Opera has shipped a high-priority update to its flagship Web browser to correct multiple flaws that put Windows users at risk of malicious hacker attacks. With Opera 9.26 for Windows, the Norwegian company shipped patches for at least three vulnerabilities that can be exploited to launch malware installations or conduct identity theft attacks. The most serious of the three bugs—rated “highly severe” by Opera—can cause the browser to be tricked into treating custom comments in image properties as script.
“This can cause the script to be run in the wrong security context,” the company warned. The update also fixes a “moderately severe” issue where simulated text inputs could trick users into uploading arbitrary files.
“When a user types into a file input, scripts can cause some of the keystrokes to be ignored. If the script can convince the user that they are typing into a normal text input, and not let them see that their keystrokes are being ignored, it can cause the input to point to known file paths on the user’s computer. The file can then be uploaded without user interaction,” Opera said.