Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.

All posts by jrivett


Patch Tuesday for August 2016

It’s update time again. This month Microsoft is making available nine updates, affecting Windows, Internet Explorer, Edge, and Office. Five of the updates are flagged as Critical. A total 38 vulnerabilities are addressed with these updates.

The associated bulletin from Microsoft has additional details.

There’s also one new security advisory: Update for Kernel Mode Blacklist.

Potentially massive breach of Oracle POS software

The details are still not clear, but there is strong evidence of a breach of Oracle’s MICROS Point Of Sale (POS) software.

This software is used by many popular companies, and could affect as many as 200,000 food and beverage outlets, 100,000 retail sites, and 30,000 hotels. The primary danger to customers of these companies is theft of credit card information.

Affected companies include Starbucks, Sonic, IHOP, Hard Rock Cafe, and Burger King.

Update 2016Aug21: Brian Krebs’ ongoing analysis reveals that the breach may be much larger than originally thought, possibly even affecting Oracle’s corporate network. Oracle remains largely silent on the issue, which is prompting a lot of backlash from MICROS users.

Windows 10 anniversary edition

Despite my extreme disappointment with Microsoft’s decision to prevent disabling advertising and privacy-compromising features in the Pro version of Windows 10, I am still running it on my test PC – for now. I don’t need to be running Windows 10 to talk about it, so I’ll be switching my test PC back to Windows 7 or 8.1 in the near future.

The anniversary update, which could fairly be described as Windows 10 Service Pack 1, has arrived. If you’re in the Windows 10 Insider Preview program, you’ve already seen all the changes that come with this update. For those of you not in the Insider program, here’s what the anniversary update includes: Windows Ink, a doodling program for tablets; improvements to the Start page, Start menu, notification center, taskbar, and other user interface elements; Cortana improvements; plus extensions and other improvements for Edge.

If you’re running Windows 10, you can get the anniversary update from Windows Update. You can also clean install it from an ISO image available from Microsoft.

Once the anniversary update is installed, Windows 10 will identify its version as Version 1607; OS Build 14393.10.

I haven’t encountered any new problems since my test PC upgraded itself to the anniversary version.

Before I remove Windows 10 forever from my test PC, I’m going to spend a bit of time looking into the new Pro version restrictions. There’s a small chance that some smart person will find a way around them; if so, I’ll post about it on this site.

Information from Microsoft:

Some wireless keyboards are vulnerable to keystroke sniffing

Security researchers at Bastille tested a variety of wireless keyboards and found several that are vulnerable to keystroke interception and injection techniques.

The researchers developed a specific attack called Keysniffer, and used it to both read user keystrokes and inject their own keystrokes remotely, from as far away as 250 feet. The attack is possible because the affected keyboards don’t encrypt communications with the host computer.

Bastille obviously didn’t test every wireless keyboard out there, but they did provide a list of those they found to be vulnerable.

Java 8 Update 101

Oracle released Java 8 Update 101 a couple of weeks ago, and I somehow managed to miss it. The Oracle Critical Patch Update Advisory for July 2016 includes the details, and I’m still subscribed to the Oracle Security Alerts RSS feed, so I can only assume that I failed to notice it. Mea culpa.

The new version includes fixes for at least thirteen security vulnerabilities, as well as several other bug fixes.

Anyone with Java enabled in their web browser should update Java as soon as possible. Hopefully most of you noticed the update and installed it before I did.

SANS ‘Ouch!’ newsletter for August 2016

This month’s ‘Ouch!’ (PDF) is about Ransomware, that nasty type of malware that encrypts your data files and (if you’re lucky) allows for their decryption, once you pay a ransom.

It’s definitely a worthwhile read, especially if you’re not familiar with the term. Ransomware is real, and affecting increasing numbers of users.

Also see Ransomware update, recently posted on this site.

Joomla 3.6.1 update problems

The latest version of Joomla is causing problems for web servers running older versions of PHP. Affected Joomla sites are still accessible, but users and administrators are unable to log in.

An announcement on the Joomla web site, and another in the Joomla documentation, provide details and workarounds for problems caused by the update, but web servers running PHP 5.3 won’t find them particularly helpful. If you administer a web server running PHP 5.3, the solution is to either wait for Joomla 3.6.2, or make some changes to a single Joomla file, as outlined in this fix on Github.

