You and just about everyone else, it seems, are spending more and more time on Facebook and Twitter, updating statuses and checking friends' tweets. That's all well and good, of course, but the amount of personal information that all of you share in real time, and the level of trust implicit with the social networking sites, do pose particular security and privacy problems.
A recent study from Sophos found that Facebook users reveal a lot of personal information to new friends, including ones they really don't even know or have never met. Using fake profiles, Sophos sent out friend requests to 100 random Facebook users, and more than 40 percent blindly accepted, giving the company access to birth dates, e-mail addresses, phone number and addresses--private information strangers shouldn't have.
The openness of Twitter--anyone can follow anyone else, and posts are indexed in search engines--makes it a nirvana for spammers. Kaspersky says there are nearly 500,000 new unique URLs that appear in Twitter posts daily, and of those, anywhere between 100 and 1,000 are malware attacks.
Here's a look at some of the specific threats users of the sites face and what they can do about it.
A rogue app that appeared early in the year sent notifications to Facebook users reporting they were violating terms of service and offering a link that lead to an application called "facebook -- closing down!" which then spammed all the friends of affected users.
(Credit: Trend Micro)Problems: Malware, account hijacking, phishing, and social engineering
The biggest malware risk is Koobface, (an anagram of Facebook), which is a worm that targets social networking sites and affects Windows-based computers. Once a computer is infected, it hijacks the Facebook account and sends messages to other friends of the victim, enticing them to click on a link. The link redirects to a Web site where they are prompted to download software ostensibly to watch a video. However, there is no video; only malware that infects the system, blocks access to security sites, and can be used to steal sensitive information from the computer, such as credit card numbers. Infected machines can then be used to spread the worm to others on Facebook, send spam and distribute fake antivirus alerts, said Rik Ferguson, a security researcher at Trend Micro. Koobface now can automatically create new profiles using infected machines, he said.
Facebook accounts can be hijacked in several ways. A brute-force attack can be used to guess passwords. Users can fall for phishing attacks by clicking on links in messages or e-mails purportedly coming from friends that redirect to a fake Facebook log-in page. Or malware such as Koobface can steal passwords.
Social engineering is a huge problem for social networks because the trust that users have for messages and posts from friends can be easily exploited by scammers. Hijacked accounts are used to send everything from spam touting weight loss plans to links that install malware and steal passwords to fake emergency messages saying a friend is stranded in another country and needs someone to send money. Scammers are also sending e-mails that look like they come from Facebook and include an attachment that contains a Trojan.
Solutions: Use antivirus and anti-malware software and keep it up-to-date. Install security updates for operating system and other software. Use software like AVG Linkscanner or McAfee Site Adviser to protect against phishing and malware attacks. Become a fan of the Facebook Security page, which has posts related to all sorts of security issues, tips, resources and other information. If you think you've been infected with Koobface or other malware you should reset your password and notify friends who may have been affected.
Use an up-to-date browser that features an antiphishing black list, such as Firefox 3.0.10 or Internet Explorer 8. Be aware of where you enter your password. Check to see that you are logging in from a legitimate Facebook page with the Facebook.com domain. Be wary of unusual stories or offers that are too good to be true. Verify information with sources directly. Be cautious of any message, post or link that looks suspicious, requires an additional log-in or asks you to download or upgrade software. If a link seems odd or lacks context, don't click on it. Don't click on links or open attachments in suspicious e-mails. You can add a security question from the "Account Settings" page if you would like an additional layer of protection.
Problem: Rogue applications
Facebook doesn't vet every app that appears on the site, which means there is a risk that some apps will have bugs in them or will violate Facebook's privacy policies. Facebook has proven diligent in removing rogue and problem apps quickly when it is notified, but unlike iPhone apps, pretty much anyone can write a Facebook app. "Because the code is not always of professional standard or hosted or audited by Facebook, we've seen innocent apps compromised externally and used to deliver malware, such as fake antivirus," Ferguson said. One rogue app that appeared early in the year sent notifications to Facebook users reporting them in violation of terms of service and offering a link that lead to an application called "facebook -- closing down!" which then spammed all the friends of affected users, according to Trend Micro.
Solution: See solutions above, and be cautious about adding applications. Research the developers and perform Web searches to see if anyone has complained about the app. And ask yourself, what value does the app provide? Do I really need to play zombie?
