Opera 7 Holes Detected; Multimodal Toolkit Released

Norway-based alternative Web browser firm Opera Software has confirmed five security holes in the new Opera 7 and plans to release a new version by Wednesday.

A spokesman for Opera Software confirmed that the five security vulnerabilities, three of which are considered "critical," were detected by Israeli security research firm GreyMagic and said work is progressing on a patch to be released soon.

News of the potential breaches comes on the day Opera announced that its Multimodal Browser and Toolkit, built in partnership with IBM, was now available for download.

The multimodal technology allows the development and execution of multimodal applications written to the XHTML+Voice (X+V) standard. Browsers built with the toolkit would allow users to access Web and voice data from a personal digital assistant or Web-capable phone, Opera said.

X+V is a standard for multimodal interfaces so that applications can be written once and used in different environments -- including Web pages, telephones and handheld devices. Opera said the toolkit, built on the Eclipse framework, would let developers use existing skills instead of learning a completely new language, cutting down on overall development time.

It comes with a multimodal editor in which developers can write both XHTML and VoiceXML in the same application; reusable blocks of X+V code; and a simulator to test the applications.

On the security front, GreyMagic issued five advisories for "severe flaws" in the latest version of Opera's flagship browser, hailed as the third most popular behind Microsoft's Internet Explorer and AOL's Netscape.

"Three of the vulnerabilities are rated critical, as they allow full read access to the user's file system, including the ability to list contents of directories, read files (and) access e-mails," GreyMagic cautioned.

First up, GreyMagic warned that Opera 7's default cross-domain security model leaves users open to intruder attacks. It said three flaws in the browser security model could potentially let an attacker access local resources on an infected machine.

One particular flaw is described as "devastating" because it could potentially let an attacker "trojanize native methods in the victim window with his own code and simply wait for the victim to execute it."

"With these three flaws combined, it becomes extremely easy to exploit any document that uses some scripting, including local resources in the file:// protocol," GreyMagic warned, noting that a successful intruder would be able to read any file on the user's file system, read the contents of directories and read e-mails written or received by M2, Opera's built-in mail program.

The company recommended that Opera 7 users disable JavaScript in the browser until the company issues a patch to plug the holes.

GreyMagic also issued separate advisories for less serious bugs in the browser's new JavaScript console and in the way Opera 7 renders images. Both vulnerabilities can be temporarily fixed by disabling JavaScript.
