CNET también está disponible en español.

Ir a español

Don't show this again

Christmas Gift Guide
Internet

Opera squashes security bugs

Opera Software issues a patch for the latest major launch of its Web browser after the release of five security advisories--three of them rated critical.

Opera Software has issued a patch for the latest major launch of its Web browser after the release of five security advisories, three of them rated critical.

The advisories, from Israeli company GreyMagic Software, were issued just a week after Opera released version 7.0 of its rewritten browser. On Wednesday, those who had downloaded Opera 7.0 were urged to upgrade to version 7.01, which fixes the bugs. The upgrade is available on Opera's Web site.

The three critical flaws could allow a Web page to collect files from a person's PC. The first flaw, which stems from a problem with Opera's JavaScript console, could allow a site to read cookies containing information of Web sites visited, and in some cases, usernames and passwords from a person's PC. A demonstration of this exploit, published by GreyMagic, allowed a person to browse their own file system from a remote Web page.

The second critical vulnerability, called "Phantom of the Opera," also stems from the JavaScript console and allows a Web page to read any file on the person's file system, GreyMagic said. It lets a remote Web page read e-mails written or received by M2, Opera's mail program.

The third critical exploit uses a flaw in the browser's graphics-handling routines to achieve the same results.

GreyMagic said Opera "lived up to its excellent response record and released version 7.01 only five days after initial notification."

However, Opera apparently failed in an earlier attempt to patch the first JavaScript bug, which GreyMagic warned of back in November. Opera "apparently failed to understand the core issues and only patched one symptom of the problem," GreyMagic said in its report on the bug.

An Opera representative said there was "a question of communication--we did try to address it, and we would have liked to have addressed it fully at the time, but we have done it now."

She said Opera has no figures on how many people have downloaded Opera 7.0, but CNET Download.com reports 3 million downloads of Opera 7.0 since the application was first posted Jan. 28, 2003. CNET Networks is the publisher of News.com.

The Opera spokeswoman said the company had not heard of any people experiencing problems as a result of the flaws.

ZDNet UK's Matt Loney reported from London.