Problem: Privacy leaks due to user error
Because people control who they are friends with on Facebook it is easy for users to have a false sense of security about the privacy of their data and activities on the site. Social engineering attacks, lax security practices by users like using weak passwords and design or implementation problems with the site itself can undermine the privacy protections users rely on. Users who fall for phishing scams and get their accounts hijacked have everything in their account exposed to strangers who can then use the different types of data for identity fraud or to target the victim's friends with social engineering attacks.
Solution: See solutions above. Also, use unique logins and passwords for each Web site you access. Use strong passwords, change them often and don't share them with anyone.
These instructions explain how to keep most people from viewing your friends list on Facebook.
(Credit: CNET)Problem: Privacy leaks due to design or implementation issues
Privacy advocates contend that Facebook's lenient apps approval process, privacy policies and confusing privacy settings put users at risk. Two weeks ago, Facebook asked users to configure their privacy settings. The options were confusing and many people were inclined to just keep the default settings, which are set to make the data visible to the Web rather than opting to use the old settings established by the user. Screenshots and descriptions are detailed on this photo gallery.
Many people have complained that it is difficult to figure out how to change the privacy settings, that they are not intuitive and that there doesn't seem to be one central place for that. And using Facebook Connect with outside apps, like the iPhone app Foursquare, can expose more information than a user expects to share. The new privacy changes at Facebook have prompted the Electronic Privacy Information Center to ask the Federal Trade Commission to investigate.
Facebook encourages people to share their full names, date of birth, home town and other information, all pieces of information that are commonly used in identity fraud. Scammers on underground sites even refer to Facebook as a "free date-of-birth look up service," according to Ferguson. People don't realize that their profile information can be accessed by total strangers who happen to be in the same groups or networks unless they specifically change the settings. People who don't trust random apps--which in general have access to profile information even if it isn't necessary to the function of the app--don't realize that the apps their friends are using also have access to their data. "Friends apps can access most of your profile, interests and groups. There is no way to prevent them from accessing your name, profile, photo, town and gender," said Joseph Bonneau, a PhD candidate in security at the University of Cambridge. In response to user feedback, Facebook made a change that allows users to hide their friend lists from everyone but their friends, a Facebook spokesman said.
Solution: CNET has a tutorial on how to hide your Facebook friends list by clicking on the pencil in the friends box on your profile. Detailed instructions and tips on dealing with Facebook privacy settings are available on the DotRights.org site and on the All Facebook blog. Facebook also has a blog post about the privacy changes.
Problem: Privacy leaks related to marketing
The relationship between the apps and advertisers can also cause problems. Adding an app allows the app to show ads inside the Facebook domain, and that can leak a user's profile information to the advertiser, said Peter Eckersley, a staff technologist at the Electronic Frontier Foundation. Meanwhile, cookies and other browsing tracking technology combined with data from social networks can be used by marketers to identify users for targeted advertising and other purposes, Eckersley said, providing details in a blog post on different ways data can be leaked from social networks to third-party tracking firms. Once marketers know a specific person's user name, they can use that identifier in the URL to get to a user's public profile page, according to Eckersley. "They can create a social graph of your date of birth, city, employment, relationship status, all uniquely codified in a way that can be automatically sucked into a database," he said.
Solution: Pick a good cookie policy for the browser, such as manually approving all cookies or only keeping cookies until the browser is closed. Disable Flash cookies. Use Firefox extensions such as RequestPolicy and NoScript to control when third-party sites can include content or run code in the browser page. Use the Targeted Advertising Cookie Opt-Out plugin or AdBlock Plus to block ads. To hide your IP address and other browser characteristics, use Tor via Torbutton.
Problem: Information used to suppress dissent and target political activists
As with e-mail, blog postings and other public expressions of dissent, Facebook and Twitter have been used by governments to target protesters. The Wall Street Journal reported earlier this month that family members of Iranian Americans had been arrested or questioned because of anti-Iranian government posts on Facebook by members outside the country. In other instances, Iranians living abroad were forced to log into their Facebook accounts or reveal passwords to government officials as they arrived at the Tehran airport and some even had their passports confiscated because of their political posts. In the U.S., the EFF says, officials have taken actions against U.S. citizens based on information discovered on their social networks; the group has sued the CIA and other agencies for allegedly refusing to release information about how they are using such sites in surveillance and investigations.
"Basically, every time you post something to Facebook you should assume that the whole world will know what you've posted, your family, employer, the government, people you don't trust," Eckersley said.
