Chrome 43.0.2357.132 was announced today. There’s not a lot of information about the new version in its release notes, but the detailed change log shows that it’s mostly a bug fix release. None of the fixes appear to address security issues.
Confusing series of Firefox releases
Last week the FileHippo update checker kept insisting that Firefox 38.0.6 was the latest version. I was – and still am – unable to find any official release notes for that version, but according to one source, 38.0.6 is a special version for specific hardware. In any case, Firefox never updated itself to 38.0.6.
Yesterday I discovered that Firefox 39.0 had been released, apparently on June 30th. According to its release notes, this version includes a variety of fixes and improvements, especially for Macs. HTML5 support is improved, as is networking. Several security vulnerabilities were also addressed.
Meanwhile, in reviewing the official list of Firefox releases, I found notes for version 38.1.0, which was apparently released on July 2nd. It looks like Mozilla staff posted this version in the wrong place, because the 38.1.0 release is for the ‘ESR channel’. Readers of this site are likely more interested (as am I), in the ‘release channel’. According to the Firefox ESR FAQ:
Mozilla Firefox ESR is meant for organizations that manage their client desktops, including schools, businesses and other institutions that want to offer Firefox. Users who want to get the latest features, performance enhancements and technologies in their browsing experience should download Firefox for personal use [ed: the release channel], as these improvements will only be available to ESR users several development cycles after being made available in Firefox for desktop.
In other words, pay no attention to the 38.1.0 ESR release if you want all the latest improvements. ESR releases receive the same security fixes as the release channel, but new features lag behind by several development cycles, which is exactly why organizations that value stability over novelty choose it.
Security roundup for June 2015
What’s in a name?
ICANN is the non-profit organization that coordinates the Internet’s domain name system. Anyone who owns a domain name has an ongoing relationship (even if indirect) with ICANN. Unfortunately, there’s alarming evidence that ICANN is now being guided by corporate interests. Update 2015Jul08: this is a very real privacy threat.
ICANN is proposing rules that would make it impossible for site owners to remain anonymous: registrants of ‘commercial’ domains would be barred from using the privacy and proxy registration services that keep their name, address and phone number out of the public WHOIS record. ICANN insists that this will only apply to commercial sites, but the definition of commercial promises to be so vague that almost any site would qualify. Spammers will be rubbing their hands together in glee, since the contact information associated with domain registration is extremely valuable to them.
Free proxies: use with caution
Brian Krebs reports on recent research in which 443 free, open proxy services were tested to determine whether they a) support secure (HTTPS) web traffic, b) maintain the privacy of user information, and c) modify user traffic in any way. Fully 79% of the tested proxies force web pages to load over plain HTTP, which means the service operator can read, and alter, everything their users send and receive. Sixteen percent of the services actively insert advertising into their customers’ web traffic.
Recommendation: if you’re looking for a free proxy service, find one that passes secure (HTTPS) traffic through untouched, and check that it actually does: fetch a page you know is served over HTTPS, confirm the browser still shows the padlock, and confirm the page’s links and scripts haven’t been rewritten or added to. Even an honest proxy still sees which sites you visit.
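The check described above, as an added example that is not part of the original post and not the researchers’ test harness: fetch the same page directly and through the proxy, then compare the URL references in the two copies. The two HTML documents below are constructed samples (the hostnames are made up); in practice you would fill them from two real fetches of a page you control.

```python
from html.parser import HTMLParser

# Constructed sample: the page as the origin server returned it when fetched directly ...
ORIGIN_HTML = """<html><head><title>Example bank</title>
<script src="https://cdn.example.com/app.js"></script></head>
<body><a href="https://login.example.com/">Log in</a></body></html>"""

# ... and the same URL fetched through a hypothetical misbehaving free proxy:
# secure links rewritten to plain http, and an advertising script injected.
PROXIED_HTML = """<html><head><title>Example bank</title>
<script src="http://cdn.example.com/app.js"></script>
<script src="http://ads.proxy-example.net/inject.js"></script></head>
<body><a href="http://login.example.com/">Log in</a></body></html>"""


class RefCollector(HTMLParser):
    """Collect every URL-carrying attribute (src, href, action) in document order."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href", "action") and value:
                self.refs.append((tag, name, value))


def collect_refs(html):
    parser = RefCollector()
    parser.feed(html)
    return parser.refs


def audit_proxy(origin_html, proxied_html):
    """Compare a direct fetch with a proxied fetch of the same page.

    Returns the https URLs the proxy rewrote to http ("downgraded") and the
    references that exist only in the proxied copy ("injected")."""
    origin_urls = {url for _, _, url in collect_refs(origin_html)}
    downgraded, injected = [], []
    for tag, attr, url in collect_refs(proxied_html):
        if url in origin_urls:
            continue
        # Same URL as the original, with only the scheme flipped from https to http?
        if url.startswith("http://") and "https://" + url[len("http://"):] in origin_urls:
            downgraded.append(url)
        else:
            injected.append((tag, attr, url))
    return {"downgraded": downgraded, "injected": injected}


def proxy_is_clean(origin_html, proxied_html):
    report = audit_proxy(origin_html, proxied_html)
    return not report["downgraded"] and not report["injected"]


if __name__ == "__main__":
    print(audit_proxy(ORIGIN_HTML, PROXIED_HTML))
```

Comparing references rather than whole documents avoids false alarms from harmless differences (timestamps, session tokens) while still catching the two behaviours the research measured: HTTPS downgrades and injected content.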
Why We Encrypt
Another insightful post from security expert Bruce Schneier explains why encryption is important, why it should be enabled by default, and why recent efforts to weaken encryption are a huge mistake.
Failure to encrypt
Researchers at AppBugs used their security software to detect flaws in the way apps encrypt Internet traffic, and the results are depressing. Over fifty Android applications, downloaded by millions of users, either send data without encryption or use it incorrectly (typically by not properly validating the server’s certificate, which lets anyone on the network path intercept the connection). While some of these apps probably don’t transmit anything sensitive, many do, including several high-profile apps from the NBA, Match.com, Safeway, and Pizza Hut.
New method for managing passwords
The free, open source Master Password takes a different approach to generating unique passwords: instead of storing them, it recomputes each one on demand from your name, your master password, and the site’s name, so there is no password database to back up, sync, or steal. It does this without storing or accessing anything on the Internet; all you need is the app itself and your master password. The catch? Because the generated passwords are new, you’ll have to set them on every site and service you use, and if you ever change your master password, every site password changes with it. Master Password is available for iPhone/iPad, Mac, Windows Desktop, Android, and on the web.
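To show how a stateless scheme of this kind works, here is an added example in Python. It is not Master Password’s own code or its exact algorithm (the salt prefix, scrypt parameters, character classes and templates below are assumptions chosen for illustration); it follows the same structure: a slow, memory-hard derivation of a master key from the master password and the user’s name, then a cheap keyed hash per site name and counter that is mapped onto a password template.

```python
import hashlib
import hmac
import struct

PREFIX = b"example.stateless.pw"  # assumed domain-separation prefix, not the real one

# Assumed character classes and templates for the generated passwords.
CLASSES = {
    "V": "AEIOU",
    "C": "BCDFGHJKLMNPQRSTVWXZ",
    "v": "aeiou",
    "c": "bcdfghjklmnpqrstvwxz",
    "n": "0123456789",
    "o": "@&%?,=[]_:-+*$#!'^~;()/.",
}
TEMPLATES = ["CvcvnoCvcvCvcv", "CvcvCvcvnoCvcv", "CvcvCvcvCvcvno"]


def _len_prefixed(text: str) -> bytes:
    data = text.encode("utf-8")
    return struct.pack(">I", len(data)) + data


def master_key(full_name: str, master_password: str) -> bytes:
    """Slow, memory-hard derivation; the user's name is the salt, so two people
    who happen to pick the same master password still get different keys."""
    salt = PREFIX + _len_prefixed(full_name)
    password = master_password.encode("utf-8")
    if hasattr(hashlib, "scrypt"):
        return hashlib.scrypt(password, salt=salt, n=2**14, r=8, p=2,
                              maxmem=64 * 1024 * 1024, dklen=64)
    # Fallback for Pythons built without scrypt: a heavy PBKDF2 instead.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 200_000, 64)


def site_password(mkey: bytes, site: str, counter: int = 1) -> str:
    """Cheap per-site derivation: HMAC keyed with the master key over the site
    name and a counter. Bumping the counter is how you 'rotate' one site's
    password without touching any other."""
    message = PREFIX + _len_prefixed(site) + struct.pack(">I", counter)
    seed = hmac.new(mkey, message, hashlib.sha256).digest()
    template = TEMPLATES[seed[0] % len(TEMPLATES)]
    # One seed byte per template slot selects a character from that slot's class.
    return "".join(CLASSES[cls][seed[i + 1] % len(CLASSES[cls])]
                   for i, cls in enumerate(template))


if __name__ == "__main__":
    key = master_key("Example User", "correct horse battery staple")
    print(site_password(key, "example.com"))
    print(site_password(key, "example.com", counter=2))
```

Nothing here is written to disk or sent anywhere; the same name, master password, site and counter always yield the same password, and changing the master password changes every site password at once, which is the ‘catch’ mentioned above.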
Steganography toolkit for malware
Steganography is the technique of hiding information inside otherwise innocuous-looking files, typically images. Security researchers have previously seen it used to conceal malware; Dell SecureWorks researchers have now analysed Stegoloader, a malware family whose deployment module downloads an ordinary-looking PNG image from a legitimate hosting site, extracts its main component from the image’s pixel data and runs it from memory. From their report:
Stegoloader is stealthy in many aspects; it evades analysis tools and deploys only necessary modules, without writing them to disk. Although CTU researchers have not observed Stegoloader being used in targeted attacks, it has significant information stealing capabilities.
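To make the technique concrete, here is an added example in Python that is not the malware’s code and not from the SecureWorks report: hiding a payload in the least significant bit of each byte of an image’s pixel data, and getting it back out. The ‘cover’ is a constructed byte array standing in for decoded pixels (a real loader would decode a PNG first), and the payload is a constructed placeholder string, not a real module.

```python
# Constructed cover: stands in for the decoded pixel bytes of an image.
COVER = bytes((i * 37 + 11) % 256 for i in range(2048))
# Constructed payload: stands in for the module a loader would hide.
PAYLOAD = b"stand-in for a hidden module: not real code"


def capacity(cover: bytes) -> int:
    """Payload bytes that fit: one bit per cover byte, minus a 4-byte length prefix."""
    return len(cover) // 8 - 4


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Write a length-prefixed payload into the least significant bit of each cover byte.

    Each cover byte changes by at most 1, which is invisible in an image and
    leaves the file a perfectly valid picture."""
    if len(payload) > capacity(cover):
        raise ValueError("payload does not fit in cover")
    data = len(payload).to_bytes(4, "big") + payload
    out = bytearray(cover)
    pos = 0
    for byte in data:
        for shift in range(7, -1, -1):  # most significant bit first
            out[pos] = (out[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return bytes(out)


def _read_bits(stego: bytes, start: int, nbytes: int) -> bytes:
    result = bytearray()
    for i in range(nbytes):
        value = 0
        for j in range(8):
            value = (value << 1) | (stego[start + i * 8 + j] & 1)
        result.append(value)
    return bytes(result)


def extract_lsb(stego: bytes) -> bytes:
    """Recover the payload written by embed_lsb; the first 32 LSBs carry its length."""
    length = int.from_bytes(_read_bits(stego, 0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("declared length exceeds carrier size")
    return _read_bits(stego, 32, length)


def max_pixel_change(cover: bytes, stego: bytes) -> int:
    """How far any single byte moved; for LSB embedding this is never more than 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    stego = embed_lsb(COVER, PAYLOAD)
    print(extract_lsb(stego), max_pixel_change(COVER, stego))
```

The defensive lesson is the one the report draws: the downloaded image passes every format check, so detection has to focus on the behaviour of the program that fetches it and on what happens in memory afterwards, not on the image itself.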
The dangers of using secret questions for account recovery
Anyone who uses Internet-based services has seen them: ‘secret’ questions and answers you set up to facilitate password resets and account recovery. The idea is that the service can be sure you are who you say you are because you can correctly answer one or more of these questions. The problem is that this method has serious failings, as reported by Google researchers (PDF): popular answers are easy for an attacker to guess, and the harder-to-guess ones are often forgotten by the legitimate user. The authors recommend using email-based, or better still SMS/text-based, account recovery methods instead.
Testing your anti-malware solution
Is your anti-malware software working? Short of visiting a web site known to distribute malware, how can you be sure? One method uses a special string of text known as the EICAR test file: a 68-character string that every reputable anti-malware product recognises and reports as if it were malware, even though it is completely harmless. Visit the EICAR web site and download a file containing the text; your anti-malware software should detect it and identify it as the EICAR test file. Alternatively, you can download Didier Stevens’ EICARGen software, which generates files containing the EICAR text. Depending on your anti-malware software’s configuration, the EICAR text may be detected when you attempt to download it, or when you write, read, or execute a file containing it. I currently use Avast, which by default detects EICAR when attempting to download it, and during full and explicit scans, but only detects EICAR in existing files when they are executed. Keep in mind that a successful EICAR detection only proves the scanner is running and is watching that particular path (download, file write, execution); it says nothing about how well it detects real malware.
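For readers who would rather generate the file themselves, here is an added Python example; it is not EICARGen and not from the EICAR site. The string is the standard test string, assembled from two halves so that this source file is not itself flagged. The validity check follows the published rule for the test file: the 68-byte string must start at offset 0, anything after it must be whitespace, and the whole file must be no longer than 128 bytes. Files that break those rules are not required to be detected, which is a common reason a home-made test ‘fails’.

```python
import pathlib
import tempfile

# Standard EICAR test string, split in two so the source file is not itself
# mistaken for a test file by a scanner that reads it.
_HEAD = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
_TAIL = r"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR = _HEAD + _TAIL                 # exactly 68 ASCII characters
EICAR_BYTES = EICAR.encode("ascii")

MAX_FILE_SIZE = 128                   # per the EICAR specification
WHITESPACE = b" \t\r\n\x1a"           # trailing bytes the specification tolerates


def is_valid_eicar(data: bytes) -> bool:
    """True if `data` is a file a conforming scanner must flag: the 68-byte
    string at offset 0, only whitespace after it, at most 128 bytes in all."""
    if len(data) > MAX_FILE_SIZE or not data.startswith(EICAR_BYTES):
        return False
    return all(byte in WHITESPACE for byte in data[len(EICAR_BYTES):])


def write_eicar(path, trailer: bytes = b"") -> int:
    """Write a valid test file and return its size; refuses to write an
    invalid variant, because that would test nothing."""
    data = EICAR_BYTES + trailer
    if not is_valid_eicar(data):
        raise ValueError("trailer would make the file non-conforming")
    pathlib.Path(path).write_bytes(data)
    return len(data)


def write_test_file(directory=None, trailer: bytes = b"\n"):
    """Create eicar.com in a fresh temporary directory (or the one given)
    and return (path, size). On-access scanners typically react to the write;
    on-demand scanners will find it when that directory is scanned."""
    directory = pathlib.Path(directory or tempfile.mkdtemp(prefix="eicar-"))
    target = directory / "eicar.com"
    size = write_eicar(target, trailer)
    return str(target), size


if __name__ == "__main__":
    path, size = write_test_file()
    print(f"wrote {size} bytes to {path}")
```

If the scanner quarantines the file the moment it is written, you have exercised on-access scanning; if it sits there untouched until a scan or until you run it, you have learned which paths your product actually watches, which is the question the paragraph above is about.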
Is Chrome spying on you? Nope.
This past week there was a lot of noise on the web about Google sneakily installing an extension into Chrome that spies on you via your computer’s microphone.
There are several aspects to this story. First, Chrome (Google’s closed-source browser) did indeed receive an extension called Hotword through its normal automatic updates, and builds of its open-source cousin Chromium were downloading the same binary module. Note that both browsers are designed to update themselves automatically, so that part isn’t anything new. It still seemed sneaky, because Hotword is an extension, and as such it a) should probably only be installed after getting confirmation from the user, and b) should show up in the browser’s list of installed extensions.
Google explained this by pointing out that some Chrome/Chromium extensions are ‘component’ extensions, and these are handled more as core components of the browser than as extra add-ons. And Hotword was designated as a ‘component’ extension.
Second, people using the open source Chromium were particularly dismayed that the browser was updating itself with code that was itself not available for review (i.e. not open source). This concern was understandable, and Google’s response was to stop installing Hotword automatically on Chromium.
Third, there was some evidence of a bug in Hotword that could allow third parties (i.e. not the user, and not Google) to use Hotword to listen to users. A demonstration of this seems to bear out this claim, but at this point it’s not clear whether there is any basis for a serious privacy concern. I’ll post more about this as things progress.
It’s important to note that the Hotword extension is not enabled by default. Even if you’re using Chrome, and Hotword is installed automatically, it won’t do anything until it’s enabled. More about that below.
Background
As you may be aware, there’s a big push on to get voice control into the mainstream. For years, we’ve watched people in science-fiction films talking to their computers and thought it was pretty neat. The technology for actually doing this is finally here, and it’s being added to everything, starting with our mobile devices: iPhones have Siri, Windows phones have Cortana, and so on. Microsoft is now pushing Cortana into Windows on PCs as well, in Windows 10.
Google has been experimenting with voice recognition for its search site and in Chrome for some time now. The Hotword extension is just Google’s latest improvement. Once installed in Chrome/Chromium, the browser provides various indications about its status. Visiting the main Google search page, or just opening a new tab (which shows the Google search interface by default) will now show ‘Say “Ok Google”‘ at the far right of the search prompt. There’s also a microphone icon, which has actually been there for a while.
As long as Hotword is disabled, saying ‘Ok Google’ displays a dialog that says ‘Voice search has been turned off’. You’ll also notice a camera icon – with a red line through it – in the address bar. To enable Hotword, click the camera icon and select ‘Always allow google.* to access your microphone’. Now, when you’re on the Google search page and say ‘Ok Google’, the browser will start listening for your commands. If you don’t want to enable Hotword, but want to use voice commands, just click the microphone icon.
Note: if you switch away from the Google search tab, Hotword stops listening.
Legitimate concerns?
Here’s where some of the privacy concerns may be legitimate. Even with Hotword disabled, Chrome is clearly still listening: it a) ignores everything you say except ‘Ok Google’, and b) only tells you that voice activation is disabled when you say ‘Ok Google’, but it can only do that if it was processing the microphone audio in the first place. It’s extremely unlikely that Google has any malicious intent here. They are simply trying to make voice control seamless.
For example, I have Cortana on my Windows phone (please keep your snickering to a minimum) and although I don’t use it much, it’s particularly handy for choosing music to play. I love being able to ask Cortana to play a particular song or artist when I’m in the car. There’s just one problem: to get Cortana to listen, I have to press a button on the phone. Microsoft is working on a ‘Hey Cortana’ feature that will allow users to get Cortana’s attention without needing to pick up the phone. Certainly this feature isn’t for people who worry about their privacy, but for the rest of us, it’s just going to be very handy.
General paranoia about Google
There’s a general feeling of distrust towards Google, and it seems to be growing. Google’s spectacular success, and their financial power, make it easy to think of them as just another huge corporation trying to run our lives. Google has certainly made their share of mistakes, and some of that distrust is perhaps warranted. But I think people get carried away with this. Sure, Google wants to make money from us, mostly in the form of advertising. But aside from that, I truly believe that they are just trying to provide excellent products and services. And I think they’re doing a remarkable job.
Opera 30.0.1835.88 released
The latest version of Opera makes further improvements to the extension framework, tab management, bookmark handling and HTML5 video support, improves general stability, and fixes a few bugs. The version 30.0.1835.88 release notes have additional details.
Critical update for Flash
Anyone who uses a web browser with Flash enabled should stop what they’re doing and install the latest Flash update from Adobe. The new version (18.0.0.194) was announced earlier today to address a critical vulnerability (CVE-2015-3113) for which exploits have been observed in the wild.
Note that YouTube no longer uses Flash by default, so if you previously only used Flash for YouTube, you might be able to completely disable it in your browser. YouTube now uses a video player based on HTML5 technology.
Internet Explorer on Windows 8.x and Google Chrome will receive the new version of Flash via their own update mechanisms.
Brian Krebs has additional details on the vulnerability and the update. Krebs also recently wrote about his experiment in trying to live without Flash.
Update 2015Jul01: And just like that, attackers are using this vulnerability to push the Cryptowall ransomware onto computers with unpatched Flash installations.
Chrome 43.0.2357.130 fixes at least four security issues
A new version of Chrome was announced yesterday. Version 43.0.2357.130 is a bug fix release, and includes fixes for four security vulnerabilities.
Big web performance boost expected with WebAssembly
Javascript is the universal programming language of the web. Almost all web sites use it to some extent, including this site (boot13). Although many users (including myself) use Noscript and similar systems to block Javascript when browsing unfamiliar sites, it’s difficult to use many popular sites without it. For example, I spend a lot of time using Google Analytics, and I’ve configured Noscript to allow JavaScript code to run on that site.
One of the problems with JavaScript is that it’s delivered as source text. Before any of it can run, the browser has to download, parse and compile that text, and on script-heavy sites that work is a noticeable part of the load time. (Modern engines compile JavaScript just in time rather than interpreting it line by line, but parsing the text is still expensive.)
Various efforts to speed this up have come and gone without much traction; the best known is asm.js, a restricted subset of JavaScript that engines can compile ahead of time. Now several major browser makers have teamed up to try again. WebAssembly (aka wasm), under development by Mozilla, Microsoft, Google, and Apple, is a compact binary format that browsers can decode and compile far faster than JavaScript source. It is meant as a compilation target for languages such as C and C++, not as a replacement for hand-written JavaScript. It’s too soon to know exactly when WebAssembly will start appearing in web browsers, but we’re hopeful that it will become the new standard when it does.
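As an added example, not code from the post or from the WebAssembly project: the reason a binary format is cheap to consume is that it can be walked with a byte of section id and a length, with no tokenising at all. This Python walker lists the sections of a minimal module that exports one `add` function and decodes its export table. The module bytes and the layout (magic number, version, then sections of id, LEB128 length and payload) follow the binary format as it was eventually standardised; when this post was written the design was still in flux, so treat the constants as a statement about the final format, not the 2015 drafts.

```python
# Constructed minimal module: (i32, i32) -> i32 "add", in the standardised binary format.
MODULE = bytes.fromhex(
    "0061736d" "01000000"                        # magic "\0asm", version 1
    "01" "07" "01" "60" "02" "7f7f" "01" "7f"    # type section: 1 type, func (i32,i32)->i32
    "03" "02" "01" "00"                          # function section: 1 function, type 0
    "07" "07" "01" "03" "616464" "00" "00"       # export section: "add", kind func, index 0
    "0a" "09" "01" "07" "00" "2000" "2001" "6a" "0b"  # code: local.get 0, local.get 1, i32.add, end
)

SECTION_NAMES = {0: "custom", 1: "type", 2: "import", 3: "function", 4: "table",
                 5: "memory", 6: "global", 7: "export", 8: "start", 9: "element",
                 10: "code", 11: "data"}
EXPORT_KINDS = {0: "func", 1: "table", 2: "memory", 3: "global"}


def read_u32_leb(buf: bytes, pos: int):
    """Decode an unsigned LEB128 integer; returns (value, new_position)."""
    result, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift >= 35:
            raise ValueError("LEB128 value too long for u32")


def parse_sections(module: bytes):
    """Return [(id, name, payload)] without interpreting any payload.

    Every section declares its own length, so a reader can skip what it does
    not care about and can reject a module whose sections overrun the file."""
    if module[:4] != b"\0asm":
        raise ValueError("not a wasm module")
    if int.from_bytes(module[4:8], "little") != 1:
        raise ValueError("unsupported version")
    pos, sections = 8, []
    while pos < len(module):
        section_id = module[pos]
        pos += 1
        size, pos = read_u32_leb(module, pos)
        if pos + size > len(module):
            raise ValueError("section overruns module")
        sections.append((section_id, SECTION_NAMES.get(section_id, "unknown"),
                         module[pos:pos + size]))
        pos += size
    return sections


def parse_exports(payload: bytes):
    """Decode an export section: [(name, kind, index)]."""
    count, pos = read_u32_leb(payload, 0)
    exports = []
    for _ in range(count):
        name_len, pos = read_u32_leb(payload, pos)
        name = payload[pos:pos + name_len].decode("utf-8")
        pos += name_len
        kind = payload[pos]
        pos += 1
        index, pos = read_u32_leb(payload, pos)
        exports.append((name, EXPORT_KINDS.get(kind, "unknown"), index))
    return exports


def is_well_formed(module: bytes) -> bool:
    try:
        parse_sections(module)
        return True
    except (ValueError, IndexError):
        return False


if __name__ == "__main__":
    for section_id, name, payload in parse_sections(MODULE):
        print(section_id, name, len(payload), parse_exports(payload) if section_id == 7 else "")
```

Contrast this with JavaScript, where nothing about a file can be known until it has been fully tokenised and parsed; here the reader knows every section boundary after a handful of byte reads, which is where most of the promised speed-up comes from.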
Bruce Schneier talks about the Cloud
Noted security expert Bruce Schneier provides some insight into the Cloud, weighing its benefits against its drawbacks. Like me, he limits his personal use of the Cloud, but his company both uses and provides Cloud services. Part two of a three part series about the Cloud.
Web-based password manager LastPass hacked
One of the more popular online password managers has been hacked. LastPass’s servers were breached and user data stolen, including e-mail addresses, password reminders, per-user salts, and the hashed authentication data derived from users’ master passwords.
According to LastPass staff, your stored passwords are still secure: the encrypted password vaults were not taken, and the stolen authentication hashes are salted and strengthened with many rounds of PBKDF2 (LastPass cites 100,000 rounds server-side on top of the rounds performed in the browser), so turning them back into master passwords is expensive. Analysts have confirmed that the risk to LastPass users is minimal, mostly because of these safeguards, although a weak or reused master password remains guessable.
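To show why the stolen data is hard to use and what an attacker can still do with it, here is an added Python model; it is not LastPass’s code, and the iteration counts and salt handling are assumptions standing in for the design LastPass described (client-side PBKDF2 to derive a vault key, a one-round hash of that key sent as the login credential, then more PBKDF2 rounds with a per-user salt on the server). The attacker in `offline_attack` holds exactly what was reported stolen: the e-mail address, the salt and the server-side hash.

```python
import hashlib
import hmac
import os

# Assumed iteration counts for the example (the published defaults were 5,000
# client-side rounds and 100,000 server-side rounds at the time).
CLIENT_ROUNDS = 5000
SERVER_ROUNDS = 100000


def client_derive(email: str, master_password: str):
    """What the browser extension computes locally.

    The vault key never leaves the client; only the one-round hash of it is
    sent as the login credential, so the server cannot decrypt the vault."""
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                    email.lower().encode("utf-8"), CLIENT_ROUNDS, 32)
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key,
                                    master_password.encode("utf-8"), 1, 32)
    return vault_key, auth_hash


def server_enroll(auth_hash: bytes, salt: bytes = None):
    """Server-side storage: a random per-user salt and a further slow hash.
    This (salt, stored_hash) pair is what a breach exposes."""
    salt = salt or os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS, 32)
    return salt, stored


def server_check(record, auth_hash: bytes) -> bool:
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS, 32)
    return hmac.compare_digest(stored, candidate)


def iterations_per_guess() -> int:
    """Work an attacker must do per candidate master password."""
    return CLIENT_ROUNDS + 1 + SERVER_ROUNDS


def offline_attack(record, email: str, wordlist):
    """Attacker holding the stolen record plus the e-mail address. Each guess
    costs iterations_per_guess() PBKDF2 iterations; returns (password, tries)
    or (None, tries) if the wordlist is exhausted."""
    tries = 0
    for guess in wordlist:
        tries += 1
        _, auth_hash = client_derive(email, guess)
        if server_check(record, auth_hash):
            return guess, tries
    return None, tries


if __name__ == "__main__":
    vault_key, auth_hash = client_derive("user@example.com", "password123")
    record = server_enroll(auth_hash)
    print(offline_attack(record, "user@example.com", ["letmein", "qwerty", "password123"]))
```

Two things follow from the model. A strong master password is safe because the attacker must pay roughly 105,000 PBKDF2 iterations per guess with no shortcut; a master password that appears in a wordlist is not, which is why changing it is still the right move. And because the vault key is never sent, even a correct guess does not hand the attacker the vault without the encrypted vault data as well.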
Still, if you use LastPass, you should immediately change your master password. You will in fact be prompted to do so when you log in.
Although LastPass had effective safeguards in place, the fact that they were hacked (again) leaves me wondering whether it’s ever a good idea to use any Internet-based password manager. I strongly recommend using an offline password manager like the excellent Password Corral or Password Safe. Both are freeware.
Ars Technica and Brian Krebs have more details on the hack and its implications for users.