Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.

All posts by jrivett


Firefox, Mozilla, Patches and updates, Security

Firefox 60.0.2

Leave a comment

When first published on June 6, the release notes for Firefox 60.0.2 didn’t mention anything about security, but they’ve since been updated to include a reference to a single vulnerability that is fixed in the new version.

The vulnerability fixed in Firefox 60.0.2 is flagged as having both Critical and High impact by Mozilla, and since there are as yet no details in the official vulnerability database for CVE-2018-6126, it’s difficult to know which is correct.

Regardless, if you use Firefox, you should update it as soon as possible. Depending on how it’s configured, Firefox will usually at least let you know that a new version is available within a few hours after it’s published. If not, you can usually trigger an update by clicking the ‘hamburger’ menu icon at the top right, then selecting Help > About.

Chrome, Google, Patches and updates, Security

Chrome 67.0.3396.79 fixes a single security bug

Leave a comment

The latest version of Chrome includes a fix for a single security vulnerability with High severity.

The change log for Chrome 67.0.3396.79 includes a few dozen changes, but none that Google considered worth highlighting in the release announcement, aside from the single vulnerability.

To check your Chrome version, click the vertical-ellipses icon at the top right of its window, then select Help > About Google Chrome. If an update is available, it will usually start downloading automatically.

Adobe, Flash, Patches and updates, Security

Flash 30.0.0.113 fixes actively-exploited vulnerability

Leave a comment

Adobe logoOn June 7, Adobe released a new version of Flash, which addresses four vulnerabilities in earlier versions. One of those vulnerabilities is being exploited right now, mostly by way of Office documents attached to email.

The security bulletin for Flash 30.0.0.113 provides additional details.

If you’re using Flash, and in particular if you use a web browser in which Flash is enabled, you should update Flash as soon as possible. On Windows systems, you can do that by going to the Windows Control Panel, then clicking the Flash component. In the Flash Player Settings Manager, go to the Updates tab and click Check Now. That will take you to the official About Flash page, where you can check whether Flash is currently installed, see which version is installed, and download the latest version. Depending on your browser configuration, you may have to click the small gray rectangle to the right of the introductory text, then confirm that you want to allow Flash content to play.

As usual, browsers with embedded Flash (Edge, Chrome, Internet Explorer) will get the new version via their own update mechanisms.

Hardware, Internet crime, Malware, Security

What you need to know about VPNFilter

Leave a comment

Update 2018Jun11: According to the latest report from security researchers at Talos, the list of routers affected by VPNFilter is now much larger. The malware’s capabilities are now better understood, and include the ability to intercept and modify network traffic passing through affected devices. To see the updated list of devices known to be affected by VPNFilter, scroll to the bottom of this page and look for the heading Known Affected Devices. Bruce Schneier weighs in.

Over the last week or so, you’ve probably noticed several stories about some malware called VPNFilter. For most people — and for a number of reasons — VPNFilter doesn’t pose a significant risk. But it’s a good idea to make sure. Here’s what you need to know:

  • VPNFilter is designed to infect SOHO (Small Office / Home Office, aka consumer-grade) network routers and Network Attached Storage (NAS) devices. It appears to have been active since 2016, and is known to have infected hundreds of thousands of devices worldwide.
  • Only a few specific router models are known to be vulnerable to VPNFilter, but there may be more. The list of vulnerable devices includes several models from Linksys, Mikrotik, Netgear, QNAP, and TP-Link. If you know (or can find) the make and model of your router, check to see whether it’s on the list.
  • On May 23, the US Justice Department announced that they had effectively neutered VPNFilter by taking over one of its command and control domains. But VPNFilter remains on many infected devices, as do the vulnerabilities that allowed infection in the first place.
  • The FBI is asking everyone on Earth who manages or is responsible for any consumer-grade router, to restart it. This will remove the second stage of a VPNFilter infection from a router. It may seem like overkill, but until we have a complete list of vulnerable devices, it’s a risk-free way to disrupt VPNFilter’s activities.
  • If you think your device has been infected — perhaps because it’s on the list of known affected devices — the only way to fully remove the infection is to reset the device to its factory settings. This sounds simple but can actually be problematic. Resetting a router can cause connected devices to lose access to the Internet, and things gets worse from there. If you want to attempt this, you should first log into your device’s web interface and document all important settings, because you’ll need to reconfigure the device after it’s been reset. Disconnect the device from the Internet before resetting it, because its administration password will be reset to a known default. Change that password as soon as possible after the reset.
  • If you manage your own router or NAS device, it’s critically important to configure it sensibly. That means changing its default password, and disabling any features that allow for remote (i.e. from the Internet) administration.
Chrome, Google, Patches and updates, Security

Chrome 67.0.3396.62: security fixes

Leave a comment

Yesterday’s release of Google Chrome brings its current version number to 67.0.3396.62. The new version is mostly about security fixes: there are thirty-four in all, none of which are flagged with Critical severity.

The change log for Chrome 67.0.3396.62 is a monster, listing 10855 changes in all. Don’t try viewing that page with an older computer or browser.

Google hasn’t seen fit to highlight any of the changes in Chrome 67.0.3396.62 in the release announcement, other than mentioning that Site Isolation may or may not be enabled. Site Isolation is a new security feature that’s being rolled out in stages.

As usual, the new Chrome version “will roll out over the coming days/weeks.” If that’s too vague for you (it is for me), an update can usually be triggered by navigating Chrome’s menu (the vertical ellipses icon at the top right) to Help > About Google Chrome.

