Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.

All posts by jrivett


Opera 50 released

Opera, the alternative web browser from Norway, adds several new features in version 50, which was released earlier in January.

Perhaps the most interesting new feature detects and blocks covert cryptocurrency mining, a new threat that sneakily uses your computer’s resources to make money for the perpetrators.

Other changes in this release include:

  • Chromecast support
  • VR Player enhancements, including Oculus Rift support
  • new: save web pages as PDF files
  • improvements to the tab context menu
  • currency and unit converter improvements
  • better crash protection
  • enhancements to the built-in VPN service

You can peruse the Opera 50 change log for additional details. Keep in mind that the log shows all changes to Opera 50 from its origin as a developer release in September 2017, through its beta stages, to its official release in early 2018.

Patch Tuesday for January 2018

This month’s pile of Microsoft patches includes some that help to mitigate the recently-discovered Spectre and Meltdown vulnerabilities in Windows 7 and 8. Windows 10 machines received these updates last week, as soon as they were made available by Microsoft, because of course there’s no way to stop that from happening. Unfortunately for folks running some older AMD processors, the Spectre/Meltdown updates are causing Windows to crash, and Microsoft has now disabled those updates for affected computers.

It gets worse. Many antivirus products use sketchy techniques for blocking, detecting, and removing malware. Some of those activities are incompatible with this month’s Spectre/Meltdown updates for Windows. Microsoft is currently blocking those updates on computers that are missing a special registry setting: the idea is that anti-malware software will set this flag to indicate that the updates are compatible, and safe to install. On my Windows 8.1 computer, Windows Update initially did not show this month’s security-only (KB4056898) or security rollup (KB4056895) updates. That’s because (gasp) I wasn’t running any anti-malware software. To get the update, I re-enabled Windows Defender, which created the missing registry entry, and re-ran Windows Update.

There’s also a special security advisory in this month’s updates, in which Microsoft lays out the Spectre/Meltdown issue, its effect on Microsoft software, and ways to mitigate the associated vulnerabilities.

Back to our regularly-scheduled Patch Tuesday…

The January 2018 update announcement as usual contains zero useful information, serving only as a pointer to the Security Update Guide. Analysis of this month’s guide data shows that there are seventy-two updates, addressing fifty-six vulnerabilities in .NET, Internet Explorer, Edge, Office, Windows, Flash Player, SharePoint, and SQL Server.

Firefox 57.0.4: security fixes for Spectre and Meltdown

The full scope of the recently-discovered Spectre and Meltdown vulnerabilities is still being determined. It may be that hardware or firmware changes will be necessary to truly remove the danger. However, it’s still possible that operating system and application updates can mitigate the risk sufficiently for most purposes.

Once Microsoft demonstrated that the new timing-based attacks could be used in JavaScript code on a malicious web page to read data from other web sites, the folks at Mozilla decided to make that more difficult to accomplish in Firefox. Since the vulnerabilities are timing-dependent, Mozilla reduced the accuracy of several time sources within Firefox that could be used in Spectre- and Meltdown-based exploits.

The result is Firefox 57.0.4, released on January 4. It’s difficult to know just how helpful these changes will be, but if you use Firefox, you should install this update.
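Why reducing a clock's accuracy blunts timing measurements, as an added example that is not Mozilla's code and not part of the original post: it models a clock rounded down to a fixed step and counts how often two operations of different length still produce different readings. The step sizes, the 50 ns and 250 ns durations, and all function names are assumptions chosen for illustration.

```javascript
// Added example (not Mozilla's code). Times are integer nanoseconds.
const FINE_STEP_NS = 1;        // assumed: an unrestricted high-resolution clock
const COARSE_STEP_NS = 20000;  // assumed: a clock rounded to 20 microseconds

// Round a timestamp down to a multiple of the clock's step.
function coarsen(tNs, stepNs) {
  return Math.floor(tNs / stepNs) * stepNs;
}

// Duration of an operation as read through a clock with the given step.
function observedDuration(startNs, trueDurationNs, stepNs) {
  return coarsen(startNs + trueDurationNs, stepNs) - coarsen(startNs, stepNs);
}

// Fraction of start times at which two operations with different true
// durations produce different readings on a clock with the given step.
function distinguishRate(fastNs, slowNs, stepNs, phases = 20000) {
  let differ = 0;
  for (let start = 0; start < phases; start++) {
    const a = observedDuration(start, fastNs, stepNs);
    const b = observedDuration(start, slowNs, stepNs);
    if (a !== b) differ++;
  }
  return differ / phases;
}

// Smallest non-zero increment seen over repeated reads of clock(): a way to
// check what resolution a clock really delivers, e.g. after a browser update
// by passing () => performance.now() (milliseconds) in a page or console.
function measureStep(clock, reads = 100000) {
  let smallest = Infinity;
  let prev = clock();
  for (let i = 0; i < reads; i++) {
    const now = clock();
    if (now > prev) {
      smallest = Math.min(smallest, now - prev);
      prev = now;
    }
  }
  return smallest;
}

// Constructed durations: 50 ns and 250 ns stand in for a fast and a slow operation.
const fineRate = distinguishRate(50, 250, FINE_STEP_NS);     // 1
const coarseRate = distinguishRate(50, 250, COARSE_STEP_NS); // 0.01
console.log({ fineRate, coarseRate });
```

With the coarse step, the two readings differ only when a step boundary happens to fall between the two end times, so a single measurement almost never separates the fast case from the slow one.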

Major slowdowns headed for almost all computers

Major patches are coming, for most operating systems and devices running modern (made in the last 10 years or so) processors. Changes to Windows, Linux, macOS, and most other systems will modify the way memory is used, ameliorating critical CPU security flaws, and slowing those systems down significantly in the process.

There’s been a lot of secrecy around this issue, with details of the flaws — discovered several months ago — only now coming to light as O/S vendors scramble to prepare patches. The flaws (commonly referred to as Spectre and Meltdown) involve potential leaking of information, as described in a recent post on The Register:

At best, the vulnerability could be leveraged by malware and hackers to more easily exploit other security bugs.

At worst, the hole could be abused by programs and logged-in users to read the contents of the kernel’s memory. Suffice to say, this is not great. The kernel’s memory space is hidden from user processes and programs because it may contain all sorts of secrets, such as passwords, login keys, files cached from disk, and so on.

Much of this is still speculation, but the reality may be even worse, so hang onto your socks, since this is going to get ugly. It’s easy to imagine class action lawsuits arising out of the mess.

Those of you running light operating systems on older hardware may have the last laugh: while many of the world’s computers will soon be noticeably — and unavoidably — slower, yours will keep chugging along unaffected… at least until they’re used to access any of the millions of computers that power web sites and services. Major providers may have no choice but to install the updates, significantly reducing the processing power of their systems.

For computers running Windows 10, system updates are literally unavoidable, and the slowdown inevitable. The rest of us will need to decide whether to risk leaving the vulnerabilities exposed, or patch them and deal with the resulting performance hit. Exploiting the vulnerabilities is not straightforward, and it should be possible to stay safe by avoiding risky behaviour, such as indiscriminately running unknown software, visiting dubious web sites, and opening links in email. However, the full extent of the risks involved is not yet known.

Related articles

The Verge: Intel’s processors have a security bug and the fix could slow down PCs
The Verge: Microsoft issues emergency Windows update for processor security bugs
The Verge: Intel says processor bug isn’t unique to its chips and performance issues are ‘workload-dependent’
The Verge: Processor flaw exposes 20 years of devices to new attack
The Verge: How to protect your PC against the major ‘Meltdown’ CPU security flaw
Google Security Blog: Today’s CPU vulnerability: what you need to know
Bruce Schneier: Spectre and Meltdown Attacks
SANS InfoSec: Spectre and Meltdown: What You Need to Know Right Now
Techdirt: A Major Security Vulnerability Has Plagued ‘Nearly All’ Intel CPUs For Years

Update 2018Jan04: Corrected title and content to show that the problem affects all modern processors, not just those made by Intel, and that there are multiple vulnerabilities. Also added more related articles.

Vivaldi 1.13.1008.40

The latest version of Vivaldi includes some security fixes from a newer version of the Chromium browser engine, so this is an important update.

Other changes in Vivaldi 1.13.1008.40 are almost all regression fixes, meaning that they are fixes for things that were previously fixed but broke again in recent updates. The frequency of these regression issues in Vivaldi is troubling, as it seems to indicate some sloppiness in the development process.

The announcement for Vivaldi 1.13.1008.40 makes no mention of the new version number, and fails to link to anything like a change log. It’s unclear whether these omissions were intentional, or just mistakes.

Chrome 63.0.3239.108

Two security vulnerabilities, one of which has a High risk rating, are addressed in Chrome 63.0.3239.108. The log lists a few additional changes, none of which are particularly interesting.

There’s no easy way to disable automatic updates in Chrome. Generally, if there’s an update available, it will find its way to your computer within a few days via Google’s Update Service.

You can usually trigger an update by navigating to the About Chrome page (Chrome menu > Help > About Google Chrome).

Opera 49.0.2725.56

Opera just updated itself on my main computer, and now I’m running version 49.0.2725.47, which Opera itself says is the latest version. Which is odd, because the change log for Opera 49 shows the most recent set of changes is for version 49.0.2725.56.

Version confusion aside, the changes listed for Opera 49.0.2725.56 appear to be minor bug fixes. Which is weird, because the new version announcement mainly talks about improvements to Opera’s built-in VPN (Virtual Private Network) feature. The updated VPN service is apparently faster and better; it’s also now hosted on Opera’s own servers instead of SurfEasy’s.

If you use Opera’s built-in VPN, version 49.0.2725.56 may be worth exploring. Otherwise it’s unlikely to be of much interest.

Vivaldi 1.13.1008.36

Vivaldi’s new version announcements seem to be getting worse. Version 1.13.1008.36 was released a few days ago as another ‘Minor update to Vivaldi 1.13’, but details are scant: the new version number is never actually mentioned, and there’s no reference to any release notes.

The announcement does at least provide a brief list of the new version’s changes, which consist of a few bug fixes and an update to the Chromium engine that includes security fixes.

Given that there are security fixes in this release, Vivaldi users should probably upgrade as soon as possible. You can do that by clicking the browser’s ‘V’ menu at the top left, then Help > Check for Updates.

Mirai botnet update

It wasn’t Russia, or China, or any other nation-state. The motive wasn’t political. The IoT-based Mirai botnet was created by three young American men as a tool for crippling Minecraft servers and related services.

Of course, once Mirai’s authors realized the unprecedented power of their creation, they started using it for other things: as a tool for gaining customers for an anti-DDoS service; to kick Brian Krebs’ web site off the Internet as revenge for outing the authors of vDOS; and later as a lucrative click fraud engine.

Last week, in a courtroom in Alaska, Mirai’s creators all pleaded guilty to charges related to Mirai, including conspiracy to violate the Computer Fraud and Abuse Act (CFAA). FBI agents had tracked the botnet’s activities to the trio.

While I’m happy that these assholes have been caught, and are likely to spend significant time behind bars, Mirai is a sobering reminder of the fragility of the Internet. The earliest version of the Internet was ARPANET, which was literally designed to withstand nuclear attack. But even nukes can’t compare with the power of smart, young people with plenty of spare time. Not long after the Internet was born, a college student named Robert Morris brought the nascent network to its knees with a simple software worm.

Meanwhile, because the Mirai authors shared the botnet’s source code (in a futile attempt to confuse investigators), Mirai clones are popping up regularly, and doing a lot of damage.

Still, it’s encouraging to see that the FBI and other agencies are getting better at tracking the perpetrators of these malicious schemes. Other recent arrests include the person behind an attack on Deutsche Telekom that used a Mirai variant; and the operator of the Kelihos botnet. Hopefully these arrests will provide a sufficient deterrent for those similarly inclined.