Solution: Think carefully about what information you want to share about yourself and consider only posting information you would want to let the general public see.
Twitter has many of the same malware, phishing, hijacking and social engineering issues that Facebook has, and the solutions for those problems would be the same. Because users don't provide much personal information to Twitter, and can even create accounts using all fake information, and because anyone can follow anyone else, there aren't the same issues with privacy, either. But that makes life easy for spammers.
Security does seem to be a worrisome thing with Twitter. The site has had several serious problems from employee accounts getting compromised. In January, someone hacked into the Twitter internal network -- possibly by guessing the password -- and gained access to the Twitter accounts of President Obama, CNN anchor Rick Sanchez, and 31 other high-profile Twitterers. In May, someone broke into Twitter's network and gained access to 10 accounts, which appeared to include Britney Spears and Ashton Kutcher. In that breach, a hacker was able to gain access to a Twitter employee's Yahoo account through the password recovery system and from there get information from other sites, including access to the employee's Twitter account. And last week, the legitimate account of a Twitter employee was used to hijack the site and redirect visitors to an external page displaying a banner for the "Iranian Cyber Army."
Meanwhile, Twitter was crippled (and Facebook and other sites also affected) by a rare politically motivated denial-of-service attack targeting one user in August. However, that incident reflects more on Twitter's ability to keep the site up in the face of an attack and accessibility than it does about security risks to users.
Twitter users are susceptible to getting their accounts hijacked, and the site has been targeted by clickjacking pranks. In these social engineering attacks, users were encouraged to click on links that distributed the original tweet to all of the Twitter user's followers.
Users with large numbers of followers have an added responsibility to be careful, particularly when setting accounts to automatically post items from news feeds. A malicious post on an unmoderated news feed that venture capitalist Guy Kawasaki was re-tweeting distributed a Trojan to more than 139,000 followers in June.
Kaspersky offers a Krab Krawler tool that analyzes tweets as they get posted on Twitter and blocks any malware associated with them. Trend Micro has technology that monitors Twitter posts for malicious URLs, as well as looks for attack patterns in the posts, such as use of popular terms to indirectly lead people to malicious links. And Finjan offers a free browser plug-in dubbed SecureTweets that warns users when they encounter a malicious URL in Twitter, as well as Blogger, Gmail, Google and a host of other popular sites. To keep up with security issues on Twitter follow Twitter's Spam Watch account.
Social networks are also susceptible to other serious security problems that can hit any type of Web site. For instance, last week passwords of 32 million stored in plain text on the RockYou site were exposed by a SQL injection attack, according to security firm Imperva. Because the passwords are used on other affiliate sites to the social networking application maker, the breach jeopardized other accounts, like Gmail, Hotmail, and Yahoo.
Adobe warned of reports of an attack exploiting a hole in Reader and Acrobat on Monday.
"This afternoon, Adobe received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild," the company said in an advisory on its Security Incident Response Team blog. "We are currently investigating this issue and assessing the risk to our customers. We will provide an update as soon as we have more information."
Three different security vendor partners reported the alleged exploit to the company on Monday afternoon, said Adobe spokeswoman Wiebke Lips. She said she could not provide more details.
Last week, Adobe released a critical update affecting Flash Player and Adobe AIR.
Meanwhile, some Macintosh users were reporting on the Adobe Forums site that they were having problems installing an update from October that resolved a critical vulnerability in Adobe Reader and Acrobat 9.1.3 that had reportedly been exploited in the wild.
Updated 6:01 p.m. PST with Mac user problems installing update.
PC Tools' Internet Security suite for 2010 gets some things right, and frustratingly drops the ball on others. It's hard not to like the feature set, which is robust, and the recent efficacy badge from Virus Bulletin. However, some of the problems in the suite are glaring and will potentially scare aware users who might otherwise find it a good security tool.
The default landing page should appeal to those who like quick glances to ensure everything is running smoothly. Green checkmarks or red Xes make it easy to see if you're at risk. Drilling deeper down to the settings pages could be better, though. Too often, the plain text felt squished by the chunks of white space on the right, and made it unnecessarily hard to parse logs and fine-tuning controls like the firewall or advanced scan settings.
The performance benchmarks weren't horrible, but they didn't impress, either. Falling somewhere in the middle of its competitors, and notably slow especially on computer start-up times, the suite could be much more nimble. Also annoying is that when held up against most of its competitors, the trial version is noticeably hamstrung. You only get 15 days to make a decision with the suite, and it won't remove any threats it detects.
