Vigil@nce: Opera, using freed memory via Node
November 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can create a web document that alters HTML nodes,
forcing Opera to use a freed memory area, in order to stop the
browser and possibly to execute code.
– Severity: 2/4
– Creation date: 24/10/2011
IMPACTED PRODUCTS
– Opera
DESCRIPTION OF THE VULNERABILITY
Elements of an HTML document can be represented as a tree, which
can be altered in JavaScript via the appendChild() and
removeChild() functions.
However, if a node is cloned with cloneNode(), then deleted with
removeChild() and re-added with appendChild(), Opera dereferences
an invalid pointer.
An attacker can therefore create a web document that alters HTML
nodes, forcing Opera to use a freed memory area, in order to stop
the browser and possibly to execute code.
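The node-lifetime rule that this clone/remove/re-add sequence stresses, as an added C example that is not from the bulletin or from Opera's code. The bulletin does not state the root cause, so this constructed model (all names hypothetical) only assumes a reference-counted node: removing a child drops the tree's reference, and a script-held handle keeps the node valid for the later re-append.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model, not Opera's code; every name here is hypothetical. */
typedef struct Node {
    int refs;                    /* owners: tree link plus script handles */
    struct Node *parent, *child; /* one child slot keeps the model short */
    char tag[8];
} Node;
int live_nodes = 0;              /* exposes early frees and leaks to the caller */

Node *node_new(const char *tag) {
    Node *n = calloc(1, sizeof *n);
    if (!n) abort();
    strncpy(n->tag, tag, sizeof n->tag - 1);
    n->refs = 1;                 /* the creating script handle owns one ref */
    live_nodes++;
    return n;
}

void node_release(Node *n) {
    if (!n || --n->refs > 0) return;
    if (n->child) { n->child->parent = NULL; node_release(n->child); }
    free(n);
    live_nodes--;
}

Node *clone_node(const Node *src) { return node_new(src->tag); } /* shallow, detached */

int append_child(Node *p, Node *c) {
    if (!p || !c || c->parent || p->child) return -1;
    c->refs++;                   /* the tree takes its own reference */
    c->parent = p; p->child = c;
    return 0;
}

int remove_child(Node *p, Node *c) {
    if (!p || !c || p->child != c) return -1;
    p->child = NULL; c->parent = NULL;
    node_release(c);             /* drops the tree's ref only; handles stay valid */
    return 0;
}

/* The bulletin's sequence. Returns the re-added node's refcount, -1 on error. */
int clone_remove_readd(Node *p, Node *c, Node **clone_out) {
    *clone_out = clone_node(c);
    if (remove_child(p, c) != 0 || append_child(p, c) != 0) return -1;
    return c->refs;
}
```

If remove_child() freed the node outright instead of releasing one reference, the handle later passed to append_child() would point at freed memory, which is the class of fault the bulletin describes.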
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Opera-using-freed-memory-via-Node-11094