Google’s efforts to make the web a safer place include the recent addition of a
Not Secure indicator in Chrome’s address bar for sites that are not using HTTPS encryption.
Up to this point, that indicator only appears when a web page includes boxes for entering passwords or credit card information. In the near future, Chrome will expand the conditions in which sites are flagged as
Not Secure. In October, Chrome 62 will start flagging as
Not Secure any unencrypted web page that includes any data entry boxes, and all unencrypted pages accessed while Chrome is in Incognito mode. Eventually, Chrome will flag all unencrypted pages as
If you use Chrome, you’ve probably noticed that it also flags encrypted sites as
Secure. This is misleading, since all it means is that the site is using HTTPS encryption. It doesn’t imply that the site is safe to use, only that it is using an encrypted connection. A site flagged as
Secure can still be dangerous to visit, for example if it contains malware. Wordfence’s Mark Maunder recently wrote about the danger of assuming Chrome’s
Secure flag means ‘safe’.
Vivaldi’s selection of search engine choices has a new member: Ecosia, which bills itself as “the search engine that plants trees with its ad revenue.” Sadly, it appears that Ecosia is very easy to manipulate, since searching for a nonsense word will show at least two ads trying to sell it to you.
Vivaldi 1.9 also fixes a few bugs, including several related to security. The release announcement provides additional details.
WordPress is the current king of Content Management Systems, but there are others, including Joomla. Web sites built on popular CMS software are enticing targets for malicious hackers, because the people who manage such sites often lack the skills to keep them secure. Keeping a CMS-based site secure mainly involves keeping the CMS software up to date.
Joomla 3.7 — released yesterday — includes over 700 improvements, eight of which are related to security. Several of the security vulnerabilities addressed affect versions of Joomla going back to 1.5 and 2.5.
Joomla 1.0 through 2.5 are no longer supported. If you’re running a site that uses those older versions of Joomla, you should upgrade to 3.7 as soon as possible, as the site is otherwise likely to be hacked.
If you run a Joomla 3.x site, you should update it to 3.7 as soon as possible. If your site currently runs Joomla 3.6.x, it’s a single click update, so there’s no excuse not to do it.
Opera’s developers were quick to respond to the recent discovery that many of the major web browsers (including Firefox and Chrome) allow site addresses to be obfuscated using special Unicode characters. Opera 44.0.2510.1449 now shows any Unicode characters in the address bar using the corresponding two digit hexadecimal code, rather than the character itself. The obfuscation technique was being used in phishing schemes.
Opera 44.0.2510.1449 also includes fixes for a few more minor issues. The change log has all the details.
A new maintenance release of the popular Content Management System (CMS) software WordPress includes fixes for forty-seven issues. None of the fixes are related to security, but since this is a minor update, most WordPress sites will automatically update themselves. The release notes for WordPress 4.7.4 list all the changes.
A major change to the internal workings of Firefox should result in faster web page rendering on most Windows computers. Unfortunately, that doesn’t include Windows XP: starting with version 53.0, Firefox no longer supports XP or Vista.
Firefox 53.0 also fixes at least twenty-nine security issues, so it’s a good idea to update it as soon as possible. Firefox can be rather sluggish about updating itself, but you can usually trigger an update by clicking the menu icon at the top right (three horizontal lines), then the little question mark icon, then
Also in the new release are some improvements to Firefox’s user interface, including two new ‘compact’ themes that free up some screen space. Site permission prompts are now somewhat easier to understand and more difficult to miss. Tab titles that are too long to fit in a tab now fade out at the end instead of being cut off and replaced by ellipses, which makes more of the truncated title visible.
The change log for Chrome 58.0.3029.81 is ten thousand items long, so you might want to think twice before clicking that link. It’s probably safe to say that there are no new features or major changes in the new version, since nothing of the kind is mentioned in the release announcement. This is an important update, though. That’s because it includes fixes for twenty-nine security flaws.
Chrome seems to update itself on most computers within a day or so of a new release, but you can usually trigger an update by opening the browser’s menu (the three-vertical-dots icon at the top right) and navigating to
About Google Chrome.
Earlier this week Oracle posted its quarterly Critical Patch Advisory for April 2017. Most of the Oracle software affected by these updates is likely only of interest to system administrators and developers, but buried in the advisory is a list of eight security vulnerabilities in Java 8 Update 121. Although it’s not mentioned in the advisory, those Java vulnerabilities are addressed in a new version of Java: 8 Update 131.
