[CVE-2012-1925] Overlapping content can trick users into executing downloads


Advisory: Overlapping content can trick users into executing downloads


CVE-ID: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1925


UPDATE Link: http://www.opera.com/fr/security/advisory/1011


Announced: March 26, 2012
Reporter: Security researcher Jordi Chancel
Impact: High
Products: Opera
Fixed in: Opera 11.62


Description

Dialogs such as the download dialog are usually displayed on top of page content, to ensure that the user knows that the dialog is requesting attention. In some cases, this policy was not implemented correctly in Opera, allowing certain page content to overlay the dialog. In these cases, clicking the page content causes the dialog to be clicked instead. While an attacker may not have much control over the appearance of the overlapping content, they may be able to use it to trick the user into performing harmful actions, such as running a downloaded executable.

Opera’s Response

Opera Software has released Opera 11.62, where this issue has been fixed.


Credits

Thanks to Jordi Chancel for reporting this issue to Opera Software.


  • Vidéo de démonstration :


-Security Researcher Jordi Chancel

Comments are closed.