Opera Security Patched In Secret 88
An anonymous reader writes "Opera 9.10 released in December seemed to be a rather cosmetic update. But as heise Security reports, behind the scenes Opera patched two remote code execution holes — neither of them mentioned in the changelog. In addition, Opera rates an exploitable heap overflow as 'moderate' because it is 'not trivial to exploit it reliably'. From the article: 'JPEG images can be specially prepared to cause a buffer overflow on the heap. Even though Opera suggests in the heading to its security notice that this problem only causes the browser to crash, the flaw can nonetheless be exploited to inject and execute code. Security service provider iDefense, which reported the hole to Opera, has confirmed this. The same holds true for a flawed type conversion in the JavaScript support for Scalable Vector Graphics (SVG). Attackers can specially call the function createSVGTransformFromMatrix to have the browser execute code with the user's rights.'"
Targeted attacks (Score:1, Informative)
(There's also been an outbreak of "geek spam" (phishing, typically) containing technical jargon in an attempt to get under IT geeks' radar, but that's a story for another day... Don't be fooled! :)
Re:patched in secret (Score:5, Informative)
Re:patched in secret (Score:5, Informative)
To get the patched version distributed and installed in a majority of your userbase. It doesn't work that well for open source software because you can diff the source, but it does tend to buy a little time for closed source software if hackers are using your own security bulletins to create the exploit. I think even OpenSSH has used the "you should urgently upgrade to the latest version, but we won't tell you why" to the same effect. But, and this is a big BUT, you shouldn't rely on users upgrading just for the hell of it. You need to tell them this contains critical security fixes, upgrade NOW. That doesn't mean you need to tell hackers exactly where the flaw is.
Re:You deserve to control your computer. (Score:3, Informative)
Free software [gnu.org] cannot be proprietary. In fact, it is the free software movement's proponents who argue that proprietary software is unethical and has no place in society. The only time the folks at the FSF install proprietary software is when they're working on a free replacement program. A user's freedoms to run, inspect, share, and modify software are the freedoms all computer users must have. The reason why we need these freedoms are ethical issues which the free software movement identifies and pursues as such, raising issues of social solidarity to make their point.
By contrast, the open source movement argues for an increase in developmental efficiency and never discusses social solidarity. This technocratic message not only carries no weight with most computer users (who aren't developers), it stresses the quality of the programming over what users are allowed to do with a copy of the program once they get it. This is why a few OSI-approved licenses are considered non-free (such as the v1.x revisions of the Apple Public Source License)—the criteria for acceptance comes from the movements' different philosophies. This is also why open source proponents sometimes side with proprietors—running proprietary video drivers instead of switching to other hardware or simply doing without the fancy 3D graphics; setting up repositories where users can more easily acquire copies of proprietary software (like the Ubuntu GNU/Linux repo which carries Opera, among other proprietary programs). Some open source movement proponents even drop the pursuit of technical superiority when faced with an argument of popularity, which is why some endorse the use of the patent-encumbered MP3 lossy audio codec when Ogg Vorbis is not only technically superior (as demonstrated in numerous blind listening tests) but has objectively better tagging. Open source proponents have no means to argue against technically superior programs even when the license for those programs hold users separate and helpless to control their own computers.
Years ago, Richard Stallman wrote about the difference between the two movements [gnu.org]. More recently, he addressed this difference [fsfeurope.org] when he spoke at the fifth international GPLv3 conference in Tokyo in 2006. One interesting consequence of the differences is what you have to start with if you want the social solidarity the free software movement champions as well as powerful reliable software.
Finally, it's important to not conflate the difference between freedom and skill. Freedom has to do with permission. I have the freedom to criticize my government even though I can't write as well as the man whose pen name was William Shakespeare. I could choose to spend more time reading and learning to write better, as he did. My lack of skill does not in any way justify denying me my freedom of speech. So how well I can do this task, how well others I trust can do it, doesn't enter into the situation.
Re:dev blogs and such (Score:3, Informative)
please, please give us an open bugzilla. that will benefit you and that will benefit your users - problems will not be reported 10 times, only 2 or 3
if you feel that some bugs (like security problems) would be much better handled in a non-public way - hey, most security researchers know how to contact security@whatever.org - and you probably could do what novell are doing - a checkbox in a bug submitting form "this should be viewable only by opera" and so on.