Tails has reported that previous versions of its software have "Numerous Security Holes"

Numerous security holes in Tails 0.10.2 Posted Sun 22 Apr 2012 00:00:00 CEST .... All the way back to

Numerous security holes in T(A)ILS 0.5 Posted Sun 17 Oct 2010 11:12:13 CEST

It stands to reason that before long there will be a message about whichever version you are currently using.

Now that I know the software I am using contains inevitable "numerous security holes", can someone please explain how this affects security online?

Can an adversary of power simply find the vulnerabilities before Debian and exploit them en masse, resulting in TAILS being an open book for such as government and local police force?

Can a vulnerability be selected from a previous release and explain how TAILS users could have been affected while they were (previously) using the software (worst-case scenario)?

Yes, it's more than possible that hackers use exploits before they are discovered and patched upstream (by Debian / Mozilla etc.). Such an exploit can be referred to as zero day, I believe, as there is no current patch and everyone is vulnerable.

Some serious exploits have gone for years unpatched - I think that there was a long-standing issue discovered with Debian or Ubuntu (or both?) last year but I may be wrong.

Hackers will sometimes design and trade exploits. I expect that governments also develop exploits as part of their cyber security arm (e.g. Stuxnet) so it's highly likely that there are many unknown exploits in the wild.

I think that open source software such as Linux is safer from such issues though for the standard open source vs. proprietary reasons (e.g. more eyes on the code). I might expect that a company selling proprietary software may be less forthcoming with security vulnerabilities due to their commercial interests. Also, fewer people use Linux, making the dividends potentially smaller when compared to Windows. Finally there is some serious enterprise that relies on Linux for servers and the like which I'm sure adds some weight to the counter effort.

As you note, it is likely that a new vulnerability might be uncovered before the next large Tails release. In my experience, Tails devs are quick to give the warning and usually follow with a point release a couple of days later. This is pretty good as far as I am concerned - if someone needs anonymity for life or death reasons then at least they are informed and can avoid making any mistakes until the patch is published.

Regarding your last question, I do not feel like doing that research for you, but I will give a hint. Any mention of executing arbitrary code refers to potentially running nasty code that could range from having your computer completely owned to having your website login details stolen. If you want peace of mind, I suggest you take a look for yourself.

To reduce risks you can disable scripts globally via the NoScript button every time you run the browser. Also, unless you have legitimate reason to expect a targeted attack against you or you have a habit of visiting particularly dodgy websites then you should be fine anyway - unless you get hit by a very specific trojan, Tails' amnesic properties should also provide some defence against zero day exploits (at least once you power down after being infected).

That said anything's possible and I'm no expert so I would appreciate if anyone else can correct me or chime in with more info.

Comment by Anonymous Mon 21 May 2012 05:17:44 AM CEST

Every system can / will be broken if enough resources are used. Tails is no exception.

The good thing about Tails is that security holes are being detected and fixed. All in the open. It gives me a good feeling. So far the evolution seems to favor Tails.

For many users it's the only communication tool they can use, the "least worse" option.

And no, snail mail secret communication is just as vulnerable, see for example the Queen Mary of Scots drama.

Comment by Anonymous Mon 21 May 2012 01:14:49 PM CEST