Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.

All posts by jrivett

Java, Security

Another Java vulnerability revealed

September 26, 2012 jrivett 2 Comments

As if things weren’t bad enough for Java on the web, security researcher Adam Gowdiak of Security Explorations yesterday announced yet another critical security flaw.

The new flaw apparently affects all versions of Java, including the most recent updates of Java 5, 6 and 7.

How does this affect users? Nothing has really changed: users are strongly urged to disable Java in their web browsers, since web sites are the most likely vector for attacks based on Java vulnerabilities. If that isn’t possible or practical for you, then your best course of action is to be extremely cautious when deciding whether to click any kind of link, in email or anywhere else. Simply visiting a web site can be enough to infect your computer.

Oracle has not responded to this latest report, and they have yet to respond to the previous Java vulnerability reports.

Chrome, Google, Patches and updates

Another new version of Google Chrome

September 26, 2012 jrivett Leave a comment

Google’s been busily fixing security holes and adding interesting new features to its web browser.

The latest version of Chrome is 22.0.1229.79, and it includes fixes for at least forty-two vulnerabilities, as well as some enhancements specific to Windows 8, and a new ability for Javascript called ‘Pointer Lock‘.

Adobe, Flash, Patches and updates

New version of Flash

September 21, 2012 jrivett Leave a comment

Version 11.4.402.278 of Flash for Internet Explorer and other major Windows web browsers was released on September 18 with little or no fanfare. No release notes are yet available, so it’s unclear what changes were made in the new version. Additional information will be posted here as it becomes available.

About Flash Player.

Google, Internet Explorer, Microsoft, Windows XP

Google Apps dropping support for Internet Explorer 8

September 21, 2012 jrivett Leave a comment

Google recently announced that it will be dropping support for version 8 and earlier of Internet Explorer in Google Apps.

The change will occur shortly after the release of Internet Explorer 10, on November 15, 2012.

Internet Explorer 8 is the most recent version of the web browser that runs on Windows XP, so anyone who uses Internet Explorer on Windows XP to access Google Apps will need to switch to a different web browser, or upgrade to Windows 7 or 8 after November 15.

Internet Explorer, Microsoft, Security, Windows

Active attacks targeting Internet Explorer

September 18, 2012 jrivett Leave a comment

Update 2012Sep22: As promised by Microsoft, patches for Internet Explorer versions 9 and earlier were made available yesterday. The patches are available through regular update channels, including Windows Update and Microsoft Update. Security Bulletin MS12-063 has all the details, including links for downloading the updates separately.

Update 2012Sep21: A fix for this issue, promised earlier this week by Microsoft, was announced yesterday. Anyone using Internet Explorer for web browsing is strongly encouraged to install the fix immediately. A proper (i.e. fully tested) patch will be available from Microsoft later today.

Update 2012Sep19: Another bulletin from Microsoft promises an ‘out of cycle’ fix for this issue in the next few days. Meanwhile, the list of sites known to contain the exploit code is growing.

Update 2012Sep18: Microsoft has issued a security bulletin that goes into some detail about this issue and suggests workarounds. Apparently you can install the ‘Enhanced Mitigation Experience Toolkit’, or configure Internet Explorer to either prompt before running ActiveX scripts or prevent them from running altogether.

A newly-discovered vulnerability in most versions of Internet Explorer is being exploited in current, ongoing attacks.

Anyone using IE 6, 7, 8 or 9 on Windows XP, Vista or 7 is potentially at risk. To become infected, a user need only visit a web site that contains the exploit code. Typically, trojan malware is then installed silently on the user’s computer. The computer is then open to further attacks as well as remote control by the perpetrators.

Internet Explorer 10 is not affected.

The exploit code may be placed on a web site without the knowledge of the site owner, if the site is not secure.

This vulnerability and the associated attacks are serious enough to warrant extreme caution when using Internet Explorer. Some experts are recommending discontinuing the use of Internet Explorer until a fix becomes available.

Microsoft has issued a bulletin that provides additional details.

Firefox, Patches and updates, Security

Firefox 15.0.1 released

September 12, 2012 jrivett Leave a comment

Another new version of Firefox was made available on September 7. Firefox 15.0.1 corrects some serious security issues in the recently-released version 15.0. The most important fix affects anyone using ‘Private Browsing’ mode.

The release notes list all of the changes.

Malware, Security

Latest ‘Ouch’ newsletter: what to do when you’ve been hacked

September 12, 2012 jrivett Leave a comment

The SANS ‘Ouch’ newsletter is an excellent computer security resource, written for regular users.

The latest ‘Ouch’ (PDF file) helps to determine whether you’ve been hacked, and if you have, what to do about it.

Microsoft, Patches and updates

Patch Tuesday for September 2012

September 11, 2012 jrivett Leave a comment

It’s a light month for Microsoft patches. Many users won’t be affected at all by the two updates announced by Microsoft for release today, since those updates are for Windows development and server software.

Malware, Security

New PushDo trojan variants currently active

September 11, 2012 jrivett Leave a comment

The PushDo trojan has been around for a while, but recent variants are making it more difficult for security researchers.

PushDo infects vulnerable computers when users visit an infected web site (drive-by download). Once installed on a computer, PushDo sends out phishing email purporting to be from banking institutions, tricking other users into clicking links within the email and infecting their computers with other malware.

What makes the new versions of PushDo different is that they hide communication with the botnet’s controlling servers amongst a flurry of traffic to other, unrelated servers. This makes the process of finding the controlling servers much more difficult and time-consuming.

Adobe, Flash, Internet Explorer, Microsoft, Patches and updates, Security, Windows 8.x

Windows 8 Internet Explorer shipping with vulnerable Flash

September 7, 2012 jrivett Leave a comment

Update 2012Sep22: A Security Advisory published yesterday by Microsoft announced the availability of a patch for Flash in Internet Explorer 10. A related post on the Microsoft Security Response Center blog explains how security updates for Flash in Internet Explorer will be handled in the future. Anyone using Internet Explorer 10 or Windows 8 should install the Flash update as soon as possible.

Update 2012Sep11: Given the negative reaction to Microsoft’s previous announcement that recent Flash vulnerabilities would not be fixed in Internet Explorer 10 until after Windows 8 is released, today’s announcement is perhaps not much of a surprise. Microsoft is now saying that the Flash holes in IE10 will be plugged much sooner than originally announced. However, there will still be an easily-exploited delay between the launch of Windows 8 and the point at which all Windows 8 systems are patched.

Recently, Google switched to an integrated version of Flash in the Chrome web browser. They did this to simplify the update process: Chrome users no longer have to worry about keeping their browser’s Flash plugin up to date.

Microsoft has apparently done something similar with Internet Explorer 10, which is included with Windows 8. Unfortunately, the recent Flash vulnerabilities were not addressed in Internet Explorer 10 when Windows 8 was finalized recently. Which means Windows 8 has at least two very serious security holes in its integrated web browser, out of the box.

Microsoft says that the Flash vulnerabilities in Windows 8’s IE10 will be fixed during the regular patch cycle, but it’s not known exactly when the updates will appear.

Nefarious hackers are no doubt preparing for a surge of new Windows 8 systems to appear on the Internet, all with these rather large holes, ready to exploit.

If you are using Windows 8 or plan to start using it soon, your options are:

Stop using Internet Explorer. This isn’t really a viable option, since the browser is integrated into the O/S.
Disable Flash in Internet Explorer 10, assuming this is even possible.
Avoid all Flash content while using Internet Explorer 10. This is increasingly difficult to accomplish, given the prevalence of Flash content on the web.

boot13