Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.

All posts by jrivett

Microsoft, Patches and updates, Security, Windows

Microsoft issues special update for critical Windows vulnerability

July 21, 2015 jrivett Leave a comment

An update for a vulnerability in the Microsoft Font Driver – present in all supported versions of Windows – was released yesterday by Microsoft. Normally, updates like this are released as part of the monthly Patch Tuesday process, but Microsoft evidently decided that this vulnerability was serious enough to warrant this ‘out of band’ update.

Windows systems with Automatic Updates enabled will receive this update automatically. All other systems should be updated via Windows Update as soon as possible.

Chrome, Firefox

Mozilla’s plans to make Firefox better

July 17, 2015 jrivett Leave a comment

For years, Firefox has been the go-to browser for tech-savvy users, who mainly want to avoid using Internet Explorer. More recently, Firefox has been losing users to Chrome, albeit slowly. Fast-forward to today, and it’s increasingly common to hear people complain about Firefox’s bloat, and its performance issues.

I still use Firefox, but I’d switch to Chrome in a heartbeat if that browser had a bookmark sidebar. And I’m not the only one: the comments in this Chrome Help Forum thread clearly show users’ frustration with Google’s foot-dragging.

Apparently Mozilla can see the writing on the wall. A new effort is underway to improve Firefox’s quality. Part of this will involve identifying and removing features that are incomplete or ineffective, which should help to reduce bloat and improve performance. It’s way too soon to know if this will be enough for Firefox to hold on to notoriously fickle browser users, but at least Firefox may now have a chance.

Meanwhile, Microsoft’s new web browser (Edge) is going to complicate things if it really is as fast as claimed.

Java, Patches and updates, Security

Java 8 Update 51 fixes 25 vulnerabilities

July 15, 2015 jrivett Leave a comment

Yesterday, Oracle released a huge set of updates for all its products, in the July installment of their quarterly Critical Patch Update.

Included in the updates is a new version of Java, version 8 update 51. The new Java includes fixes for at least 25 security vulnerabilities. Anyone who uses a web browser with Java enabled should install the new version as soon as possible. According to Oracle, exploits for at least one of the Java vulnerabilities have been seen in the wild.

Adobe, Internet Explorer, Microsoft, Patches and updates, Security, Shockwave, Windows

Patch Tuesday for July 2015

July 14, 2015 jrivett Leave a comment

This month there are fourteen bulletins from Microsoft, with associated updates affecting Windows, Internet Explorer, Office and SQL Server. Four of the updates are flagged as Critical. The updates address at least fifty-nine vulnerabilities.

From Adobe, there are updates for Flash (see previous post), Reader/Acrobat (version 2015.008.20082) and Shockwave (version 12.1.9.159).

So, although installing updates on computers is probably not anyone’s idea of summer fun, let’s all try to keep our sense of humour as we once again work through the monthly update grind. Enjoy!

Update 2015Jul16: This month’s Microsoft updates address three vulnerabilities (two in Internet Explorer) exposed in the recent Hacker Team leak.

Adobe, Chrome, Firefox, Flash, Google, Internet Explorer, Patches and updates, Security

Flash 18.0.0.209 fixes latest vulnerabilities

July 14, 2015 jrivett 1 Comment

Earlier today, Adobe released yet another version of Flash to address the most recent vulnerabilities revealed in the Hacker Team leak (CVE-2015-5122 and CVE-2015-5123).

According to the release notes for version 18.0.0.209: “These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of reports that exploits targeting these vulnerabilities have been published publicly.”

If you still need to use a web browser with Flash enabled, you should install the new Flash version immediately. As usual, Internet Explorer 10/11 in Windows 8.x will receive the Flash update via Windows Update. A new version of Google Chrome (43.0.2357.134) includes the most recent Flash version.

Ars Technica has more about the latest updates and efforts to minimize Flash-related vulnerabilities by Mozilla and Google.

Adobe, Firefox, Flash, Google, Security

Yet another Flash exploit revealed

July 14, 2015 jrivett Leave a comment

At this point, the Hacking Team leak appears to be a never-ending source for Flash exploits. A third vulnerability was just discovered among the leaked materials. As always, we recommend disabling Flash completely in your browser, or setting up one browser with Flash, to be used only when you have no other choice.

To reduce potential damage, Mozilla has configured Firefox to block all versions of Flash up to version 18.0.0.203. Of course, that won’t help for as-yet unpatched vulnerabilities such as the last two from the Hacking Team leak.

Meanwhile, there’s renewed interest in eliminating Flash from the web completely. YouTube abandoned Flash for an HTML5-based video player recently, and organized campaigns like Occupy Flash are trying to keep the ball rolling by encouraging both users and service providers to stop using Flash. Facebook’s Chief Security Officer wants Adobe to announce the end of Flash.

