Opera Lets Remote Users Spoof Extended Validation Address Bar Security Information and Decrypt SSL/TLS Traffic
|
SecurityTracker Alert ID: 1025997 |
SecurityTracker URL: http://securitytracker.com/id/1025997
|
CVE Reference:
CVE-2011-3388, CVE-2011-3389
|
Updated: Sep 27 2011
|
Original Entry Date: Sep 1 2011
|
Impact:
Disclosure of user information, Modification of system information, Modification of user information
|
Fix Available: Yes
|
Vendor Confirmed: Yes
|
Version(s): prior to 11.51
|
Description:
Two vulnerabilities were reported in Opera. A remote user can spoof the address bar security information. A remote user can decrypt SSL/TLS sessions in certain cases.
A remote user can create specially crafted HTML that, when loaded by the target user, will cause the browser to display the security information for one resource in the address field and page information dialog while showing page content from a different resource. As a result, insecure web content may appear to the target user to be secure.
Roland Reck reported this vulnerability.
A remote user with the ability to conduct a man-in-the-middle attack can decrypt SSL/TLS sessions. Thai Duong and Juliano Rizzo reported this vulnerability.
[Editor's note: The vendor stated that the decryption flaw is a "low severity" flaw.]
|
Impact:
A remote user can create HTML that, when loaded by the target user, will spoof the address bar security information.
A remote user with the ability to conduct a man-in-the-middle attack can decrypt SSL/TLS sessions.
|
Solution:
The vendor has issued a fix (11.51).
The vendor's advisory is available at:
http://www.opera.com/support/kb/view/1000/
|
Vendor URL: www.opera.com/support/kb/view/1000/
|
Cause:
Access control error, Not specified
|
Underlying OS: Linux (Any), UNIX (FreeBSD), UNIX (macOS/OS X), UNIX (Solaris - SunOS), Windows (Any)
|
Message History:
None.
|