Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.

All posts by jrivett

Adobe, Edge, Flash, Internet Explorer, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for November 2016

November 8, 2016 jrivett Leave a comment

It’s Patch Tuesday, albeit a slightly more interesting one than usual. Patches we have, from both Microsoft and Adobe. More about that later.

Microsoft wants to simplify the way security update information is presented to the public. To that end, they’ve created a new ‘starting page’ of sorts, called the Security Updates Guide. The idea is that anyone should be able to find the information they need by starting here. Most of the links on the new page actually go to existing TechNet pages. It’s definitely worth checking out.

Among the updates from Microsoft this month is a fix for the Windows vulnerability recently reported by Google. You may recall that Microsoft was rather annoyed with Google for making the vulnerability public according to their own rules (sooner than Microsoft wanted). Microsoft did credit Neel Mehta and Billy Leonard of Google’s Threat Analysis Group for their assistance.

There are fourteen bulletins from Microsoft this month. The associated updates address seventy-five vulnerabilities in Windows, Edge, Office, and Internet Explorer.

Adobe’s monthly contribution to the festivities is a new version of Flash, 23.0.0.207. A release announcement provides an overview of the changes, while the associated security bulletin provides some background about the nine vulnerabilities addressed.

Microsoft, Windows 10

Microsoft discovers what the rest of the world already knew

November 6, 2016 jrivett 1 Comment

When Microsoft releases a new version of Windows 10, it’s delivered in the form of a bandwidth-annihilating all-inclusive package. Windows 10 basically downloads a new copy of itself. Most Windows 10 users also don’t have much control over whether and when these massive updates occur.

Earlier this week, Microsoft publicly admitted that this arrangement is perhaps not ideal, and announced upcoming changes that will make the Windows 10 upgrade system less awful. Users will be given slightly more choice for scheduling upgrades, and the updates will only include what’s actually changed in the O/S, making them significantly smaller.

What’s really weird is the way that Microsoft is portraying these changes, as if they’ve discovered something new. Sorry, Microsoft. The rest of the world already knew that limiting update packages to what’s actually changed is a good idea.

Microsoft, Windows 10

Recent stats show Windows 7 growth exceeds Windows 10’s

November 4, 2016 jrivett Leave a comment

Microsoft’s big Windows 10 giveaway is over, and with it, interest in the new operating system. The latest numbers from netmarketshare.com show that growth in the number of Windows 10 devices has slowed to a crawl. Windows 7 growth in the last month or so is actually higher than for Windows 10.

To see the numbers on netmarketshare.com, select Operating Systems > Desktop Share by Version from the drop-down lists under Market Share Reports.

Thanks to Microsoft’s rules, it’s no longer possible to buy a new PC with any version of Windows other than 10. But Windows 7 and 8.1 are still available, so if you don’t mind installing Windows from scratch, you still have options.

Windows 7 will continue to receive support – and security updates – from Microsoft until January 14, 2020. Windows 8 will be supported until January 10, 2023. See the official Windows lifecycle fact sheet for details.

Adobe, Flash, Google, Microsoft, Patches and updates, Security, Windows

Windows zero-day vulnerability won’t be fixed until November 8

November 3, 2016 jrivett 1 Comment

Google’s Threat Analysis Group recently discovered critical flaws in Flash and Windows that could allow an attacker to bypass Windows security mechanisms. Attacks based on these flaws have already been observed in the wild.

The flaw in Flash was fixed immediately by Oracle; hence the out-of-cycle Flash update on October 26. But Microsoft decided to delay the corresponding Windows fix until next Patch Tuesday (November 8), and is now rather annoyed with Google for reporting the vulnerability publicly. Google was following its own rules for vulnerability disclosure, but such rules differ widely between organizations. In any case, Microsoft would have been happier if Google had waited a bit longer before spilling the beans.

Chrome, Google, Patches and updates, Security

Chrome 54.0.2840.87

November 3, 2016 jrivett Leave a comment

According to Google’s announcement, Chrome 54.0.2840.87 fixes at least one security issue. The change log lists forty-seven changes, none of which look particularly interesting or important. Still, this is a security fix, so you should make sure that Chrome has updated itself – if you use it.

Adobe, Chrome, Edge, Flash, Internet Explorer, Patches and updates, Security, Windows

Flash 23.0.0.205

October 28, 2016 jrivett 1 Comment

Normally Adobe releases Flash updates on Patch Tuesday, but when there’s a critical security vulnerability they will release an ‘out of cycle’ fix. That’s what happened with Flash 23.0.0.205, which was released on October 26 to address a single vulnerability: CVE-2016-7855 (details pending).

Anyone who uses Flash in a web browser should update Flash as soon as possible. If you’re not sure whether you’re running the latest Flash, go to the About Flash page on the Adobe web site.

As always, Internet Explorer and Edge will get updates to their embedded Flash via Windows Update (bulletin MS16-128), and Chrome will update itself automatically. Still, it’s a good idea to make sure by visiting the About Flash page.