What PC Tools fans will like is that although two earlier tests by Virus Bulletin this year gave PC Tools Internet Security 2009 failing marks, the first test of the new version passed the test on Windows 7. So for those with new computers, PC Tools' slightly lower price point of $50 for three licenses for its premium product may stand out as a good deal. Read the full review at CNET Reviews.
You wouldn't necessarily expect it, but Avast and Google Chrome might be the next peanut butter-and-jelly combo in the software world. Google's nascent browser has paired with one of the most popular free security programs in the world so that when users run the Avast installer on a computer that has neither Chrome nor Avast, they'll be offered a chance to install Chrome simultaneously. This is the first such bundling for Avast in its 21-year existence.
The Chrome installation window in the Avast installer is cleverly polite.
(Credit: Screenshot by Seth Rosenblatt/CNET)The Chrome option in the Avast installer does two things differently from the more familiar opt-out user experience that many programs provide in an installer in exchange for financial sponsorship. For one thing, the Chrome window only turns up if you don't already have it installed, but more importantly, it forces users to actively choose installation. Neither the "yes, install" nor the "no, don't install" radio buttons are checked by default. Of course, users are forced to check off "no" if they don't want it, but this should dramatically cut down on the incidence of accidental installations that tend to plague otherwise-similar piggybacking installs.
The Avast/Chrome combo may strike some as an odd couple, or at least more beneficial for Avast than for Chrome, but keep in mind that Avast has more than double the users that Chrome does. Google's Vice President of Product Management Sundar Pichai said Chrome had more than 40 million users at the Chrome OS press conference at the end of October, and the end of November saw NetApplications peg Chrome at 3.93 percent of the browser market, a 0.35 percentage point increase. Meanwhile, on Avast's Web site, the Czech Republic-based security vendor is preparing to fly its 100 millionth user to Prague on an expenses-paid trip.
A Google spokesman indicated that other deals might be in the works. "Users' response to Google Chrome has been outstanding, and we're continuing to explore ways to make Chrome accessible to even more people. This could potentially include distribution via a number of channels, such as the distribution we are currently doing with Avast."
CNET News staff writer Stephen Shankland contributed to this report.
An Avast virus definition file update late Wednesday accidentally marked hundreds of legitimate files as threats. The Czech Republic-based publisher Alwil responded quickly, issuing a fix less than six hours later, but some users are still dealing with the aftermath.
Restoring files improperly flagged as threats worked fine on my work computer, but not at home.
(Credit: Screenshot by Seth Rosenblatt/CNET)Going through Avast's forums, the Avast-written guide for rescuing files falsely marked as threats should be quite simple. Force an Avast update, then from the main interface go to Menu, then Virus Chest. Right-click on the file in the chest you want to resuscitate, choose Scan to double-check that it's not a threat, then right-click on it again and choose Restore. Avast cautions that if that fails, you can choose Extract to put the file back where it came from.
For some instances of the Avast 5 beta and Avast 4.8, this doesn't work. The best solution I've found is the most annoying: run the installation file again. This certainly takes longer, but right now I've been unable to find any other solution that can be applied across the board. The one saving grace about reinstalling is that, at least for the files on my home computer that were affected, I didn't need to reconfigure any of the settings. The KMPlayer, IOBit Smart Defrag, and Find and Run Robot all retained their previous DLLs and other settings.
Keep in mind that this isn't the first over-eager definition file update. Two of the more recent ones include an incident from July that saw an update from Computer Associates flag a Windows XP system file as a virus, and last year AVG falsely identified a file from security provider ZoneAlarm as a virus.
If you're continuing to have problems from the Avast update, let us know in the comments below.
Microsoft said on Thursday that it will offer six updates for 12 vulnerabilities next week including a critical hole in Internet Explorer that affects Windows 7 and other current versions of the operating system for which exploit code has been released.
Late last month, Microsoft said it was investigating an IE vulnerability after someone released proof-of-concept code affecting IE 6 and IE 7 that could be used to take control of computers.
Microsoft described the problem in an advisory issued November 23: "The vulnerability exists as an invalid pointer reference of Internet Explorer. It is possible under certain conditions for a CSS/Style object to be accessed after the object is deleted. In a specially-crafted attack, Internet Explorer attempting to access a freed object can lead to running attacker-supplied code."
