Hints that other software remains at risk from a cross-site scripting vulnerability


(Computerworld) Opera Software ASA today patched seven vulnerabilities in its flagship Opera browser, but it declined to provide information about one of the bugs.

The Oslo-based browser developer hinted that other programs, not yet patched, were also affected by the flaw.

Today's update to Opera 9.52 fixes multiple bugs -- seven in the Windows version, five in the Mac edition and six in the Linux browser -- that range from "extremely severe" to "not severe" in the company's five-step threat-ranking system.

What was unusual, however, was that Opera omitted an explanation for one of the fixed flaws. Instead, the company simply stated in the change log: "Fixed an issue that could allow cross-site scripting, as reported by Chris Weber of Casaba Security; details will be disclosed at a later date."

When asked for more information on the cross-site scripting vulnerability, Opera spokesman Thomas Ford hinted that other software might be involved. "Opera thinks it is acceptable under specific circumstances to release a security update without publishing an advisory...


More: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9113080&source=NLT_PM&nlid=8