A new version of WordPress includes fixes for eight serious security issues and at least sixty-two other bugs.
Most WordPress sites will update themselves automatically, but site operators should check to make sure, as some sites will be slower to update than others.
The release notes for WordPress 4.7.1 provide additional details.
By now you should be aware that indiscriminately clicking on anything in an email can be dangerous. Even if you know the sender, and the email looks totally mundane, you’re taking a risk any time you do it.
Recently, a particular kind of phishing email is showing up in inboxes everywhere. These emails look completely ordinary at first glance, and they contain what appears to be an attachment.
When you click the ‘attachment’ to open it, your browser is directed to a phony Google login screen. This in itself may not raise any alarms, since Google — in an effort to improve security — often throws extra login screens at us.
Unfortunately, if you fill in your Google username/email and password, that information goes straight to the perpetrators. Almost immediately after that, your password will be changed and you will have lost control of your Google account. If you’re like most people, you use your Google account for numerous Google sites and services, including Google Drive, Analytics, AdWords, and so on. The potential for damage is extreme.
The goods news is that you can avoid being victimized by this attack by doing something you should already be doing: before you click anything in an email, hover your mouse over the link or ‘attachment’. Most useful web browsers and email applications will show you some information about the item, either in a popup or in the status area at the bottom of the app. What you see should provide all the clues you need. If it’s an attachment, it should show you the file name. If it’s a URL, it should show you an ordinary web address that starts with ‘http://’ or ‘https://’.
Hovering over the fake attachment in these phishing emails shows what looks sort of like a URL, but starts with ‘data:text/html’. No valid URL will ever look like that.
This blogger wasn’t careful. He clicked the ‘attachment’, then entered his Google username and password on the fake login page. Luckily for him, the ‘login’ failed, which alerted him to the situation. He immediately changed his Google password, and appears to have dodged that bullet.
Another Patch Tuesday rolls around, bringing updates for Internet Explorer, Edge, Windows, and Office from Microsoft, and new versions of Flash and Reader from Adobe.
According to the Microsoft’s January 2017 bulletin summary,
“There are no security fixes or quality improvements for Windows 8.1 … on Update Tuesday for January 2017. As such, there is no Security Only Quality Update or Security Monthly Quality Rollup release for [Windows 8.1] this month.”
And in fact there are only four bulletins (with associated updates), addressing vulnerabilities in Windows, Edge, Office, and the Flash player built into Edge and Internet Explorer 11. Not including Flash, these updates address three security vulnerabilities.
Adobe’s contributions this month start with Flash 24.0.0.194, which addresses thirteen vulnerabilities in previous versions, adds some new features that are not particularly interesting, and improves support for high resolution displays in Firefox on Windows: Flash content will now scale properly in that context. As usual, Flash updates for Edge and Internet Explorer are handled by Microsoft, and Google Chrome will update itself automatically.
New versions of Adobe Reader address twenty-nine vulnerabilities. Reader XI is up to version 11.0.19, while its confusingly-named sister products Acrobat Reader DC (Continuous) and Acrobat Reader DC (Classic) are at versions 15.023.20053 and 15.006.30279, respectively.
So it’s an enjoyably light month. Visit Windows Update, update Adobe Reader, and if you use a web browser with Flash enabled, make sure to update that as well.
If you used Windows in the 90’s, you probably remember the Browser War between Microsoft’s Internet Explorer and Netscape’s Navigator. That war culminated in an antitrust case against Microsoft, in which the plaintiff (the USA) claimed that Microsoft’s bundling of IE with Windows was anti-competitive.
Regardless of whether you believe Microsoft acted fairly, Internet Explorer’s market share increased steadily during the period from 1995 to 2001, getting close to 100% at its high water mark. Microsoft never charged anything for its browser, but controlling the window through which most of the world viewed the web clearly provided a huge advantage to the company.
Now, all that ‘hard won’ market share is being given away by Microsoft, mostly to Google’s Chrome. Internet Explorer’s share plummeted from 40% to 20% in 2016, and there’s no bottom in sight.
Microsoft has abandoned Internet Explorer, switching its browser development efforts to Edge, which only runs in Windows 10. Only the most recent versions of IE are still supported, and only on Windows 7, 8.1, and 10. And that support is limited to fixing security issues and other bugs. You won’t see any more new features in IE.