Google, Hardware, Microsoft, Security, Things that are bad

More CPU flaws discovered

Leave a comment

Microsoft and Google just announced a new CPU speculative execution flaw that’s similar to Spectre and Meltdown: Speculative Store Bypass.

As with Spectre and Meltdown, almost all CPU chips made in the last ten years are affected by this issue.

The Verge: Google and Microsoft disclose new CPU flaw, and the fix can slow machines down.

Bruce Schneier thinks there are more speculative execution flaws coming. And he’s probably right.

Spectre update

Intel has decided not to produce Spectre microcode updates for some of the oldest of their affected CPUs, leaving most Core 2 chips without any hope of a Spectre fix. As for first generation CPUs, some will get updates, and some will not. Microcode updates for all CPUs from generation 2 through generation 8 have already been released.

Not sure whether your computer is affected by Spectre? If you’re running Windows, Gibson Research’s free InSpectre tool will tell you what you need to know. Looking for a Spectre BIOS update for your computer? PCWorld’s guide is a good starting point.

Intel has produced new microcode for most Spectre-affected CPUs, but some manufacturers have yet to provide corresponding BIOS updates for all affected motherboards. They may have decided not to bother developing updates for older motherboards. That’s a potential problem for millions of computers running older CPUs that are new enough to be vulnerable to Spectre. If the manufacturer hasn’t released a BIOS update with Spectre fixes for your motherboard, consider contacting them to find out when that’s going to happen.

Update 2018May24: I contacted Asus about a particular desktop PC I happen to own, and was told that “details on whether or not there will be a Spectre BIOS update for the <model> is [sic] currently not available.” That doesn’t sound very encouraging. It feels like they’re waiting to see how many complaints they get before committing resources to developing patches.

Adobe, Patches and updates, Security

Acrobat Reader security update

Leave a comment

Adobe logoForty-seven security vulnerabilities in Acrobat Reader — many of them flagged as Critical — prompted Adobe to release a fixed version on May 14.

Acrobat Reader comes in a few different flavours, but the one targeted at regular users is Acrobat Reader DC, which is also sometimes refererred to as Acrobat Reader DC (Continuous Track). See the post Adobe Acrobat Reader updates from 2018Feb16 for more information about Acrobat/Reader variants.

Acrobat Reader DC version 2018.011.20040 contains fixes for all forty-seven vulnerabilities documented on the associated security bulletin.

You can install the latest Reader by visiting the Get Acrobat Reader page on Adobe’s web site. Don’t forget to disable any checkboxes for installing optional software. When I installed Acrobat Reader DC 2018.011.20040 from that page earlier, there were three such options, all enabled by default:

  • Install the Acrobat Reader Chrome Extension
  • … install the free McAfee Security Scan Plus utility …
  • … install McAfee Safe Connect …

Unless you know for sure you want to use those products, it’s best to avoid them.

Chrome, Google, Patches and updates, Security

Chrome 66.0.3359.170

Leave a comment

The latest version of Chrome fixes four security bugs. The Chrome 66.0.3359.170 release notes and change log have additional details.

Check your version of Chrome by clicking that three-dot (vertical ellipses?) icon at the top right, and selecting Help > About Google Chrome from the menu.

Of course, while keeping Chrome up to date is a good way to protect yourself from browser-based malware, you should also be careful when using extensions. Even Google-approved extensions obtained from the Chrome Web Store may contain malware. Recently, as many as 100,000 computers running Chrome were infected with malware hidden in seven different extensions from the Chrome Web Store.

Firefox, Mozilla, Patches and updates, Security

Firefox 60

Leave a comment

Mozilla is making things easier for IT folks with Firefox 60. A new policy engine allows Firefox to be deployed with custom configurations appropriate for business and education environments. This seems likely to increase Firefox’s presense on enterprise desktops.

The New Tab (aka Firefox Home) page gets a bit of an overhaul in Firefox 60, with a responsive layout that should work better with wide screens, saved Pocket pages in the Highlights section, and more reordering options.

The Cookies and Site Data section of Firefox’s Preferences page is now a lot easier to understand: the amount of disk space involved is shown, as are the implications of each option.

Twenty-six security vulnerabilities are fixed in Firefox 60.

Adobe, Chrome, Edge, Flash, Internet Explorer, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for May 2018

Leave a comment

Spring has sprung, and with it, a load of updates from Microsoft and Adobe.

This month from Microsoft: sixty-seven updates, fixing sixty-nine security vulnerabilities in Windows, Internet Explorer, Office, Edge, .NET, Flash, and various development tools. Seventeen of the vulnerabilities addressed are flagged as Critical and can lead to remote code execution.

The details are as usual buried in Microsoft’s Security Update Guide. You may find it easier to examine that information in spreadsheet form, which you can obtain by clicking little Download link partway down the page on the right. Just above that there’s a link to the release notes for this month’s updates, but don’t expect much useful information there.

Update 2018May11: If you were looking for something to motivate your patching endeavours, consider this: two of the vulnerabilities addressed in this month’s updates are being actively exploited on the web.

Adobe logoAs you might have guessed from Microsoft’s Flash updates, Adobe released a new version of Flash today. Flash 29.0.0.171 addresses a single critical vulnerability in previous versions. You can find release notes for Flash 29 on the Adobe web site.

You can get Flash from Windows Update if you run a Microsoft browser, via Chrome’s internal updater, or from the official Flash download page. If you use the Flash download page, make sure to disable any optional installs, as they are generally not useful.