The advisories, from Israeli company GreyMagic Software, were issued just a week after Opera released version 7.0 of its eponymous browser. On Wednesday, those who had downloaded Opera 7.0 were being urged to upgrade to version 7.01, which fixed the bugs. The upgrade is available on Opera's Web site.
The three critical flaws could allow a Web page to collect files from the user's PC. The first, which stems from a problem with Opera's Javascript console, would allow a site to read cookies -- containing information of Web sites visited, and in some cases usernames and passwords -- from a user's PC. A demonstration of this exploit, published by GreyMagic, allowed a user to browse their own file system from a remote Web page.
The second critical vulnerability, called "Phantom of the Opera", also stems from the Javascript console, and again allows a malicious Web page to read any file on the user's file system, said GreyMagic. It also allows a remote Web page to read emails written or received by M2, Opera's mail program.
The third critical exploit uses a flaw in the browser's graphics-handling routines to achieve the same results.
GreyMagic said Opera "lived up to its excellent response record and released version 7.01 only five days after initial notification."
However, the Norwegian firm apparently failed in an earlier attempt to patch the first Javascript bug, which GreyMagic warned of back in November. Opera "apparently failed to understand the core issues and only patched one symptom of the problem," GreyMagic said in its report on the bug.
An Opera spokeswoman said there was "a question of communication -- we did try to address it and we would have liked to have addressed it fully at the time, but we have done it now."
She said Opera has no figures on how many people have downloaded Opera 7.0, but Download.com reports three million downloads of Opera 7.0 since the application was first posted on 28 January, 2003. (Download.com is owned by ZDNet UK parent company CNET Networks.) The spokeswoman said Opera had not heard of any users experiencing problems as a result of the flaws.
