Opera 7 Holes Detected; Multimodal Toolkit Released
The alternative Web browser project plans to release a new version to plug potential security breaches; separately, the multimodal toolkit built in partnership with IBM is now available for download.
A spokesman for Opera Software confirmed that the five security vulnerabilities, three of which are considered "critical," were detected by Israeli security research firm GreyMagic, and said work is progressing on a patch to be released soon.
The multimodal technology allows the development and execution of multimodal applications written to the XHTML+Voice (X+V) standard, and browsers built with the toolkit would allow users to access Web and voice data from a personal digital assistant or Web-capable phone, Opera said.
The toolkit comes with a multimodal editor in which developers can write both XHTML and VoiceXML in the same application; reusable blocks of X+V code; and a simulator to test the applications.
On the security front, GreyMagic issued five advisories for "severe flaws" in the latest version of Opera's flagship browser, hailed as the third most popular behind Microsoft's Internet Explorer and AOL's Netscape.
"Three of the vulnerabilities are rated critical, as they allow full read access to the user's file system, including the ability to list contents of directories, read files (and) access e-mails," GreyMagic cautioned.
First up, GreyMagic warned that Opera 7's default cross-domain security model leaves users open to intruder attacks. It said three flaws in the browser security model could potentially let an attacker access local resources on an infected machine.
One particular flaw is described as "devastating" because it could potentially let an attacker "trojanize native methods in the victim window with his own code and simply wait for the victim to execute it."
"With these three flaws combined, it becomes extremely easy to exploit any document that uses some scripting, including local resources in the file:// protocol," GreyMagic warned, noting that a successful intruder would be able to read any file on the user's file system, read the contents of directories and read e-mails written or received by M2, Opera's built-in mail program.