In case you’re wondering why any diligent web server administrator would still be running a version of PHP that is known to be insecure, what’s actually going on in most cases is that the admin is running a custom build of PHP that has had all relevant security fixes applied. For example, these custom builds of PHP are provided for Ubuntu LTS (Long Term Support) releases to allow for maximum security and stability.

Update 2016Aug05: That was fast. Joomla 3.6.2 is now available, and it fixes the PHP 5.3 compatibility issue.

Frequent password changes don’t necessarily improve security

Lorrie Cranor, chief technologist at the US Federal Trade Commission, recently made news by warning that frequent password changes may actually reduce security.

This does not mean that you should stop changing your passwords. Cranor is actually referring to the enforced password change policy in place at many organizations. When users are forced to change their passwords at regular intervals (eg. every 60 days), they tend to use patterns, like incrementing a number at the end of a password.

Related research shows that once common patterns are allowed for, password cracking success rates increase markedly. You can be sure that the people writing password cracking software know about this as well.

When you change your passwords (whether enforced or not), don’t use a simple variation of the previous password. Instead, think of an entirely new one, or use one of the many excellent password database programs and services to generate one.

Firefox 48

There’s a lot to talk about with the release of Firefox 48. Of course, this being Mozilla, nothing is straightforward.

Process separation

One of the most important new features in Firefox 48 is process separation (aka Electrolysis, aka e10s), whereby Firefox is split into separate processes, instead of running as a single process. The idea is to improve stability, responsiveness, and security. According to Mozilla: “Users should experience a Firefox that is less susceptible to freezing and is generally more responsive to input, while retaining the experience and features that users love.”

Here’s what the release notes have to say about it: “Process separation (e10s) is enabled for some of you. Like it? Let us know and we’ll roll it out to more.” What does this even mean? How do I know if process separation is enabled in my copy? What’s the difference between Firefox 48 with process separation enabled and with it disabled? How can I provide feedback on something if I don’t even know for sure I’m seeing it? If it’s not enabled in my copy, how will Mozilla ‘roll it out’ to me?

A separate Mozilla blog post answers some of these questions. Process separation will be enabled gradually in a series of Firefox releases, starting with 48 and continuing with 49. You can determine whether e10s is enabled in your copy of Firefox by entering “about:support” into the URL bar, and looking at the ‘Multiprocess Windows’ line.

A post on Asa Dotzler’s blog provides a few more answers, including this: “The groups that will have to wait a bit for E10S account for about half of our release users and include Windows XP users, users with screen readers, RTL users, and the largest group, extension users.” In case you were wondering, Asa Dotzler is the Participation Director for Firefox OS, Mozilla Corp.

Improved download security

With version 48, Firefox has beefed up security related to downloads. Actually, it’s more accurate to say that Google added features to its Safe Browsing service, which Firefox uses. Those new features include checking for ‘Potentially Unwanted Software’ and ‘Uncommon Downloads’. The changes are described in another Mozilla post. Unfortunately, this post is poorly worded, making the new features sound as if they watch what a downloaded software installer is doing. In fact, Firefox just checks downloads against a list of known bad or ‘uncommon’ installers (provided by Google) and warns the user if one is encountered. The new features can be disabled in Firefox’s options.

New restrictions for add-ons

Firefox add-ons that have not been approved by Mozilla will no longer work with Firefox 48. Add-ons are a major source of instability and security issues in Firefox, and while this change will be inconvenient for people who use add-ons that have not been verified and signed by Mozilla, it’s definitely a step in the right direction.

Security vulnerabilities fixed

At least twenty-three security issues were fixed in Firefox 48. That means this is an important update; if you use Firefox, you should upgrade to version 48 as soon as possible. If the new features in Firefox 48 are a problem for you, then it’s time to look at alternatives like Opera and Chrome.

Other notable changes

The address (URL) bar now expands to the width of the screen when you’re typing in it. More matches are shown when you enter text in the address bar, and any that are already bookmarked will show an icon.

Improvements to bookmarks and history: Firefox 48 merges “your Reading Lists into Bookmarks and your Synced tabs into the History Panel. This change means your reading list items will now be available across devices alongside your bookmarks, giving you easier access to your content no matter what device you’re using, which is a major upgrade for those of you using Firefox across devices.”

Related links