Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.

All posts by jrivett


Java, Security

More holes in Java, denial from Oracle/Sun

Leave a comment

A few days ago, Adam Gowdiak of Security Explorations discovered vulnerabilities in the most recent version of Java, 7u15.

Oracle’s response was to deny that the problem existed. So Adam got to work, testing Java 7u15 in more detail, and checking his results against the published Java documentation. He was able to confirm that his original report was legitimate, and he also found five more new vulnerabilities along the way. All of this information has been passed on to Oracle. Will they believe him this time? I’m betting yes.

Java, Security

More holes discovered in current Java

Leave a comment

The hits just keep on coming for Java. As fast as Oracle/Sun plugs (or tries, but fails to plug) one hole, another is discovered by independent security researchers.

This time, it’s the security research team at FireEye that have found vulnerabilities in the latest Java, version 7u15, as well as the most recent 6-series version (6u41).

Making matters worse, the new vulnerability is being actively exploited in the wild: a remote access trojan is being installed on affected computers.

In other words, even if you have the latest version of Java, you can be hit by this exploit. As always, if you don’t actually need Java enabled in your browser, disable it. If that’s not an option, be extremely wary of browsing web sites that you don’t know for sure are safe.

Ars Technica has additional details.

Adobe, Chrome, Flash, Google

Google Chrome, Flash, and ‘component updater’

Leave a comment

A few days ago, I posed a series of questions about Flash in Chrome. Since then, I’ve done some digging, and I’m now able to answer most of those questions.

  1. Q: What is the ‘component updater’?
    A: It’s a process used by Chrome to silently and automatically update certain specific components of the browser. The new, integrated Flash component falls into that category, so Flash in Chrome is updated automatically and without any notification to the user. When new versions of Chrome are released, Google may or may not refer to Flash updates in the release notes.
  2. Q: How does the component updater affect the version number of Chrome in Windows?
    A: It doesn’t. Component updates are distinct from new versions of the browser itself. You can, however, find the versions of Chrome’s components by browsing to special addresses in Chrome, as follows:

    • chrome://plugins/ – lists all plugins, along with their versions, including the integrated Flash.
    • chrome://flash/ – shows details of the integrated Flash component, including its version.
    • chrome://version/ – shows a version summary for Chrome and its major components, including the integrated Flash.
  3. Q: Has Flash been updated in my version of Chrome or not?
    A: You can’t depend on Google to announce new versions of the integrated Flash, regardless of whether the new version is packaged along with a new version of Chrome, or updated separately via the component updater. Use one of the special URLs listed above to check the version you’re using.
  4. Q: How can I determine what version of Flash is running in Chrome?
    A: Use one of the special URLs listed above.
  5. Q: What is “Windows Standalone Enterprise”?
    A: This remains a mystery. The Chrome release channels page doesn’t mention it. Perhaps it’s only available to enterprise (corporate) clients. Or possibly the Chrome announcement that referred to this channel was in error. In any case, you can’t really depend on Google’s announcements to mention new Flash versions; use one of the specials URLs above, along with Flash announcements from Adobe, to determine what version of Flash you have, and what version you need.
Adobe, Flash, Google, Microsoft, Patches and updates, Security

More security updates for Adobe Flash

Leave a comment

On February 26, Adobe announced version 11.6.602.171 of the Flash player. As usual, Adobe says: “These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.” The technical details are available in Adobe Security Bulletin APSB13-08.

Microsoft simultaneously announced a Flash update for Internet Explorer 10 on Windows 8, which will be delivered via Windows Update.

Google will no doubt release a new version of Chrome that includes the Flash updates in the next day or so.

Anyone who uses Flash in their web browser should install the appropriate update as soon as possible. That includes anyone who uses Youtube. So basically just about everyone.

Internet Explorer, Microsoft, Windows 7

Internet Explorer 10 for Windows 7 now available

Leave a comment

If you’re interested in using Internet Explorer 10 on Windows 7, head over to this Microsoft Downloads page.

Windows 7 users with autoupdate enabled will be upgraded to IE10 in the coming weeks. Currently, the new version doesn’t appear in Windows Update, but that will also change in the near future.

IE10 is much the same as IE9, but includes Javascript performance improvements, integrated spell-checking/correcting and better adherence to web standards like CSS3.

Java, Security

Vulnerabilities in latest Java

1 Comment

Oh no, not again! Adam Gowdiak of the Security Explorations research team has been hard at work, looking for holes in the latest Java (7u15). Here’s a quote from Mr. Gowdiak’s alert email:

We had yet another look into Oracle’s Java SE 7 software that was released by the company on Feb 19, 2013. As a result, we have discovered two new security issues (numbered 54 and 55), which when combined together can be successfully used to gain a complete Java security sandbox bypass in the environment of Java SE 7 Update 15 (1.7.0_15-b03).

Gowdiak has submitted his findings to Java’s developers, but there has been no official confirmation from Oracle/Sun as yet. Still, I’m cautioning Java users – especially those of us who have Java enabled in our web browsers – to exercise extreme caution, and flagging Java 7u15 as possibly vulnerable.

Ars Technica has more details.

Chrome, Google, Java, Patches and updates, Security

Google Chrome 25 released

Leave a comment

Version 25.0.1364.97 of Google’s Chrome web browser was announced yesterday.

The new version includes several security and other bug fixes, as well as some new features for web developers and voice recognition.

No mention of Java is made in the announcement linked above, but presumably the most recent Java security fixes found their way into this Chrome release.

Starting with this version, Chrome extension updates are no longer installed ‘silently’. This is a welcome improvement in security.

Microsoft

Microsoft doesn’t want you to use their software

1 Comment

In yet another move guaranteed to alienate users, Microsoft has decided to make using its new version of Office more difficult and expensive.

Until Office 2013, it’s been possible to transfer the software from one computer to another, and to re-install it on an upgraded computer. Microsoft even allowed people who used Office at work to install and use it on their home computers as well. This sort of realistic flexibility made it a lot easier to justify the rather hefty price tag for Office.

Unfortunately, with Office 2012, one set of Office media will be wedded to one particular computer forever. Non-transferable; one computer only.

As Peter Bright rightly points out in the post linked above, this penalizes a particular segment of computer users: the enthusiast. This includes a lot of the people who write about software and computers, so Microsoft can expect a lot more public backlash against this decision, as well as a general increase in the move away from MS Office toward alternatives like Apache OpenOffice, LibreOffice, NeoOffice, and Google Docs. Any conceivable increase in revenue stemming from this decision will be outweighed by these losses.

It seems clear that Microsoft is hell bent on driving away enthusiast/hobbyist/power users. Windows 8 is another example of Microsoft’s hostility toward power users.

Java, Patches and updates, Security

As expected, more critical Java updates

Leave a comment

Oracle/Sun has released Java version 7, update 15. What happened to update 14? Anyway, the new version includes a batch of security and other bugfixes they wanted to release with the last batch, and which were originally scheduled for release today. Confused yet?

Since the new version is all about fixing the rather horrible Java security vulnerabilities that have been revealed in recent weeks, you should go ahead and install the update, if you use Java. If you don’t use it, pat yourself on the back and count yourself lucky.

If you read the announcement linked above, you’ll notice that once again, determining the version being discussed is left as an exercise for the reader, since the version (7u15) is not mentioned anywhere on the page. There are plenty of references to the versions being replaced, which only adds to the confusion. Annoying.