Of the six updates Microsoft will release on Patch Tuesday, three of them are critical, according to a Microsoft security bulletin advance notification.
Software affected includes Windows 2000, Windows XP, Vista, Windows 7, Server 2003, Server 2008, Office XP, and Office 2003.
(Credit:
Avast)
Czech Republic-based Avast issued an update late on Wednesday to its antivirus software that mistakenly flagged hundreds of innocent files as a Trojan. It fixed the situation five and a half hours later.
Falsely labeled as malware were programs from Adobe, Realtek, sound card drivers, and various media players, among others, according to a blog post on the Avast Support Center.
The errant update had been issued around 12:15 a.m. GMT. A new update was issued at 5:50 a.m. GMT that corrected the problem. Customers who did not use their computers between that time will most likely not be impacted, the company said.
The software was identifying the good files as the Win32:Delf-MZG Trojan, according to Avast.
Avast, based in Prague, did not respond to an e-mail late on Wednesday seeking comment.
False positives happen in the industry. In July, Computer Associates' antivirus software was falsely tagging a Windows XP system file as a virus, and last year AVG falsely identified a file from security provider ZoneAlarm as a virus.
Black Friday is almost upon us, and the steep hardware discounts mean new computers for many. To help you during these tough economic times, we've refreshed the Download.com Security Starter Kit for 2010. Although nothing can replace common-sense browsing, this collection of freeware security tools will help you protect new machines and old from pernicious threats, large and small. Longtime readers will notice that in addition to changing up our recommended antivirus program, we've fleshed out the Web browsing safety category, and made other changes as well. If you're looking for more than freeware security programs, check out the CNET Download.com Windows Starter Kit for 2010.
In this year's version, you can expect to see Avast chosen ahead of AntiVir as our most favored antivirus app. Despite its odd interface, Avast scored higher than any other freeware antivirus in a third-party test, and it doesn't skimp on protection, either, with e-mail, network, rootkit, and behavioral guards along with its top-rated virus protections.
We're still recommending Malwarebytes Anti-Malware for spyware removal, but we've also added PC Tools' standalone ThreatFire as an excellent way to strengthen behavioral detections and prevent spyware from infecting you in the first place. Recent improvements to the program have made it incredibly light on resources, and in our days of empirical testing we didn't notice it slowing down our computers at all.
New this year is the expanded in-browser security category. We've recommended five browsing tools that are available as add-ons, and we took care to make sure that they applied to as many of the major browsers as possible. However, Firefox's deep add-on toolbox makes it naturally the browser with the most diverse collection of security tools, so expect to see it heavily, although not exclusively, represented.
PC Tools' ThreatFire.
(Credit: Screenshot by Seth Rosenblatt/CNET)Firewalls used to be the forefront of security, but now they're just another tool you should have. Microsoft has made the native Windows 7 firewall impressively useful, but we realize that not everybody has Windows 7, and even those who do might want an alternative. This year, Online Armor joins Comodo on the list.
In Encryption, TrueCrypt remains the gold standard. The Thunderbird extension Enigmail joins it as a must-have tool for keeping your private e-mails as you intended them--away from prying eyes. In Parental Control, we've added OnlineFamily.Norton. It's not strictly desktop based, although to use it you must use its desktop hook, called Norton Safety Minder. Symantec has created what looks to be a unique and free approach that includes an emphasis on parental education and attempts to foster parent-child communication about how to use the Internet safely. We're of the opinion that anything that helps parents realize that browsing the Internet is far more than a TV with options is a good thing.
If you disagree with our security and safety choices for the Security Starter Kit, please let us know in the comments below.
With most computers threatened by attacks coming through Web applications, it's no surprise that security would be a key piece of Chrome OS, Google's browser-based operating system that stores data in the cloud.
In this video, Google security engineer Will Drewry explains how Chrome OS separates user data from root or system data, which makes the system more secure and easier to re-install the operating system.
(Credit: Google)Google showed off its new lightweight operating system designed for Netbooks and cloud computing on Thursday. As anticipated, it will rely on many of the same security features and concepts used by the Chrome browser.
"The browser is the operating system. We've expanded the browser to add operating system functionality," Caesar Sengupta, a group product manager at Google, said in an interview.
Chrome OS uses a combination of operating system-level protections and exploit mitigation techniques to limit the attack surface, or amount of code that can be targeted in an attack, and to reduce the likelihood of an attack being successful. "The biggest security impact is that all applications run within the browser," Sengupta said.