Anyone who uses a web browser with a Java plugin enabled should install Java 8 Update 131 as soon as possible. These days, Firefox, Chrome, and other Chrome-similar browsers like Vivaldi don’t support Java at all, so that leaves Internet Explorer. You can check whether Java is enabled in Internet Explorer by pointing IE to the official Java version test page.
Even if you don’t use a browser with Java enabled, you may have a version of Java installed on your computer, in which case you should consider updating it. You can find out whether Java is installed by looking for the Java applet in the Windows Control Panel. If it’s there, Java is installed; go to the
Update tab and click
Update now to install the new version.
Oracle sued by the FTC
If you visit the main Java page, you may notice a large all-caps message at the very top of the page: IMPORTANT INFORMATION REGARDING THE SECURITY OF JAVA SE. The message links to a page that discusses an ongoing lawsuit:
The Federal Trade Commission, the nation’s consumer protection agency, has sued us for making allegedly deceptive security claims about Java SE. To settle the lawsuit, we agreed to contact you with instructions on how to protect the personal information on your computer by deleting older versions of Java SE from your computer.
This is a good reminder that Java installers tend to leave old versions and related junk on Windows computers, and that you should always check for and remove old versions of Java after you install a new version. Visit the Java uninstall page and the Java uninstall help page to get started.
Microsoft’s relentless push to get everyone using Windows 10 is creating problems for the software giant. At least one class action lawsuit is underway in Illinois, where annoyed users claim that Microsoft owes more than $5 million in damages related to Windows 10 upgrades, both wanted and unwanted.
Meanwhile, Windows is no longer the most popular way to access the Internet. As recently as 2012, up to 90% of all Internet access was via Windows, but that number has been dropping steadily in recent years, and it’s now at an all-time low. For the first time ever, another operating system is in first place: the mobile O/S Android. Microsoft has bet heavily on Windows 10 and its universal touch interface, alienating traditional desktop enthusiasts and power users in the process. But if consumers are increasingly choosing Android over Windows 10 for their mobile devices, where does that leave Windows?
Microsoft’s efforts to herd users towards
their advertising platform Windows 10 includes discontinuing support for newer processors on older versions of Windows. While it’s clearly Microsoft’s prerogative to decide which hardware they support, there’s no obvious technical reason for this limitation. In light of Microsoft’s historical support for older systems, this is particularly annoying news for anyone expecting to be able to use Windows 7 or 8.1 with new hardware.
The April 12 publication of a set of exploits by hacking group The Shadow Brokers included several that were widely reported as unpatched zero-day Windows vulnerabilities. It turns out that most of those vulnerabilities were already fixed by March’s Patch Tuesday updates. While this is good news for Windows users, it raises questions about when and how Microsoft learned about the Shadow Brokers exploits, why there was no mention of the source in March’s patch release notes, and whether this has anything to do with the rescheduling of February’s Patch Tuesday updates. Update: TechDirt’s analysis.
Microsoft has finally provided some details regarding Windows 10’s telemetry: the data Windows 10 collects and sends back to the Redmond mothership.
A recent post on the Windows blog (Windows 10 privacy journey continues: more transparency and controls for you) highlights three changes related to Windows 10 privacy:
- With the April 11 Creators Update, Windows 10 itself will provide more useful and detailed information about privacy settings, both during initial setup and in the Settings app.
- The privacy statement for Windows 10 has been updated.
- Most importantly, you can now see exactly what data is being collected from your computer and sent to Microsoft.
Telemetry data revealed
The information Windows 10 collects at the Basic privacy/telemetry/diagnostic level is listed in great detail on a new page on the Technet site: Windows 10, version 1703 basic level Windows diagnostic events and fields. The information is moderately technical, and may not be of much use to regular users, but it’s worth skimming if you have any concerns about Windows 10 telemetry.
There’s a similar new Technet page that describes, in somewhat more general terms, the data collected at the Full privacy/telemetry/diagnostic level: Windows 10, version 1703 Diagnostic Data.
Now someone just needs to review all that information, looking for red flags. Any volunteers?
Ars Technica: Microsoft opens up on Windows telemetry, tells us most of what data it collects
The Verge: Microsoft finally reveals what data Windows 10 really collects