('binary' encoding is not supported, stored as-is)
Hello all -
I don't have time for a fancy advisory format, but I did want to disclose an issue.
Sometime in early October (late September?), around the time Opera 9.6 was released, I noticed that you could get it to crash after supplying the file:// handler with ~16,500 characters. I played around with it, but having very little memory corruption skillz I wasn't able to do much with it. I did, however, contact Opera through their web submission form.
Opera 9.61 was released in late October and still no fix. I contacted Opera using the e-mail address provided by the web form to follow up on the bug. Opera 9.62 then came out and still nothing.
I contacted Guido Landi aka k`sOSe to take a look. We determined that the file:// handler cannot be invoked from the Internet, but, it does work from a local HTML file. k`sOSe figured out that it was a heap overflow and was able to write a PoC for the bug: http://milw0rm.com/exploits/7135
Since Opera doesn't seem to care at all about this bug, I figured it was time to notify the public.
send9 <send9 [at] chiseclabs.com>
Received on Nov 17 2008
Intro
