Chrome 55.0.2883.75

A new version of Chrome fixes at least thirty-six security issues in the browser. Aside from listing the vulnerabilities addressed, the release announcement says only that Chrome 55.0.2883.75 “contains a number of fixes and improvements”. You’ll have to read the change log to figure out what else is different. Sadly, the full change log is another one of those browser-killing monstrosities, with almost 10,000 changes listed. Don’t click that link if you have an older computer.

New, critical Firefox zero-day

If you’re a Firefox user, you might want to think about using a different browser for the next day or so. Researchers have discovered a critical vulnerability that has yet to be patched. Mozilla is working on a fix but there’s no word on when it will be available.

Ars Technica has more.

Update 2016Nov30: Mozilla just released Firefox 50.0.2, which includes a fix for this vulnerability. Mozilla posted about this as well.

Firefox 50.0.1 fixes one critical security issue

There’s a critical security vulnerability in Firefox 49 and 50, and Mozilla just released Firefox 50.0.1 to address it. Which is great, except for one thing: the total lack of anything resembling an announcement.

Yes, Firefox can be configured to update itself or alert you when an update is available, but that setting can also be disabled completely. Worse, it can take days for Firefox’s internal update checker to detect that there’s a new version.

I discovered the new version by way of a post on the US-CERT site.

Vivaldi 1.5

A new version of alternative web browser Vivaldi fixes a load of bugs, improves reader mode, and adds the ability to control home lighting.

Wait, what? Home lighting control? That’s right, Vivaldi 1.5 sports a feature that’s unlikely to have been on anyone’s wish list for their web browser. From the announcement: “Selecting which lights Vivaldi should control, the browser will synchronize your physical surroundings with the color of the web. This opens the door to a thrilling direction.” Apparently the Vivaldi developers are oblivious to the many serious security issues related to IoT devices, including the Philips Hue light bulbs on which this feature depends.

More usefully, Vivaldi 1.5 makes big improvements to tab and bookmark functionality, which in previous versions were at least partially broken in various, random ways. Version 1.5 seems to have addressed all of the remaining tab and bookmark issues.

Vivaldi 1.5 also includes changes to its update mechanism, and will now only download changes (not the entire browser) when updating itself. Presumably the Vivaldi developers noticed Microsoft was doing this for Windows 10 and decided to follow along. It’s a welcome change, but not exactly groundbreaking.

The official announcement post for Vivaldi 1.5 includes a list of all the changes. None of them seem to be related to security.

SHA-1 deprecation coming soon

SHA-1 (Secure Hash Algorithm 1) is still used by some web sites to encrypt their traffic. Starting in early 2017, most web browsers will start displaying scary-looking warnings when anyone tries to visit sites using SHA-1.

Like this one in Edge:

After Feb 14, 2017, Microsoft Edge will show this warning when it detects SHA-1 encryption
After Feb 14, 2017, Microsoft Edge will show this warning when it detects SHA-1 encryption

SHA-1 deprecation announcements

Microsoft

(From a post on the Microsoft Edge blog.)

Starting on February 14th, 2017, Microsoft Edge and Internet Explorer 11 will prevent sites that are protected with a SHA-1 certificate from loading and will display an invalid certificate warning. Though we strongly discourage it, users will have the option to ignore the error and continue to the website.

Mozilla

From a post on the Mozilla security blog.

In early 2017, Firefox will show an overridable “Untrusted Connection” error whenever a SHA-1 certificate is encountered that chains up to a root certificate included in Mozilla’s CA Certificate Program. SHA-1 certificates that chain up to a manually-imported root certificate, as specified by the user, will continue to be supported by default; this will continue allowing certain enterprise root use cases, though we strongly encourage everyone to migrate away from SHA-1 as quickly as possible.

Google

From a post on the Google security blog.

We are planning to remove support for SHA-1 certificates in Chrome 56, which will be released to the stable channel around the end of January 2017. The removal will follow the Chrome release process, moving from Dev to Beta to Stable; there won’t be a date-based change in behaviour.

Firefox 50 fixes 27 security bugs

Firefox users are advised to make sure it’s up to date: version 50 — released yesterday — addresses at least twenty-seven security vulnerabilities. To find out what version you’re running, click the ‘hamburger’ menu icon at the top right, click the question mark icon, then click ‘About Firefox’.

Aside from the security fixes, there’s not much of interest in Firefox 50. The release notes provide additional information.

Google gets tougher on scammy web sites

If you use Google search (and really, who doesn’t?), you’ve probably noticed the big warnings that appear when you try to click on some search results. That’s Google Safe Browsing (GSB), protecting you from a malicious web site.

GSB flags sites that fail to comply with Google’s Malware, Unwanted Software, Phishing, and Social Engineering Policies.

To get rid of the warning, the owner of a site flagged by GSB must remove objectionable content and resubmit the site for verification in Google Search Console. Until recently, this process could be repeated indefinitely.

To counter repeat offenders, Google has changed the way GSB works. If a web site repeatedly fails to comply with Google’s Safe Browsing policies, it will be flagged as such, and the warning users see will appear for at least 30 days.

In the announcement for this change, Google points out that the new repeat offender policy will not apply to sites that have been hacked (i.e. changed without the owner’s permission).

Microsoft to abandon EMET slightly later than planned

Starting in 2009, Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) provided Windows users with an additional layer of security. It was designed to block specific, known types of vulnerabilities. EMET proved particularly useful for people running older versions of Windows, especially XP.

I’ve been recommending EMET since it was first available, and it’s still a useful addition to any Windows system, but I’ve also been running into an increasing number of EMET-related problems, and finally stopped using it on my main Windows 8.1 computer recently.

Microsoft originally intended to stop supporting the Enhanced Mitigation Experience Toolkit (EMET) in January 2017, but based on customer feedback, EMET’s demise will now take place on July 31, 2018.

In the recent EMET end-of-life announcement, Microsoft admits to EMET’s failings, and points out that much of the protection provided by EMET is now built into Windows 10. Of course, that doesn’t help those of us who are avoiding Windows 10 because of privacy and control issues.

Update 2016Nov22: According to CERT (a division of the Software Engineering Institute at Carnegie Mellon University), Microsoft’s claims for Windows 10 are not entirely accurate. While it’s fair to say that Windows 10 includes the system-wide protections provided by EMET, it does not provide per-application settings. In other words, Windows 10 security can be improved by also running EMET. This makes the retirement of EMET by Microsoft seem rather premature.

News for me, stuff that matters… to me. Windows, Linux, security, tools & miscellany.