By Carsten Eiram
There has lately been some confusion about a vulnerability reported in the Opera browser and rightly so based on the different statements having been issued.
The vulnerability was reported as an integer overflow when processing the "Content-Length" header and accompanied by a PoC that always crashed when copying memory due to an overly large size. Based on the provided PoC and report, it immediately seemed like the crash would always occur and executing code would not be possible.
Before issuing a Secunia advisory, a security specialist was tasked with thoroughly analysing the vulnerability report, cause of the crash, and potential impact. It turned out that the vulnerability is not caused by an integer overflow error. Instead, in certain cases when a 64-bit "Content-Length" value is interpreted as negative, the higher 32-bit value is ignored and lower 32-bit value is used to copy data. It is, therefore, possible to manipulate the size value in a manner to successfully corrupt memory and occasionally cause conditions where it is possible to gain control of the execution flow.
At least one other site did, as usual, abuse the opportunity to hype the vulnerability and refer to it as a 0-day, which is misleading as no working exploit has been published nor is the vulnerability being actively exploited. Instead, it was an uncoordinated (commonly termed: "irresponsible") disclosure as the vulnerability report was published without the reporter first informing the vendor.
Adding to the confusion, Opera Software's initial analysis of the vulnerability concluded that it was not a vulnerability and this was communicated on the Opera Software forum and to the media. Opera Software also contacted Secunia, asking us to update our advisory or alternatively that we provide them with additional information.
During the past days, we have, therefore, been working with Opera Software and providing them with details to clarify that the threat is not just a crash, but has code execution potential. Opera Software has acknowledged to us that they are now handling it as a security issue and will be issuing an advisory and fix as soon as possible.
Chief Security Specialist