Phantoms of the Opera fixed

Five days and more than three million downloads after Opera released version 7.0 of its eponymous browser, it has fixed some nasty flaws that give Web sites total access to a user's PC

Opera, the Norwegian software company, rushed to release a patch for the latest major release its multi-platform Web browser on Wednesday, following five security advisories that were released on Tuesday, three of them rated critical.

The advisories, from Israeli company GreyMagic Software, were issued just a week after Opera released version 7.0 of its eponymous browser, reviewed here. On Wednesday, those who had downloaded Opera 7.0 were being urged to upgrade to version 7.01, which fixed the bugs. The upgrade is available on Opera's Web site.

The three critical flaws could allow a Web page to collect files from the user's PC. The first, which stems from a problem with Opera's Javascript console, would allow a site to read cookies -- containing information of Web sites visited, and in some cases usernames and passwords -- from a user's PC. A demonstration of this exploit, published by GreyMagic, allowed a user to browse their own file system from a remote Web page.

The second critical vulnerability, called "Phantom of the Opera", also stems from the Javascript console, and again allows a malicious Web page to read any file on the user's file system, said GreyMagic. It also allows a remote Web page to read emails written or received by M2, Opera's mail program.

The third critical exploit uses a flaw in the browser's graphics-handling routines to achieve the same results.

GreyMagic said Opera "lived up to its excellent response record and released version 7.01 only 5 days after initial notification."

However, the Norwegian firm apparently failed in an earlier attempt to patch the first Javascript bug, which GreyMagic warned of back in November. Opera "apparently failed to understand the core issues and only patched one symptom of the problem," GreyMagic said in its report on the bug.

An Opera spokeswoman said there was "a question of communication -- we did try to address it and we would have liked to have addressed it fully at the time, but we have done it now."

She said Opera has no figures on how many people have downloaded Opera 7.0, but reports three million downloads of Opera 7.0 since the application was first posted on 28 January, 2003. ( is owned by ZDNet UK parent company CNET Networks.) The spokeswoman said Opera had not heard of any users experiencing problems as a result of the flaws.

Opera is available free of charge with a sponsored advertising banner in the top-right corner of the user interface. To remove the advertising banner users must register their version for $39 (about £24).

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section.

Let the editors know what you think in the Mailroom.