We’re hoping that Google is working to remove Flash from their advertising infrastructure, since for many users, Flash-based advertisements are their biggest remaining exposure to Flash.

Adobe, Flash, Security

Another Flash exploit revealed in Hacking Team leak

July 11, 2015 jrivett Leave a comment

Adobe has issued another security bulletin, for another new vulnerability in Flash. As with the previous vulnerability, this one was discovered in the information leaked following the Hacker Team server breach, and exploits have already been observed in the wild. The bug has yet to be fixed, although Adobe plans to issue an update next week. Brian Krebs has additional details.

Adobe, Flash, Patches and updates, Security

Flash update fixes Hacking Team vulnerability

July 8, 2015 jrivett Leave a comment

As much as I would like to see Flash disappear completely, I have to commend Adobe’s quick response to the recent discovery of a critical Flash exploit.

Flash 18.0.0.203 was released earlier today. The new version fixes the vulnerability associated with the Hacking Team leak (CVE-2015-5119), but it also addresses thirty-five other security vulnerabilities in Flash.

As usual, Google Chrome will update itself with the new Flash code, and Internet Explorer 10 and 11 on Windows 8.x will get the Flash changes via Windows Update.

Recommendation: if you use a web browser with Flash enabled, install the new Flash as soon as possible. Keep in mind that the standard Flash installer also installs McAfee security software by default: look for a checkbox for this option in the installer and disable it.

Ars Technica has additional details.

Firefox, Security

Recent changes to Firefox prevent access to network resources

July 8, 2015 jrivett Leave a comment

By now you’re no doubt familiar with the warnings displayed by web browsers when you navigate to sites that use out of date or incomplete security. Typically, a browser will allow you to continue to the site in question, regardless of the security issue. While it can be argued that allowing the user to ignore security warnings is a bad idea, in many cases this is the only way for users to access some sites.

The classic example of this is when a business creates a self-signed SSL certificate for a web resource that is only accessible internally. Typically this is done when non-secure access to the resource is simply not supported. Creating a self-signed certificate gets around this limitation and costs nothing. Users accessing the resource will see a warning about the self-signed certificate, but can tell their browser to proceed anyway, knowing that there’s no actual danger.

Unfortunately, Mozilla seems to have eliminated the ability for users to bypass these warnings. I recently encountered this when using the current version of Firefox (39.0) to access a router on a local network. I received a cryptic warning:

SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

In earlier versions of Firefox, I would then be allowed to continue regardless of the security issue. But that’s no longer the case. To access the router, I switched to Google Chrome, which showed the same warning, but allowed me to proceed.

I understand that Mozilla is trying to tighten security, and limit the ways in which uninformed users expose themselves to security risks, but I believe that this is going too far. It’s yet another example of how Mozilla is pushing users away from Firefox, to other web browsers.

Update 2015Jul09: I’m seeing workarounds for this problem, but they typically involve ignoring the security check completely. I only want to be able to bypass the check for specific sites.

Update 2015Aug07: Only certain types of SSL keys are being handled this way in Firefox now. Specifically, Diffie-Hellman keys that are 1024 bits long or shorter. Other self-signed keys still allow for exceptions to be added.

Update 2015Oct16: Chrome also no longer allows access to sites, services, or devices using Diffie-Hellman keys.

Adobe, Flash, Internet crime, Security

Exploit for unpatched Flash vulnerability found in leaked material

July 8, 2015 jrivett 4 Comments

Hacking Team is an Italian company that develops counter-security (i.e. hacking) software. They claim to provide their tools only to NATO partners, but there have long been suspicions that their client list includes oppressive governments. These claims have always been denied by the company, but a recent, comprehensive hack against their servers has confirmed Hacking Group sells their software to anyone who asks, including Kazakhstan, Sudan, Russia, Saudi Arabia, Egypt and Malaysia.

Nobody has yet claimed credit for the hack and data scoop, but whoever did it, they have done the world a favour in exposing the practices of Hacking Group. Unfortunately, in publishing the information obtained in the hack, at least one serious – and unpatched – Flash vulnerability has also been exposed.

Adobe responded to the publication of the vulnerability with a Flash security bulletin, in which they confirm that the vulnerability and exploit exist, and that they are currently working on a fix (expected later today). Meanwhile, the exploit has already found itself into hacking toolkits.

Anyone still using a web browser with Flash enabled should consider disabling Flash until this vulnerability is patched.

Update 2015Jul08: Bruce Schneier points out that Hacking Team’s practices are even worse than predicted, and doesn’t expect the company to survive.

boot13