Software update: Opera 7.54u1

Opera has in response to some security bugs released a new version of the Internet surfer in its Opera web browser in the form of 7.54u1. This version is available for download in two different versions: the first download consists of Opera 7.54u1 without Java, while the second download is a few megabytes heavier and comes with Java. You can read below which security bugs are targeted. According to DataGhost, version 7.54u1 also includes the bug fixes that were found in the preview version:

Opera security advisory

• Named frames or windows can be hi-jacked by malicious frames or windows.
• Periods in the file name and non-breaking spaces in the Content-Type header can make the save/open dialog misleading. A user may be convinced that an executable file is something else, for example a PDF document.
• Applets have access to sun.* packages
• Liveconnect: com.opera.EcmascriptObject constructor is accessible to Java
• Liveconnect reveals the path to the user’s home directory. This can make other vulnerabilities easier to exploit.

Opera’s response

• Tightened origin check for frames. A side effect of this is that documents not passing the origin check will open in a new page.
• Fixed issue reported by Marc Schönefeld: intrusive JavaScript or Java applet could exploit Sun Java vulnerability to retrieve logged-in user’s username and install directory.
• Fixed LiveConnect class access security issue reported by Jouko Pynnonen.
• Fixed Secunia issue SA12981reported by Andreas Sandblad: periods in the file name and non-breaking spaces in content-type header type could obscure the file type.
• Fixed Secunia issue SA13253: “hi-jacking” a named browser window.
• Improved support for the “must-revalidate” cache directive.