Clearly, Microsoft thought everyone would upgrade to Windows 10, especially given the free upgrade offer, and the company’s aggressive upgrade tactics. But that appears to have backfired; Windows 10’s growth has been less than stellar, and even though Edge is arguably a better browser than IE, Windows 10 users are mostly choosing other browsers.
Microsoft may soon own as little as 5% of the total browser market, thanks to Edge’s lackluster uptake. Edge started 2016 with a market share of about 4%, and ended it with about 5%.
I think this qualifies as a major strategic blunder on the part of Microsoft.
Numbers are courtesy of NetMarketShare.
There are good reasons to be anonymous online. And yet most people assume that anonymity is just a license to be a jerk. The fact is that some people will be jerks online whether they’re anonymous or not.
Sadly, some less-well-informed people have decided that anonymity is somehow the root of all evil on the net, and think that forcing people to use their real names online will magically make everyone nice. This kind of thinking has even pervaded some very high profile companies, including Google and Facebook, both of which have pushed hard to make people use their real names.
Anonymity is a frequent topic of discussion over at Techdirt, where the comments section is open to the public and allows anonymity. Because the Techdirt staff actually engage with commenters (jerks and otherwise), the debate rarely gets out of hand, and some of the most interesting comments are posted by anonymous users.
In a recent Windows Weekly podcast, Microsoft’s Chief Marketing Officer Chris Capossela didn’t quite apologize for the company’s heavy-handed efforts to get people to upgrade to Windows 10.
Capossela did say that Microsoft heard the criticism, and tried to find the ‘right balance’, but he only seems to actually regret one particularly nasty ploy, in which closing an upgrade dialog caused the upgrade to start for many users.
Of course the Windows 10 push is long over, and the bad feelings it generated have started to fade. Unfortunately, even with the bad publicity, I suspect that Microsoft views the operation as a success, which means that they may be tempted to use the same tactics in the future.
A new version of Vivaldi updates the Chromium browser engine and fixes some translation issues.
Opera 42.0.2393.94 fixes a couple of crashing issues, and updates the Chromium browser engine to version 55.0.2883.87. The full change log provides additional details.
This week I once again encountered an old nemesis, the infinite ‘Checking for updates…’ Windows Update screen. Not this again! It happened when I was attempting to install the December 2016 updates on my main Windows 8.1 machine.
I tried the usual troubleshooting steps: rebooting, stopping all non-essential processes, the Windows Update troubleshooter, and so on. Nothing helped.
What makes this problem really annoying is that even when Windows Update is working properly, there are long pauses during which nothing appears to be happening. Even looking deeply into the running processes sometimes shows a complete lack of activity. Since a hung Windows Update often looks exactly like Windows Update actually doing something, all you can do is watch helplessly, in growing frustration, until you finally can’t stand it any more and stop the Windows Update process.
After banging my head against this problem for a while, it occurred to me that since most Windows updates are now available in ‘rollup’ form (i.e. packaged together in one update), I could install the appropriate ones manually, which would at least get my computer up to date, and could conceivably also fix Windows Update.
After a bit of searching I found the July 2016 update rollup for Windows 8.1 and Windows Server 2012 R2. One of the prerequisites for this update is the Servicing stack update for Windows 8.1 and Windows Server 2012 R2: July 12, 2016, but that had already been installed in July, so I proceeded to install the rollup. It only took a few minutes.
After rebooting, I tried Windows Update, and ‘Checking for updates’ took about a minute to find December’s Patch Tuesday updates. Yay! I installed those updates and the computer is now fully patched.
It’s difficult to know for sure why this Windows Update problem happens, but it’s depressingly common, as are the sometimes wacky solutions users have proposed. The rollup solution that worked for me may work for others, but there are no guarantees. It’s Windows, after all.
Anyone who operates a web site based on the Joomla CMS (Content Management System) should drop what they’re doing and update Joomla to the new version, 3.6.5.
Joomla 3.6.5 addresses three security vulnerabilities, adds miscellaneous security hardening and includes three additional bug fixes. The release announcement provides additional details.
boot13