Chrome relies heavily on sandboxing, keeping different processes and applications in separate partitions. This limits the interaction between applications and the OS kernel.
For example, with conventional operating systems, if an application crashes, it can crash or otherwise affect other programs that are running, Sengupta said. "But if everything is sandboxed, that becomes more difficult to do," he added.
Many systems are compromised by deceptive attacks, such as when a user opens an innocent-looking PowerPoint file which unleashes a virus or other malware that can get access to everything on the computer.
With Chrome, "applications can't just download any binary and run it," Sengupta said.
Chrome has a verified boot process that uses cryptography to ensure that the Linux kernel, the nonvolatile system memory, and the partition table are not tampered with when the system starts up, according to a security overview of Chrome. (Google security engineer Will Drewry explains the security concepts of Chrome OS in a video on YouTube.)
"Right now, on your conventional operating system, any kind of process can run, which makes it difficult to predict what any process will do," Sengupta said. "On Chrome, because the whole operating system is essentially signed by Google, there is a lot we can do to make it secure."
If an application manages somehow to break out of the browser sandbox, to get through the kernel hardening and processing infrastructure, and manages to change something on the operating system, the changes will be detected the next time the user boots up the machine. "As soon as it detects something is different and not signed by Google, it will warn the user and try to clean itself again," Sengupta said.
Cleaning up is easier than with a standard operating system, too, because the system data is separated from the user data, which includes user preferences, system settings, and a local cache of data stored on the Google servers in the cloud, he said.
All user data stored by the operating system, browser, and any plug-ins are encrypted and users cannot access each others' data on a shared device, according to the Chrome OS security page.
Meanwhile, Chrome will automatically update to get the most recent software and patches for the operating system, just like the Chrome browser updates in the background while users are online, Sengupta said. Users will not run the risk of having their system get infected or compromised before they can install updates, as happens with Windows and other software.
In addition, the antiphishing technology found in the Chrome browser will protect Chrome OS users from inadvertently visiting malicious Web sites, he said.
Google is publishing detailed design documents on Chrome OS, which will allow security experts to scour the code for weaknesses over the next year before the operating system is released to the public, according to Sengupta.
There are some security and networking technologies that are supported in other operating systems that Google is passing on, at least for now.
Google will keep an eye on biometric authentication technologies, but believes that the cost/reliability trade-off is not where it needs to be just yet, according to the security overview for Chrome OS. Smart cards and USB crypto tokens are "interesting technology, but we don't want our users to have to keep track of a physically distinct item just to use their devices," the overview concludes.
Google is likewise not interested in Bluetooth, a wireless protocol widely used in laptops and handheld devices, for authentication. "Bluetooth adds a whole new software stack to our login/screenlocker code that could potentially be buggy, and the security of the pairing protocol has been criticized in the past," the security overview says.
Updated November 24to clarify that Bluetooth is not being considered for authentication.
Amid promises to "reinvent the Web," the browser Opera debuted a new beta feature earlier this year called Unite that has been deemed stable enough to offer to all users. Opera's own hype aside, the Unite service provides people with the capability to serve files, host and stream music, and send messages to each other from inside the browser itself--a feature that is unique among the big five browsers. Opera 10.10 is available for Windows, Mac, and Linux.
Much like Opera's built-in e-mail client, Unite is basically a cloud-based, customizable server that includes multiple services, but its open API allows you to write and share your own services. The initial offering includes the default Unite Home, which is the Opera Unite Web page that is given to each user, a media player for creating your own publicly available music stream, the "fridge" for a Facebook-style message wall, an instant messenger with a public/private toggle, a photo sharing app, and file serving and Web hosting capabilities.
Besides including Unite, Opera 10.10 also includes an array of bug fixes, mostly aimed at smoothing out the Unite experience, tweaking mail, news, and chat features, and fixing three security problems. Two are relatively minor, one concerning an error message leak and the other a buffer overflow. The third error Opera is refusing to disclose at this time, but stated that it was discovered by the Google Security Team's Chris Evans. The full changelog for Opera 10.10 is available.
As I've tested Unite over the past few months, it's generally been a stable experience, with a few hiccups to be expected by the beta. However, it hasn't exactly set the browsing world on fire, either, and its target audience is still hard to define. Do you have an opinion on Unite? Let me know in the comments.
