  -- what happens is Opera locates the *.xbm (we use an
obscure file to ensure no others are likely to be in the cache) and views it
automatically from the cache (note: without the need for a name):

(screen shot: 25KB)

and the simple alert() then tries to fire from within the cache resulting

OPERA caused an invalid page fault in
module OPERA.EXE at 015f:004e2b1a.
EAX=00fcc0f0 CS=015f EIP=004e2b1a EFLGS=00010206
EBX=017855fc SS=0167 ESP=0084e530 EBP=0084e54c
ECX=00580038 DS=0167 ESI=01f701c3 FS=0e87
EDX=00007470 ES=0167 EDI=00000000 GS=0000
Bytes at CS:EIP:
80 3e 00 74 19 56 e8 eb 6e 05 00 40 50 e8 cf 6d
Stack dump:
00000000 00fcc110 00455f8a 01f701c3 0058002c 01785c40 01ee3f90 0084e570
00455e4f 00000002 00000001 0058002c 01f701c3 00000000 00000000 017856a0


1. Tested on Windows 98 with 'free' Opera 5.02 Build 856a (No Java Runtime
Environment installed)
2. In the 10 days from today's date since the download and installation of
the 'free' Opera 5.02 Build 856a (No Java Runtime Environment installed),
the manufacturer has since come out with a newer
version: Opera 5.10 Build 902 which doesn't appear to be affected at all.
3. There also doesn't appear to be any mention of the above findings
anywhere for 'free' Opera 5.02 Build 856a (No Java Runtime Environment
installed) on Windows 98
4. Suggest to test your version/configuration and upgrade if affected
5. This all may very well be a unique combination system configuration

One More Time: Tested on Windows 98 with 'free' Opera 5.02 Build 856a (No
Java Runtime Environment installed)


Send a cool gift with your E-Card


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC