Hi out there,

there have been questions concerning the criticality of the Opera 7.54 security hole series which was published last month (http://archives.neohapsis.com/archives/bugtraq/2004-11/0250.html).

From my subjective point of view, the Opera bug is worse for users, because it is not fixed in the core product, only in the beta version, while the Sun plugin bug has been fixed since 1.4.2_06.

Remember: Opera does not use the standard plugin mechanism although they allow the use of a standard JRE. This should not be mixed up. The Opera implementation does allow an applet to load any sun.* class regardless of the JDK version installed. This is comparable in criticality to the plugin bug.

What makes things worse is the fact that the presented vulnerabilities (and some more) cannot be fixed by just installing a clean 1.4.2_06; you need to adjust the policy file manually if you stick to Opera 7.54, which is the current product version. So we have an up2date program version with unfixed and exploitable vulns. These vulns are labeled 'uncritical' in some "expert" security databases (http://secunia.com/advisories/13257/). This trivialization is a pretty bad starting point when you really want to "stay secure" :-( The bug is not fixed, may expose your user name and hard disk structure to some untrusted software and is labeled 'uncritical'?

To summarize, don't be misled by these unrealistic criticality levels; to protect your privacy, remove Opera, remove all old Java versions, install Java 1.4.2_06 (optionally) and use a decent browser that implements the plugin standard interface (such as Firefox). This last recommendation is temporary and may be obsolete when an official 7.60 version has been released. Hopefully before xmas?

Sincerely
Marc Schönefeld

--
Never be afraid to try something new. Remember, amateurs built the ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld
Dipl. Wirtsch.-Inf. / Software Developer