Chrome 56.0.2924.76

Chrome version 56.0.2924.76 includes fixes for fifty-one security vulnerabilities. But wait, that’s not all. If you want to see what happens when your web browser loads a really big web page, navigate to the change log for Chrome 56.0.2924.76. It’s a behemoth, documenting over ten thousand separate changes.

One change in particular deserves mention: starting with this version, Chrome will show ‘Secure’ at the left end of the address bar if a site is encrypted. When Chrome navigates to a web page that isn’t encrypted, but does include a password prompt, it will show ‘Not Secure’ in the address bar.

Chrome seems to update itself reliably, soon after a new version is released. Still, given the number of security fixes in this release, it’s not a bad idea to check.

Opera 42.0.2393.351 and 42.0.2393.517

Opera 42.0.2393.351 fixes a handful of bugs, several related to the 64-bit version of the browser. See the change log for details.

Opera 42.0.2393.517 fixes four more issues, some of which first appeared in 42.0.2393.351. See the change log for details.

None of the changes in either new version seem to be related to security. Opera will usually update itself shortly after a new version becomes available.

Review: Heimdal Security Software

I’m always on the lookout for tools that simplify the task of keeping software up to date. I recently installed Heimdal Security Free on my Windows 8.1 PC, and took a close look at its software patching feature.

Note: the paid version of Heimdal Security includes network traffic-based malware detection. That feature appears in the free version, but it’s disabled.

The Good

The software basically does what it says. By default, it automatically checks for out of date software, and silently installs updates where needed. The software it checks includes the vulnerability-prone Flash and Java, as well as all the major browsers. It’s fast, relatively unobtrusive, and has a polished, professional user interface.

The patching system can be customized: you can tell it to only check for updates, but NOT install them automatically, and you can disable checking for anything in its software list, which currently includes forty-one items.

The Bad

  • If you disable the auto-update feature, there’s no obvious way to install new versions.
  • The ‘Recommended Software’ tab has Install buttons, which at first looks useful. But closer inspection reveals that this list only shows software that isn’t currently installed. In fact, it lists some software I’ve never even heard of, much less installed.
  • Heimdal detects software that is available in both 32- and 64-bit versions. But if you have the 32-bit version installed, the ‘Recommended Software’ tab will list the 64-bit version. And vice-versa. This is not useful.
  • There’s no obvious way to tell Heimdal to perform a re-scan. I eventually realized that disabling the feature and re-enabling it does that, but a ‘Scan’ button would be a real improvement.
  • The software list cuts off some important information: the software version number is often truncated, making definite confirmation of version changes difficult. And there’s no way to resize the column, or the dialog. Update: I discovered that the missing information can be revealed by hovering the mouse over a truncated field.
  • Heimdal shows some software as needing an update when in fact that software is up to date. For example, it continues to report an available update for 7-Zip 16.04: to version 16.04.0. It looks like Heimdal fails to match versions when there are extra zeros.
  • There’s no way to shut down Heimdal once it’s installed. There’s an icon in the notification area, but it doesn’t even have a right-click menu. Your only option is to uninstall Heimdal completely.
  • When Heimdal installs something from the ‘Recommended Software’ tab, it configures itself to automatically update that software. An option to override this behaviour would be helpful.

It’s possible that some of these issues would not present themselves if I configured Heimdal to install updates automatically, but I prefer to have more control over software installation.

Conclusion

Despite its flaws, Heimdal may prove useful to some users. But I can’t recommend it.

Update 2017JFeb01: Heimdal responded to my review, addressing my concerns:

For the moment, Heimdal does not have the option to install updates manually. We wanted to make software updates fast, secure and hassle-free for Heimdal users and adding a manual option would be the opposite of that.

My response: that’s just silly. Make it an option, but default to automatic. Most users would never even see the option. It wouldn’t make anything slower, or less secure, or increase hassle. And all the necessary functionality is already in place.

We called it “recommended software” because it not installed on the system. These are apps you can install with one click, should you want to do it. If not, they don’t impede you in any way.

My response: Understood, but it’s kind of misleading, especially since in some cases they are recommending 32 bit versions of software already installed in 64 bit form.

Indeed, this is something we will work on improving, so we can match software versions to the type of system they’re recommended for.

The scan button is in Heimdal’s home screen, when you hover over the big white button with the green checkmark. We will try to make this more obvious in future versions.

My response: on the Overview tab, there’s a big white icon that’s either a checkmark (if everything is up to date) or an exclamation mark (if it isn’t). Nothing appears when you hover the mouse over this icon, and there’s no indication that clicking it will do anything. But it does work, so it would be nice to have this properly labeled.

Making windows resizable is not something customary to security applications (it would create an unnecessary burden on the system), but we will try to rearrange the elements so that they provide a clearer view in future updates.

My response: Making windows resizable is in fact standard for all Windows applications, and those that don’t allow this are probably not following Windows development guidelines. Further, the notion that adding this functionality would somehow place a ‘burden on the system’ is simply absurd. But the indicated fixes will be welcome in the absence of resize-ability.

Heimdal shows some software as needing an update when in fact that software is up to date.

I think that our support team can help you with that. If you can, send them an email at support@heimdalsecurity.com and they’ll be right on it!

My response: Done. After some back and forth, Heimdal support reproduced one of the problems on their end (7-Zip version detection), and is working on a fix.

We will add a right-click menu in the coming versions. There is no option to shut down Heimdal, because security software usually does not have this feature. If it had it, malware could easily switch it off and infect the system.

My response: if malware is present on a computer, it can kill a process as easily as it can stop a program from its system menu. I want to be able to run the update feature on-demand, and there’s simply no way to do that sensibly unless the program can be closed.

Firefox 51 fixes 24 security issues

The latest version of Firefox addresses at least twenty-four security vulnerabilities and changes the way non-encrypted sites appear in the address bar.

As usual, there’s nothing like a proper announcement for Firefox 51. What we get from Mozilla instead is a blog post that discusses some new features in Firefox, and mentions the new version number almost accidentally in the third paragraph. Once again, CERT does a better job of announcing the new version than Mozilla.

Starting with version 51, Firefox will flag sites that are not secured with HTTPS if they prompt for user passwords. Secure sites will show a green lock at the left end of the address bar as before, but sites that are not secure will show a grey lock with a red line through it. Previously, non-encrypted sites showed no lock icon at all. The idea is to draw the user’s attention to the fact that they are browsing without the security of encryption, which is risky when sensitive information (passwords, credit card numbers) is entered by the user.