Latest Opera Browser Flaw: Hackers Can Remotely Execute Files on Windows and macOS

admin, February 5, 2024 14:38:26

Cybersecurity researchers have disclosed a security flaw in the Opera web browser for Microsoft Windows and Apple macOS that could be exploited to execute any file on the underlying operating system.

The remote code execution vulnerability has been codenamed MyFlaw by the Guardio Labs research team owing to the fact that it takes advantage of a feature called My Flow that makes it possible to sync messages and files between mobile and desktop devices.

"This is achieved through a controlled browser extension, effectively bypassing the browser's sandbox and the entire browser process," the company said in a statement shared with The Hacker News.

The issue impacts both the Opera browser and Opera GX. Following responsible disclosure on November 17, 2023, it was addressed as part of updates shipped on November 22, 2023.

My Flow features a chat-like interface to exchange notes and files, the latter of which can be opened via a web interface, meaning a file can be executed outside of the browser's security boundaries.

It is pre-installed in the browser and facilitated by means of a built-in (or internal) browser extension called "Opera Touch Background," which is responsible for communicating with its mobile counterpart.

This also means that the extension comes with its own manifest file specifying all the required permissions and its behavior, including a property known as externally_connectable that declares which other web pages and extensions can connect to it.

In the case of Opera, the domains that can talk to the extension should match the patterns "*.flow.opera.com" and ".flow.op-test.net" – both controlled by the browser vendor itself.

"This exposes the messaging API to any page that matches the URL patterns you specify," Google notes in its documentation. "The URL pattern must contain at least a second-level domain."

Guardio Labs said it was able to unearth a "long-forgotten" version of the My Flow landing page hosted on the domain "web.flow.opera.com" using the urlscan.io website scanner tool.

"The page itself looks quite the same as the current one in production, but changes lie under the hood: Not only that it lacks the [content security policy] meta tag, but it also holds a script tag calling for a JavaScript file without any integrity check," the company said.

"This is exactly what an attacker needs – an unsafe, forgotten, vulnerable to code injection asset, and most importantly, has access to (very) high permission native browser API."
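
A defender-side audit of the two conditions described above, as an added example that is not code from Guardio Labs or Opera: it checks whether a page's host falls under the host patterns quoted in the article and, if so, whether the markup lacks a CSP meta tag or loads scripts without an `integrity` attribute. The pattern handling (a leading `*.` or `.` meaning the domain and its subdomains), the sample markup and the `sha384-PLACEHOLDER` value are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host patterns as quoted in the article. Assumption: a leading "*." or "."
# means "this domain and any subdomain"; scheme and path parts are ignored.
TRUSTED_HOST_PATTERNS = ["*.flow.opera.com", ".flow.op-test.net"]

def host_is_trusted(host, patterns=TRUSTED_HOST_PATTERNS):
    """True if host is a pattern's base domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        base = pat.lstrip("*").lstrip(".").lower()
        if host == base or host.endswith("." + base):
            return True
    return False

class PageAudit(HTMLParser):
    """Records the two weaknesses the article names for the old page."""
    def __init__(self):
        super().__init__()
        self.has_csp_meta = False
        self.scripts_without_sri = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "content-security-policy":
            self.has_csp_meta = True
        elif tag == "script" and a.get("src") and not a.get("integrity"):
            self.scripts_without_sri.append(a["src"])

def audit_page(url, html):
    """Findings for a page allowed to message the extension; None if not allowed."""
    if not host_is_trusted(urlparse(url).hostname or ""):
        return None
    page = PageAudit()
    page.feed(html)
    findings = [] if page.has_csp_meta else ["no CSP meta tag"]
    # A CSP sent as an HTTP response header is not visible here (meta tag only).
    return findings + [f"script without integrity: {s}" for s in page.scripts_without_sri]

# Constructed sample markup; only web.flow.opera.com is a host named in the article.
WEAK = '<html><head><script src="/static/app.js"></script></head></html>'
HARDENED = ('<html><head><meta http-equiv="Content-Security-Policy" '
            'content="script-src \'self\'">'
            '<script src="/static/app.js" integrity="sha384-PLACEHOLDER"></script>'
            '</head></html>')

if __name__ == "__main__":
    print(audit_page("https://web.flow.opera.com/", WEAK))
    print(audit_page("https://web.flow.opera.com/", HARDENED))
    print(audit_page("https://flow.opera.com.example.net/", WEAK))
```

Run over an inventory of every host that resolves under the trusted patterns, this surfaces old or forgotten pages that still hold messaging access to the extension.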

The attack chain then hinges on creating a specially crafted extension that masquerades as a mobile device to pair with the victim's computer and transmits an encrypted malicious payload via the modified JavaScript file to the host, where it is subsequently executed by prompting the user to click anywhere on the screen.

The findings highlight the increasing complexity of browser-based attacks and the different vectors that can be exploited by threat actors to their advantage.

"Despite operating in sandboxed environments, extensions can be powerful tools for hackers, enabling them to steal information and breach browser security boundaries," the company told The Hacker News.

"This underscores the need for internal design changes at Opera and improvements in Chromium's infrastructure. For instance, disabling third-party extension permissions on dedicated production domains, similar to Chrome's web store, is recommended but has not yet been implemented by Opera."

When reached for comment, Opera said it moved quickly to close the security hole and implement a fix on the server side and that it's taking steps to prevent such issues from happening again.

"Our current structure uses an HTML standard, and is the safest option that does not break key functionality," the company said. "After Guardio alerted us to this vulnerability, we removed the cause of these issues and we are making sure that similar problems will not appear in the future."

"We would like to thank Guardio Labs for their work on uncovering and immediately alerting us to this vulnerability. This collaboration demonstrates how we work together with security experts and researchers around the world to complement our own efforts at maintaining and improving the security of our products and ensuring our users have a safe online experience."

Originally published on the WeChat official account 知机安全: Latest Opera Browser Flaw: Hackers Can Remotely Execute Files on Windows and macOS

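  • Published on February 5, 2024 14:38:26
  • When reposting, please keep this article's link (CN-SEC中文网: thanks to the original author for their hard work):
                   Latest Opera Browser Flaw: Hackers Can Remotely Execute Files on Windows and macOS http://cn-sec.com/archives/2401909.html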