Vivaldi 1.8

The latest version of Vivaldi sports a reworked browsing history interface, better control over audio, and several bug fixes. The release announcement lists all the changes. None of them appear to be related to security.

Vivaldi 1.8’s new history interface is a real improvement over what’s available in other browsers. Anyone who spends a lot of time reviewing their browsing history will appreciate the new calendar view.

Despite the improvements, I’d rather the Vivaldi development team spend their time fixing issues with the user interface. The sidebar bookmark editor is still weirdly difficult to use, and it’s also now apparently impossible to remove. There are still inconsistencies in the way links and bookmarks are handled, and the browser still lacks options that would allow complete control over whether links and bookmarks open in new tabs.

Update 2017Apr05: the full version number is 1.8.770.50.

It’s probably a good idea to stop using LastPass right now

Password management tools are generally a good thing. Most of us have so many passwords now that remembering them all is difficult. While it’s tempting to use one or two passwords everywhere, this is generally viewed as a bad idea. Same goes for short or easy-to-guess passwords: bad idea.

I recommend using password management software that runs natively, on your computer. I personally use Password Corral, and have used Bruce Schneier’s Password Safe. Both store your password data on your computer, not on someone else’s computer (aka ‘the cloud’). Both are relatively basic in terms of functionality: they allow you to store all of your passwords securely; password data is encrypted and protected by a master password. They can also generate new, random passwords.
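The two things a local password manager has to get right are described above: the vault is protected by a master password, and new passwords are generated randomly. As an added illustration (this is example code, not code from Password Corral or Password Safe), the block below shows the building blocks a local vault uses for the master-password side: stretching the password into a key with PBKDF2-HMAC-SHA256 over a random salt, storing only a verifier so the master password itself never touches disk, checking it in constant time, and generating passwords from a cryptographically secure source. The iteration count and the verifier label are my assumptions; encrypting the individual entries with the derived key (an AEAD such as AES-GCM from a vetted library) is deliberately left out, since the standard library ships no such cipher.

```python
"""Building blocks of a locally stored password vault (added example)."""
import hashlib
import hmac
import math
import secrets
import string
from typing import Optional

PBKDF2_ITERATIONS = 600_000      # assumption: a deliberately slow work factor
KEY_LEN = 32                     # 256-bit derived key
VERIFIER_LABEL = b"vault-verifier-v1"   # assumption: fixed label for the verifier

# 26 + 26 + 10 + 32 = 94 symbols
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into a fixed-length key.

    The slow derivation is what makes offline guessing against a stolen vault
    file expensive; the per-vault salt stops precomputed tables from helping.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt,
        PBKDF2_ITERATIONS, dklen=KEY_LEN,
    )


def new_vault_header(master_password: str) -> dict:
    """Produce what a fresh vault would persist about its master password.

    Only a random salt and an HMAC verifier are stored; the password and the
    derived key are not written anywhere.
    """
    salt = secrets.token_bytes(16)
    key = derive_key(master_password, salt)
    verifier = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return {"salt": salt, "verifier": verifier}


def unlock(header: dict, master_password: str) -> Optional[bytes]:
    """Return the derived key if the master password is correct, else None.

    compare_digest runs in constant time, so a wrong guess does not leak how
    many leading bytes of the verifier matched.
    """
    key = derive_key(master_password, header["salt"])
    candidate = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    if hmac.compare_digest(candidate, header["verifier"]):
        return key
    return None


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Generate a random password using the `secrets` CSPRNG (never `random`).

    Every character class present in the alphabet is guaranteed to appear at
    least once, which some sites insist on.
    """
    if length < 4:
        raise ValueError("length must be at least 4")
    classes = [
        cls for cls in (string.ascii_lowercase, string.ascii_uppercase,
                        string.digits, string.punctuation)
        if any(c in alphabet for c in cls)
    ]
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes):
            return pw


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Guessing entropy of a uniformly random password of this length."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    header = new_vault_header("correct horse battery staple")   # constructed sample
    assert unlock(header, "correct horse battery staple") is not None
    assert unlock(header, "wrong password") is None
    pw = generate_password(20)
    print(f"generated {len(pw)}-character password with "
          f"{entropy_bits(20):.1f} bits of entropy")
```

The verifier is what lets the program tell a wrong master password from a corrupted vault without ever storing anything that can be reversed into the password; an attacker who copies the vault file still has to pay the full PBKDF2 cost per guess.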

There are plenty of other password management solutions out there. Some of the most popular ones, like LastPass, provide more features and are easier to use, but there’s typically a cost. For instance, it would definitely be convenient if I could access my passwords from any computer. But if that means my password data is stored on the cloud somewhere, well, no thanks. The same goes for browser extensions that enter passwords automatically.

Which brings us to yesterday, when a Google Project Zero security researcher reported a serious vulnerability in the LastPass browser extension. With the extension enabled in your browser, a malicious web site could steal all of your passwords from the LastPass data files. Yikes. But wait, there’s more! If you’re also running the main LastPass software on your computer, a malicious web site could execute arbitrary code on your computer.

LastPass issued a response to this report, confirming the problem. Their advice to users is vague, but that’s actually a good thing: if they said too much, it could provide clues about the vulnerability to malicious hackers. But the message is clear: if you have to use LastPass, disable the LastPass browser plugin:

Use the LastPass Vault as a launch pad – Launch sites directly from the LastPass vault. This is the safest way to access your credentials and sites until this vulnerability is resolved.

Interestingly, of the three recommendations provided, two are standard advice for anyone who uses the web: enable and use Two-Factor Authentication for sites and services that offer it; and be wary of phishing attempts.

Firefox 52.0.2

There’s another new Firefox release: 52.0.2. The new version fixes a few minor bugs, none related to security.

Firefox should update itself automatically to the new version, but there’s no particular urgency about this update, unless you’re affected by one of the bugs it fixes. See the release notes for details.

As usual, there was no announcement from Mozilla about Firefox 52.0.2. I learned about this one when Firefox offered to update itself.

Windows 10 cumulative updates hopelessly botched

Recently I noticed that my Windows 10 test PC wasn’t staying logged in. Every morning, despite not having logged out the day before, I was seeing the login screen. A bit of poking around in the Windows 10 settings showed that Windows was trying to install update KB4013429, rebooting to complete the install, failing to complete the install, and rolling back the changes. Rinse and repeat daily, since March 14.

Searching online, I immediately found other people experiencing this problem. No official solution from Microsoft, but plenty from other users, including what turned out to be the only thing that worked for many: a total reinstall of Windows 10.

One user pointed to an interesting tool, available in the TechNet Script Center, called Reset Windows Update Agent. (Note: this script was created and submitted by a non-Microsoft contributor, not by Microsoft.) Since I wasn’t getting anywhere looking for an official solution, I tried the tool’s main feature, which does indeed reset all things Windows Update. After rebooting, Windows successfully installed a few updates, then started to install ‘Cumulative Update for Windows 10 Version 1607 (KB4015438)’, which Microsoft issued on March 20 to address problems with KB4013429. But that update also failed to install, and now we’re back in our daily loop.

I considered contacting Microsoft about this, but then I remembered my previous encounters with Microsoft support, shuddered, and thought better of it. After all, Microsoft already knows my PC is having trouble installing this update, because of all the telemetry in Windows 10, right? If anything, they should be contacting me with a solution. Yeah, right. Like that would ever happen.

I really don’t want Microsoft to be in a position to make my life miserable, especially now that they can do that remotely, without my explicit consent, and usually without my knowledge. At a time when Microsoft should be showing us just how much they’ve learned about managing Windows updates, they seem to be getting worse.

I sympathize with anyone who tries to do anything productive with Windows 10. I only use it for testing and media playback, but even so, this is the end of the line for my relationship with Windows 10. I’ll be installing Linux Mint MATE next.

Update 2017Apr30: I decided to call Microsoft after all. I figured it was only fair to give them one last chance. The call was relatively painless; I was only on hold for a few minutes. The tier one support person I spoke with identified himself as such and was happy to escalate my problem to the next support tier once it became clear he couldn’t help. We arranged a callback from tier two support, which happened yesterday. Both support people I spoke with started by asking if they could start a remote session to the affected computer, which I declined in both cases. I understand being able to control a computer remotely makes support much easier, but I’m just not comfortable with the idea. The tier two guy confirmed that Microsoft knows about this problem and is working on it. He also confirmed that lots of people are reporting the same problem. Unfortunately, the only fix he could provide was to hide the troublesome update, so that it stops trying to install every day. The ability to hide updates exists in the classic Windows Update, but that feature was removed from Windows 10, so a special download was required. The Microsoft support article “How to temporarily prevent a driver update from reinstalling in Windows 10” includes a link to a tool called the Show or hide updates troubleshooter package. I downloaded and ran the tool, and it listed a few pending updates, including the most recent failing cumulative update. I hid that update, and so far so good: the computer no longer tries to install the update daily. According to the tier two support guy, when Microsoft finds a fix, they’ll include it with a subsequent cumulative update, and all will be well with the world. But in the meantime, my Windows 10 PC isn’t getting security updates. So it’s not much of a solution. Linux, here we come.

Windows Vista to be put out of its misery on April 11

I’m sure there are a few people out there still using Vista. It may even have a few fans, and maybe they’re sad about Vista’s impending trip to the back of the woodshed. But they’re crazy: Vista was a terrible O/S.

CERT’s announcement of Vista’s coming demise.

After April 11, Vista will no longer receive any updates from Microsoft, including security updates. Beyond that point, no Vista computer should be allowed to connect to the Internet.

Firefox 52.0.1

A single security fix is apparently the sole reason Mozilla released Firefox 52.0.1 on March 17. There was no announcement from Mozilla, but as usual, CERT picked up the slack with their own announcement. The release notes for 52.0.1 point to a related security advisory.

Firefox will offer to update itself over the next few days, but you can usually trigger an update by navigating to its About dialog (hamburger menu icon > question mark icon > About Firefox).

Patch Tuesday updates from Microsoft and Adobe

It looks like Microsoft fixed the technical issues that led to February’s updates being postponed until March. Today they announced eighteen updates that address security issues in Windows, Internet Explorer, Edge, Office, and Silverlight, as well as in Windows Server software, including Exchange.

Critical vulnerabilities for which updates were expected in February finally get fixes today. These include an SMB flaw in Windows (CVE-2017-0016) and two others disclosed by Google’s Project Zero: one affecting the Windows GDI library (CVE-2017-0038) and one affecting Internet Explorer and Edge (CVE-2017-0037).

A total of one hundred and forty vulnerabilities are addressed by today’s updates from Microsoft. That’s higher than usual, but of course this is two months’ worth of updates.

Adobe’s contribution to the patching fun this month is new versions of Flash and Shockwave. Flash 25.0.0.127 includes fixes for seven vulnerabilities in earlier versions, while Shockwave 12.2.8.198 resolves a single security issue in versions 12.2.7.197 and earlier.

Chrome will update itself with the new version of Flash in the next day or so, but you can usually trigger the update process by navigating to its About page. Flash updates for Internet Explorer and Edge are included in this month’s updates from Microsoft.

If you’re still using a web browser with a Flash plugin, you should make sure it’s up to date as soon as possible.

Update 2017Mar17: Ars Technica points out — quite rightly — that Microsoft still owes us all an explanation for why the February updates were cancelled. My favourite quote from the Ars article: “when marketers drive communications concerning a reported zero-day exploit, customers lose.” I’d argue that when marketing folk are the only ones talking about technical issues of any kind, we should all be very worried.