Opera Software has confirmed it is working on a patch for  a critical vulnerability in its Opera desktop browser.

The Norwegian browser maker did not set a timeline for fixing the bug, but a spokesman said it would be released "as soon as possible."

The flaw, which Danish bug tracking vendor Secunia rated as 'highly critical', the second-highest ranking in its five-step coring system, can be exploited by attackers to corrupt memory, crash Opera and theoretically execute attack code.

According to the researcher who posted proof-of-concept attack code on the web last week, the bug affects Opera 10, including the newest version, Opera 10.50, which shipped last week.

Opera contested Secunia's initial report of the vulnerability, claiming that the bug is not a security issue because attackers would be able to only crash the browser, not gain control of the PC.

After prompting from Secunia and further investigation, however, Opera conceded that the flaw might be exploitable.

"In a 64bit environment this would still crash, but in a 32bit environment it ... could potentially be used to move memory from one location to another without crashing, provided the specified length was not too long," said Opera spokesman Thomas Ford.

Ford downplayed the threat, saying that it's unlikely any exploit would be reliable enough to pose a risk to users.

"There are so many dependencies in data used in an application like Opera that getting valid data into every location that needs it is rather unlikely, and a crash soon after the corruption is the most likely scenario, unless the final phase of the attack can be carried through very quickly, something which depends on a large number of variables," he added.

Only the Windows versions of Opera contain the vulnerability; users can protect their PCs until a patch is issued by making sure that DEP (data execution prevention) and ASLR (address space layout randomisation) are enabled, said Ford.

Microsoft debuted DEP with Windows XP Service Pack 2 (SP2) in 2004, and began using ASLR with Windows Vista in early 2007. Windows 7 features both security mechanisms.

"Since this is considered a security issue, even if it is currently theoretical, we have a fix ready and are testing it," said Ford.

"The plan is to release an update of Opera soon."

Opera accounted for about 2.4 percent of all browsers used worldwide last month, according to web metrics company Net Applications.

Irish measurement company StatCounter, meanwhile, estimated that Opera owned a two percent global share in February, but a 4.3 percent share in Europe.

The browser is one of the five that appear by default in the first screen of the browser ballot that Microsoft began sending to Windows users in the European Union last week.

See also: Opera sees three-fold increase in downloads