Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.

All posts by jrivett


No more updates for Windows XP – what now?

RIP Windows XP. At least from Microsoft’s point of view. In fact, use of the O/S continues, and will probably do so for years.

First, let’s get one thing out of the way: it’s not a good idea to keep running Windows XP. If your XP computer is never connected to the Internet, then you have much less to worry about, but continuing to use XP on a computer that is connected to the Internet is risky. Especially if you’re also still using Internet Explorer, in which case you will almost certainly end up with malware of some kind in the very near future.

Anyone who can’t or won’t upgrade from Windows XP should take certain precautions. Check out the Windows XP page on this site for some useful tips.

If you want to do the responsible thing and move away from Windows XP, what are your choices? The best option at this point is Windows 7. You can still buy Windows 7, but Microsoft says that they will stop selling it in February 2015. I’ll be updating the Windows 7 resources on this site to provide XP -> 7 migration tips in the near future.

Other possibilities – for the more adventurous – include Linux and Chrome OS. Linux comes in many flavours, but one in particular is designed to make Windows user feel at home: Zorin OS (free). Chromium OS from Google was designed to be used with its inexpensive and simple ChromeBook computers, but it can be installed on regular PC hardware. It’s free, but probably only useful for users with basic requirements. It runs on top of Linux.

There are loads of articles on the web about the ‘XPocalypse’ – as it’s come to be known. Ars Technica has this: ‘The XPocalypse is upon us: Windows XP support has ended‘.

Windows 8.1 Update 1 now available

The first update for Windows 8.1 is available for downloading from Windows Update. As previously discussed, this update consists mostly of changes to the user interface that should make keyboard/mouse (non-touch) users more comfortable with the O/S. There’s still no actual Start menu, although Microsoft is planning to return that much-missed feature in a future update.

Of particular note is the fact that this update is necessary for access to future updates, starting in May 2014.

Update 2014Apr09: Apparently Microsoft has pulled Windows 8.1 Update 1 from its servers, saying that the update is causing problems with the update system itself, in some cases preventing updated systems from checking for future updates.

Extremely critical security bug affects most of the Internet

A bug in the OpenSSL cryptography software running on most of the world’s servers has opened a window into random server data that was never meant to be exposed.

This newly-discovered vulnerability – now known as ‘Heartbleed’ – has apparently existed for at least two years. It’s unclear whether the bug was known to (and used by) nefarious persons to gather supposedly secure information during that time.

Patches for affected operating systems and other software that uses OpenSSL were made available almost immediately after the bug was discovered by researchers. Anyone running a Linux server is strongly advised to update the OpenSSL library ASAP.

Services that use OpenSSL to provide security are separately assessing the risk to their customers and issuing their own advisories and recommendations. For instance, Yahoo Mail is known to be vulnerable. Mojang, makers of the popular game Minecraft, advise all players to change their passwords. Ars Technica is also advising all its users to change their passwords.

This bug is so important that it has its own web page, which provides an overview of the issue and makes general recommendations.

Update 2014Apr10: The LastPass web site has some helpful information about major sites that have been affected by Heartbleed and recommends changing your passwords for those sites. They also provide a site check that allows you to determine whether a particular site was affected by Heartbleed.

Flash Player 13 released

Yesterday, Adobe announced a new version of Flash, 13.0.0.182. The new version includes fixes for several security vulnerabilities (including one of the two found at Pwn2Own), as well as numerous other bug fixes and enhancements. There are also some new features, but these are mostly of interest to developers. The official release notes page has all the details.

As usual, the integrated versions of Flash in Internet Explorer 10 and 11 will be updated via Windows Update, and Chrome’s integrated Flash will be updated automatically by the browser itself.

Patch Tuesday for April 2014

It’s a very special Patch Tuesday: the last one for Windows XP and Office 2003. Security vulnerabilities in those products that appear after today will not be publicly patched by Microsoft. Also losing support today is the much-despised Internet Explorer version 6.

There are four bulletins and corresponding updates this month. Two are flagged as Critical. The updates address eleven security vulnerabilities (CVEs) in Office (including Office 2003), Windows (including Windows XP), and Internet Explorer (including IE 6).

As expected, one of the updates addresses the recently-discovered vulnerability in Word’s handling of RTF documents.

The MSRC blog has a good overview of this month’s updates.

British and Dutch governments paying for Windows XP updates after April 8

It’s long been understood that Microsoft would continue to produce updates for Windows XP after support officially ends on April 8, 2014 – for anyone willing to pay. What hasn’t been known for certain is whether anyone would actually pay.

Now, as reported by Ars Technica, the British and Dutch governments have apparently decided to delay upgrading thousands of Windows XP computers, and have contracted with Microsoft to continue supporting Windows XP.

This raises some interesting possibilities. It seems likely that at least one person who works in the British government will find a way to leak new Windows XP security updates to the rest of the world. Microsoft may have measures in place to prevent this, but people are inventive, and would probably find workarounds. Then again, would you trust a supposedly-official update that you obtained from a shady download site? One can imagine Microsoft relenting, and making the updates available to everyone, just to stop the spread of tainted updates.

Another possible scenario is that a flood of hacks, attacks and malware, all based on previously unknown Windows XP vulnerabilities, have such a huge impact on the Internet, that again Microsoft relents and makes updates available to everyone.

If Microsoft does give in and continue making updates available for everyone, what does that mean for the British and Dutch governments? Will they demand refunds from Microsoft? Each has apparently paid many millions of dollars for the updates, so it would be completely reasonable to want it back if the updates became available for free.

This is going to get interesting…

Update 2014Apr15: Add the US Internal Revenue Service to the list of organizations paying Microsoft for Windows XP support and patches.

Update 2014Apr21: Apparently Microsoft just reduced the price tag for Windows XP patches. Presumably they looked at the current Windows XP usage numbers and decided it’s less important to gouge corporate clients than it is to make sure Windows XP systems are patched.

Advance notification for April 2014 Patch Tuesday

Next Tuesday is much more significant than the usual Patch Tuesday, because this crop of updates will be the last one for both Windows XP and Office 2003.

After April 8, most of the IT-enlightened world will be holding its collective breath, waiting for a likely deluge of hacks, attacks and malware based on vulnerabilities in Windows XP and Office 2003.

According to the official advance warning bulletin from Microsoft, this month’s updates will include patches for Office, Windows and Internet Explorer. Two of the patches are flagged as Critical.

One of the patches addresses the recently-discovered vulnerability in Word’s handling of RTF documents.

As usual, there’s a somewhat less technical overview of the upcoming updates on the MSRC blog.

The SANS InfoSec Handlers Diary blog has its own take on the upcoming updates.

SANS Ouch! newsletter: Yes, you are a target

This month’s Ouch! newsletter (PDF) from SANS should dispel any thoughts you may have regarding your digital safety.

In the networked world, if your device is connected, it is potentially vulnerable. Staying safe is largely a matter of vigilance: keep your software patched, use strong, unique passwords, and avoid opening suspicious email or browsing shady web sites.

The Ouch! newsletter is aimed at general users, so IT professionals may not learn much from reading it.