If you’re a Firefox user, you might want to think about using a different browser for the next day or so. Researchers have discovered a critical vulnerability that has yet to be patched. Mozilla is working on a fix but there’s no word on when it will be available.
Update 2016Nov30: Mozilla just released Firefox 50.0.2, which includes a fix for this vulnerability. Mozilla posted about this as well.
There’s a critical security vulnerability in Firefox 49 and 50, and Mozilla just released Firefox 50.0.1 to address it. Which is great, except for one thing: the total lack of anything resembling an announcement.
Yes, Firefox can be configured to update itself or alert you when an update is available, but that setting can also be disabled completely. Worse, it can take days for Firefox’s internal update checker to detect that there’s a new version.
I discovered the new version by way of a post on the US-CERT site.
Version 41.0.2353.69 of Opera upgrades the browser’s Chromium engine, and fixes one ‘nasty’ crashing problem involving dragged bookmarks (change log).
A new version of alternative web browser Vivaldi fixes a load of bugs, improves reader mode, and adds the ability to control home lighting.
Wait, what? Home lighting control? That’s right, Vivaldi 1.5 sports a feature that’s unlikely to have been on anyone’s wish list for their web browser. From the announcement: “Selecting which lights Vivaldi should control, the browser will synchronize your physical surroundings with the color of the web. This opens the door to a thrilling direction.” Apparently the Vivaldi developers are oblivious to the many serious security issues related to IoT devices, including the Philips Hue light bulbs on which this feature depends.
More usefully, Vivaldi 1.5 makes big improvements to tab and bookmark functionality, which in previous versions were at least partially broken in various, random ways. Version 1.5 seems to have addressed all of the remaining tab and bookmark issues.
Vivaldi 1.5 also includes changes to its update mechanism, and will now only download changes (not the entire browser) when updating itself. Presumably the Vivaldi developers noticed Microsoft was doing this for Windows 10 and decided to follow along. It’s a welcome change, but not exactly groundbreaking.
The official announcement post for Vivaldi 1.5 includes a list of all the changes. None of them seem to be related to security.
SHA-1 (Secure Hash Algorithm 1) is still used by some web sites to encrypt their traffic. Starting in early 2017, most web browsers will start displaying scary-looking warnings when anyone tries to visit sites using SHA-1.
Like this one in Edge:
(From a post on the Microsoft Edge blog.)
Starting on February 14th, 2017, Microsoft Edge and Internet Explorer 11 will prevent sites that are protected with a SHA-1 certificate from loading and will display an invalid certificate warning. Though we strongly discourage it, users will have the option to ignore the error and continue to the website.
From a post on the Mozilla security blog.
In early 2017, Firefox will show an overridable “Untrusted Connection” error whenever a SHA-1 certificate is encountered that chains up to a root certificate included in Mozilla’s CA Certificate Program. SHA-1 certificates that chain up to a manually-imported root certificate, as specified by the user, will continue to be supported by default; this will continue allowing certain enterprise root use cases, though we strongly encourage everyone to migrate away from SHA-1 as quickly as possible.
From a post on the Google security blog.
We are planning to remove support for SHA-1 certificates in Chrome 56, which will be released to the stable channel around the end of January 2017. The removal will follow the Chrome release process, moving from Dev to Beta to Stable; there won’t be a date-based change in behaviour.
Firefox users are advised to make sure it’s up to date: version 50 — released yesterday — addresses at least twenty-seven security vulnerabilities. To find out what version you’re running, click the ‘hamburger’ menu icon at the top right, click the question mark icon, then click ‘About Firefox’.
Aside from the security fixes, there’s not much of interest in Firefox 50. The release notes provide additional information.
If you use Google search (and really, who doesn’t?), you’ve probably noticed the big warnings that appear when you try to click on some search results. That’s Google Safe Browsing (GSB), protecting you from a malicious web site.
GSB flags sites that fail to comply with Google’s Malware, Unwanted Software, Phishing, and Social Engineering Policies.
To get rid of the warning, the owner of a site flagged by GSB must remove objectionable content and resubmit the site for verification in Google Search Console. Until recently, this process could be repeated indefinitely.
To counter repeat offenders, Google has changed the way GSB works. If a web site repeatedly fails to comply with Google’s Safe Browsing policies, it will be flagged as such, and the warning users see will appear for at least 30 days.
In the announcement for this change, Google points out that the new repeat offender policy will not apply to sites that have been hacked (i.e. changed without the owner’s permission).
Starting in 2009, Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) provided Windows users with an additional layer of security. It was designed to block specific, known types of vulnerabilities. EMET proved particularly useful for people running older versions of Windows, especially XP.
I’ve been recommending EMET since it was first available, and it’s still a useful addition to any Windows system, but I’ve also been running into an increasing number of EMET-related problems, and finally stopped using it on my main Windows 8.1 computer recently.
Microsoft originally intended to stop supporting the Enhanced Mitigation Experience Toolkit (EMET) in January 2017, but based on customer feedback, EMET’s demise will now take place on July 31, 2018.
In the recent EMET end-of-life announcement, Microsoft admits to EMET’s failings, and points out that much of the protection provided by EMET is now built into Windows 10. Of course, that doesn’t help those of us who are avoiding Windows 10 because of privacy and control issues.
Update 2016Nov22: According to CERT (a division of the Software Engineering Institute at Carnegie Mellon University), Microsoft’s claims for Windows 10 are not entirely accurate. While it’s fair to say that Windows 10 includes the system-wide protections provided by EMET, it does not provide per-application settings. In other words, Windows 10 security can be improved by also running EMET. This makes the retirement of EMET by Microsoft seem rather premature.
Chrome 54.0.2840.99 fixes about ten bugs, including four related to security. If you use Chrome, make sure it’s up to date: click the ‘three vertical dots’ menu button at the top right, then click Help > About to check. This will also trigger an update if it hasn’t happened already.
The full change log has additional details.
A new version of Opera fixes a few minor bugs and includes an upgrade to the Chromium browser engine. No new security fixes are included, so there’s no rush to install it.
boot13