Firefox, Internet, Security, Things that are bad

Stay away from Certificate Authority WoSign/StartCom

October 27, 2016 jrivett Leave a comment

A litany of abuse and incompetence has prompted Mozilla to completely distrust security certificates from Certificate Authority (CA) WoSign in Firefox.

Starting with Firefox 51, the browser will no longer trust WoSign or StartCom certificates. According to Mozilla: “If you receive a certificate from one of these two CAs after October 21, 2016, your certificate will not validate in Mozilla products such as Firefox 51 and later, until these CAs provide new root certificates with different Subject Distinguished Names, and you manually import the root certificate that your certificate chains up to. Consumers of your website will also have to manually import the new root certificate until it is included by default in Mozilla’s root store.”

WoSign/StartCom can dig themselves out of this hole by applying for inclusion of new (replacement) root certificates, and there’s little doubt that they will pursue this course. But should anyone really trust their security and privacy to this company? I sure won’t, especially when there are excellent free alternatives like Let’s Encrypt.

Mozilla has been tracking WoSign’s failures since the beginning of 2015, recording their observations on their corporate wiki site.

The most recent example of WoSign’s failings stems from their acquisition of CA StartCom in November of 2015. WoSign failed to disclose the acquisition, then lied about it.

On a related note, Mozilla will also no longer accept audits performed by the consulting firm Ernst and Young (Hong Kong). That’s the company that failed to catch several of WoSign’s worst abuses. This is personally amusing to me, since I’ve had dealings with Ernst and Young that were somewhat less than positive.

Update 2016Nov01: Google is following Mozilla’s lead and removing trust for WoSign and StartCom certificates in Chrome, starting with Chrome 56.

Patches and updates, Security, WordPress and other CMS

Critical security update for Joomla

October 26, 2016 jrivett Leave a comment

Joomla 3.6.4, released on October 25, addresses two critical security vulnerabilities that could allow an attacker to gain control of a Joomla-based web site.

Like WordPress, Joomla forms the basis of numerous web sites, because it’s easy to set up and manage. Its popularity and ease of use have of course also made Joomla a target for malicious hackers, who know that many Joomla sites are not kept up to date by their inexperienced owners.

If you manage a Joomla 3+ web site, please install this update as soon as possible. It’s very likely that attackers are already searching the web for vulnerable sites. Unless of course you want your site to be part of a botnet (which may sound cool, but really isn’t).

Opera, Patches and updates

Opera 41

October 26, 2016 jrivett Leave a comment

Faster startup times when re-opening multiple tabs, better use of available hardware acceleration for video, and improvements to the news reader are featured in Opera 41.0.2353.46, released on October 25.

The release notes and history for Opera are no longer being updated, so aside from announcement blog posts, finding the details for a new version involves reviewing the major version change logs. These logs include beta and developer releases, and only sometimes include the main ‘Stable’ releases. The log for Opera 41 was last updated for the version 41.0.2353.30 beta on October 19.

Hardware, Internet crime, IoT, Malware, Security

DDoS attacks on Dyn caused outages and slowdowns

October 22, 2016 jrivett Leave a comment

If you use Twitter, reddit, Amazon, Tumblr, Spotify or Netflix, you may have noticed that they were slower than usual for parts of yesterday. That’s because the affected sites and services use Dyn, a DNS service provider, and Dyn was hit by two huge DDoS attacks yesterday.

The attacks lasted for a few hours, and while they certainly affected a lot of people, they were no more than an inconvenience for most. Still, the surge in the number and size of these attacks is troubling.

Analysis of the attacks shows that they were made possible by the Mirai botnet, which uses a huge network of poorly-secured (and now compromised) DVRs and security cameras. Those are the same tools used in the recent krebsonsecurity.com and OVH DDoS attacks. The source code for Mirai was released to the public recently, which means just about anyone could have caused the Dyn attacks.

Brian Krebs has more.

Update 2016Oct24: Dyn has released a statement about the attack on their systems, in which they clarify the timeline, and confirm that the Mirai botnet was involved. Meanwhile, security expert Bruce Schneier doesn’t believe that the recent attacks were perpetrated by a state actor such as China. He also doesn’t think they were related to the probing attacks he reported earlier. But he is concerned that the attacks will continue to grow in size and frequency, because nobody involved is motivated to fix the problem.

Chinese device maker Hangzhou Xiongmai has issued a recall for several of its webcam models that were used in the attacks. However, they are only one company out of hundreds (maybe thousands?) of companies producing poorly-secured IoT devices.

Update 2016Oct25: According to Brian Krebs, Xiongmai has also made vague legal threats against anyone issuing ‘false statements’ about the company. This is presumably part of a PR effort to improve the company’s image in the wake of the attacks, but it’s hard to see how this will help anyone. The company’s main objections apparently relate to statements by Brian Krebs and others about users’ ability to change passwords. Testing has shown that back-door, unchangeable passwords exist on some of the affected devices.

boot13