Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.

All posts by jrivett


More holes in Java’s latest security enhancements

As you’re no doubt well aware, Oracle has been churning out a lot of security updates for Java lately. They’ve also been adding security features, such as the new security settings options. And that’s a good thing.

Except that the security settings don’t actually work the way they’re supposed to. There’s an implicit assumption that ‘trusted’ Java applications – those signed with valid certificates – should be allowed to do whatever they want. That would be fine if certificate status were always reliable, but it isn’t: a new vulnerability discovered by security researchers at Avast causes Java to treat clearly invalid certificates as valid, so code signed with such a certificate gets the same free rein as genuinely trusted code.

So, the usual advice still applies: disable Java in your web browser unless you absolutely need it. If you need it, consider setting aside one browser just for use with Java, and limit your use of that browser.

Is Oracle losing ground in this battle? Sure feels like it.

More improvements to Windows 8’s dumb UI

Even before Windows 8 was released, you could find third-party tools for resurrecting the missing Start menu. New software from Stardock goes even further in eliminating inexplicable Windows 8 behavior.

It’s called ModernMix, and its most notable feature brings back the ability to show applications in multiple windows concurrently. Apparently much of the underlying functionality was there in Windows 8 all along, and ModernMix just makes it possible to access the hidden goodies.

I knew eventually the world would hammer the Windows 8 mess into something usable. Attaboy, Stardock. ModernMix is currently priced at $4.99.

Microsoft relents on tighter Office licensing restrictions

A few days ago, I reported Microsoft’s new policy of limiting Office installs to one computer forever. Apparently Microsoft heard the angry noise coming from the Internet, since they have now relented. You’re now allowed to transfer your Office license to another PC, although only every 90 days (except, apparently, in emergencies). No word on where they pulled that 90 from, but you can guess.

Java 7 update 17 released

And just like that, another new version of Java. Version 7 update 17 (what happened to update 16?) includes fixes for some serious security vulnerabilities, as outlined in the associated security alert.

You’ll forgive me for not trusting Oracle’s word on whether any particular vulnerability has truly been fixed. I’ll defer to Adam Gowdiak and other security researchers for the final judgment. Certainly 7u17 is the latest version of Java, and it presumably fixes some of the holes in 7u15, so anyone using Java – especially in their browser – should install it ASAP. But I’m going to leave Java 7u17 flagged as possibly vulnerable.

New version of Google Chrome

Another new version of Google’s web browser was announced today. Version 25.0.1364.152 includes fixes for several security vulnerabilities.

Since Flash isn’t mentioned in the release notes, presumably the version of Flash included in the new version is still 11.6.602.171. Let’s see… okay, I just updated Chrome to 25.0.1364.152, and the integrated Flash is definitely still 11.6.602.171.

More holes in Java, denial from Oracle/Sun

A few days ago, Adam Gowdiak of Security Explorations discovered vulnerabilities in the most recent version of Java, 7u15.

Oracle’s response was to deny that the problem existed. So Adam got to work, testing Java 7u15 in more detail and checking his results against the published Java documentation. He was able to confirm that his original report was legitimate, and he found five more vulnerabilities along the way. All of this information has been passed on to Oracle. Will they believe him this time? I’m betting yes.

More holes discovered in current Java

The hits just keep on coming for Java. As fast as Oracle/Sun plugs one hole (or tries and fails to plug it), independent security researchers discover another.

This time it’s the security research team at FireEye that has found vulnerabilities in the latest Java, version 7u15, as well as in the most recent 6-series version (6u41).

Making matters worse, the new vulnerability is being actively exploited in the wild: a remote access trojan is being installed on affected computers.

In other words, even if you have the latest version of Java, you can be hit by this exploit. As always, if you don’t actually need Java enabled in your browser, disable it. If that’s not an option, be extremely wary of browsing web sites that you don’t know for sure are safe.

Ars Technica has additional details.

Google Chrome, Flash, and ‘component updater’

A few days ago, I posed a series of questions about Flash in Chrome. Since then, I’ve done some digging, and I’m now able to answer most of those questions.

  1. Q: What is the ‘component updater’?
    A: It’s a process used by Chrome to silently and automatically update certain components of the browser. The new, integrated Flash plugin falls into that category, so Flash in Chrome is updated automatically and without any notification to the user. When new versions of Chrome are released, Google may or may not mention Flash updates in the release notes.
  2. Q: How does the component updater affect the version number of Chrome in Windows?
    A: It doesn’t. Component updates are distinct from new versions of the browser itself. You can, however, find the versions of Chrome’s components by browsing to special addresses in Chrome, as follows:

    • chrome://plugins/ – lists all plugins, along with their versions, including the integrated Flash.
    • chrome://flash/ – shows details of the integrated Flash component, including its version.
    • chrome://version/ – shows a version summary for Chrome and its major components, including the integrated Flash.
  3. Q: Has Flash been updated in my version of Chrome or not?
    A: You can’t depend on Google to announce new versions of the integrated Flash, regardless of whether the new version is packaged along with a new version of Chrome, or updated separately via the component updater. Use one of the special URLs listed above to check the version you’re using.
  4. Q: How can I determine what version of Flash is running in Chrome?
    A: Use one of the special URLs listed above.
  5. Q: What is “Windows Standalone Enterprise”?
    A: This remains a mystery. The Chrome release channels page doesn’t mention it. Perhaps it’s only available to enterprise (corporate) clients, or possibly the Chrome announcement that referred to this channel was in error. In any case, you can’t really depend on Google’s announcements to mention new Flash versions; use one of the special URLs above, along with Flash announcements from Adobe, to determine what version of Flash you have and what version you need.
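Once you have the version string from chrome://flash/ (or, for the Java posts above, the first line of `java -version`), the remaining step is comparing it with the version the vendor says you need, and that is easy to get wrong by comparing strings instead of numbers. The script below is an added example for this page, not code from the original post or from Google, Oracle or Adobe. It parses Flash’s dotted versions and Java’s "1.7.0_17" style, labels Java builds the way Oracle does (7u17), and flags an outdated install. The sample inputs are constructed; the `java -version` line format is the one the JDK prints.

```python
import re

# Constructed sample inputs (not captured from a real machine):
# - Flash version string as reported by chrome://flash/ or chrome://version/
# - the first line of `java -version` output
FLASH_INSTALLED = "11.6.602.171"
FLASH_REQUIRED = "11.6.602.171"      # version announced in Adobe bulletin APSB13-08
JAVA_VERSION_LINE = 'java version "1.7.0_15"'
JAVA_REQUIRED = "1.7.0_17"           # Java 7 update 17

# The JDK prints its version as: java version "1.7.0_17"
_JAVA_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)_(\d+)"')


def parse_dotted(version):
    """'11.6.602.171' -> (11, 6, 602, 171).

    Comparing tuples of ints is the whole point: a plain string comparison
    would rank '11.6.602.99' above '11.6.602.171'.
    """
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError("not a dotted version: %r" % version)
    return tuple(int(p) for p in version.split("."))


def parse_java(line):
    """'java version "1.7.0_17"' -> (1, 7, 0, 17)."""
    m = _JAVA_RE.search(line)
    if not m:
        raise ValueError("unrecognised java -version line: %r" % line)
    return tuple(int(x) for x in m.groups())


def java_label(version):
    """(1, 7, 0, 17) -> '7u17', the way Oracle names updates."""
    return "%du%d" % (version[1], version[3])


def is_outdated(installed, required):
    """True when the installed tuple is older than the required one.

    Missing trailing components count as zero, so (11, 6) == (11, 6, 0, 0).
    """
    width = max(len(installed), len(required))

    def pad(v):
        return v + (0,) * (width - len(v))

    return pad(installed) < pad(required)


def check_flash(installed=FLASH_INSTALLED, required=FLASH_REQUIRED):
    """True if the installed Flash is older than the version Adobe announced."""
    return is_outdated(parse_dotted(installed), parse_dotted(required))


def check_java(version_line=JAVA_VERSION_LINE, required=JAVA_REQUIRED):
    """Returns (outdated?, installed label, required label), e.g. (True, '7u15', '7u17')."""
    installed = parse_java(version_line)
    needed = parse_java('java version "%s"' % required)
    return is_outdated(installed, needed), java_label(installed), java_label(needed)


if __name__ == "__main__":
    print("Flash outdated:", check_flash())
    outdated, have, need = check_java()
    print("Java %s installed, %s required, outdated: %s" % (have, need, outdated))
```

Run it as a script and it reports on the constructed samples; swap in the string you read from chrome://version/ or the first line of `java -version` to check a real machine.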

More security updates for Adobe Flash

On February 26, Adobe announced version 11.6.602.171 of the Flash player. As usual, Adobe says: “These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.” The technical details are available in Adobe Security Bulletin APSB13-08.

Microsoft simultaneously announced a Flash update for Internet Explorer 10 on Windows 8, which will be delivered via Windows Update.

Google will no doubt release a new version of Chrome that includes the Flash updates in the next day or so.

Anyone who uses Flash in their web browser should install the appropriate update as soon as possible. That includes anyone who uses YouTube, so basically just about everyone.