Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.

All posts by jrivett


Firefox 37 released

A new version of Firefox was announced yesterday by Mozilla. Yes, you read that correctly: a post on the Mozilla blog announced new versions of Firefox for all platforms. Of course, the announcement doesn’t mention the new version number, and it doesn’t provide any details; it just points to the release notes. Still, it’s progress!

According to the release notes for Firefox 37.0, the new version includes several changes related to security, including ‘improved protection against site impersonation’, and several fixes related to recently-discovered TLS vulnerabilities. WebGL rendering performance on Windows was improved. HTML5 support was also enhanced.

According to the Firefox Security Advisories page, at least 13 security vulnerabilities were fixed in Firefox 37.0.

Update: As of April 1 at 6:53am PST, the version of Firefox I’m currently using (36.0.4) is telling me that ‘Firefox is up to date’. It looks like someone may have forgotten a step when publishing version 37.0. Presumably this will be resolved shortly. If I visit the main Firefox download page, it tells me I’m using an older version of Firefox, and the download link definitely goes to Firefox 37.0.

Update 2015Apr02: According to sources on the official Firefox IRC channel, auto-updates for version 37 have been suspended while the developers look into a crashing problem being reported by some Windows 8 users.

More fun with names from Microsoft

Microsoft sure likes to keep people confused, don’t they? Most recently, they decided to designate the next version of Windows ’10’ instead of the otherwise completely sensible ‘9’ (being as it comes after 8).

Now, there’s a new chapter in the saga of ‘what the heck should we call applications that use the goofy new Start screen in Windows?’ Originally these applications were called ‘Metro apps’, to match the name of the new UI, Metro. Then they started calling them ‘Windows 8-style apps’. Then ‘Modern apps’. Then ‘Windows Store apps’. And then ‘Universal apps’. As of today, Microsoft has changed their collective minds once again, and now these Windows applications will be known as: ‘Windows apps’.

It would be fun to tally up what it has cost Microsoft to come up with the idea of calling Windows applications ‘Windows apps’.

Malvertising is a growing threat

If you’re not familiar with the term, you should be. ‘Malvertising’ refers to the increasingly common tactic whereby malicious persons include exploit code within what otherwise appears to be legitimate, web-based advertising.

Over on eWEEK, a recent post (Why ‘Malvertising’ Has Become a Pervasive Security Risk) explains why Malvertising is a real and growing threat.

Organizations that provide advertising platforms – including Google – need to deal with this threat quickly. If they don’t, there’s likely to be a surge in users installing ad-blocking software in their browsers. I personally use and recommend NoScript, a browser plugin that blocks all JavaScript (and with it most malvertising) by default.

Chrome 41.0.2272.101 released

On March 19, Google announced version 41.0.2272.101 of its Chrome web browser. The announcement doesn’t describe any changes, and only says that a ‘partial list of changes is available in the log’. The log is derived from the Git version control system used by Google to manage Chrome’s source code. As such, it’s difficult to parse for significant changes. It appears that only minor changes were made in Chrome 41.0.2272.101.

Firefox 36.0.3 fixes two security bugs

Two security vulnerabilities, discovered at the HP Zero Day Initiative Pwn2Own contest, have been fixed in Firefox 36.0.3.

As usual, there was no proper announcement for the new version. The release notes for 36.0.3 include changes made in previous versions, as you can see by comparing them to the release notes for 36.0.1. At least the changes specific to 36.0.3 are flagged as such.

The Security Advisories (aka Known Vulnerabilities) page now has a section for each version; the most recent changes are listed under the heading ‘Fixed in Firefox 36.0.3’.

FREAK vulnerability affects Windows, Mac, mobiles

It’s been about two weeks since the FREAK vulnerability was first reported. The flaw itself has existed for at least ten years, and we now know that it affects mobile devices, Mac OS X, and Windows.

From the related US-CERT alert:

FREAK (Factoring Attack on RSA-EXPORT Keys CVE-2015-0204) is a weakness in some implementations of SSL/TLS that may allow an attacker to decrypt secure communications between vulnerable clients and servers.

Google has released an updated version of its Android OS and Chrome browser for OS X to mitigate the vulnerability. Microsoft has released a Security Advisory that includes a workaround for supported Windows systems.

It’s now clear that this is a teaching moment for the Internet. The FREAK flaw exists because of the ridiculous (and short-lived) insistence by the US government that encryption software designated for export be made deliberately weak. The imposed restrictions ended, but the code involved in switching between strong and weak encryption remained. This intentional weakening of encryption is similar to the kind of ‘golden key’ (back door) for which intelligence organizations are currently clamouring. The lesson: Encryption Backdoors Will Always Turn Around And Bite You In The Ass. Bruce Schneier calls this a ‘security rollback’. The Economist puts it succinctly, “…mathematics applies to just and unjust alike; a flaw that can be exploited by Western governments is vulnerable to anyone who finds it.”

Update 2015Mar19: Researchers determine that exploiting the remaining vulnerable systems is much easier than originally estimated. Thousands of iOS and Android apps are vulnerable.
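The US-CERT description above boils down to a server ending up on one of the old RSA-EXPORT cipher suites. As an added example (not from the original post, Mozilla, Microsoft or US-CERT), here is a defender-side check that parses a captured TLS ServerHello record and flags whether the negotiated suite is export-grade; the suite IDs come from the TLS cipher suite registry, and the records fed to it are constructed sample data.

```python
"""Flag TLS ServerHello messages that negotiate an export-grade cipher suite."""
import struct

# Export-grade suite IDs from the TLS registry; the RSA_EXPORT ones are what FREAK abuses.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE, SERVER_HELLO = 0x16, 0x02


def parse_server_hello(record: bytes) -> dict:
    """Parse a TLS record holding a ServerHello; return the version and chosen suite."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 35:                       # 2 (version) + 32 (random) + 1 (session id len)
        raise ValueError("truncated ServerHello")
    version = struct.unpack(">H", hello[0:2])[0]
    sid_len = hello[34]
    pos = 35 + sid_len                        # cipher suite follows the session id
    if len(hello) < pos + 3:
        raise ValueError("truncated ServerHello")
    suite = struct.unpack(">H", hello[pos:pos + 2])[0]
    return {"version": version, "cipher_suite": suite,
            "export": EXPORT_SUITES.get(suite)}


def is_export_downgrade(record: bytes) -> bool:
    """True if the server selected an export-grade suite (a FREAK-style downgrade)."""
    return parse_server_hello(record)["cipher_suite"] in EXPORT_SUITES


def build_server_hello(suite: int, version: int = 0x0303) -> bytes:
    """Construct a minimal ServerHello record for testing (sample data, not real traffic)."""
    hello = (struct.pack(">H", version) + b"\x11" * 32 + b"\x00"   # version, random, empty session id
             + struct.pack(">H", suite) + b"\x00")                  # cipher suite, null compression
    hs = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + struct.pack(">H", version) + struct.pack(">H", len(hs)) + hs
```

Running the check over the ServerHello side of captured handshakes is enough to spot a downgrade, since the export suite ID is sent in the clear before any key exchange.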

Domain registration information leaked by Google

If you’ve registered domains using the Google Apps for Work service, there’s a good chance your registration (WHOIS) information is now available to unscrupulous persons.

Apparently a software defect in Google Apps started leaking the registration info (names, phone numbers, physical addresses, e-mail addresses, etc.) in mid-2013. The defect was recently discovered by a security researcher. Google acted quickly to stop the leaking, but for many, the damage has already been done.

If your information was leaked, you’ll likely start seeing an increase in spam to associated email addresses. The information may also be used in spear phishing attacks.

Note that while domain registration information is public, most domain registrars (including Google Apps) allow for this information to be hidden or only accessible indirectly. This likely encouraged many registrants to use accurate information, making the leak that much worse.

EMET 5.2 released by Microsoft

A new version of the Enhanced Mitigation Experience Toolkit (EMET) was announced by Microsoft on March 12. EMET is an application that provides an additional level of security for Windows systems by detecting and blocking specific types of application behaviour that are associated with malware.

Version 5.2 of EMET adds new features for Windows 8.1 (and up), and for Internet Explorer.

EMET is highly recommended for Windows computers. You can obtain it from the main EMET page.

Update 2015Mar17: If you downloaded EMET 5.2 before March 16, you may have noticed that Internet Explorer on Windows 8.1 stopped working. Microsoft has re-released EMET 5.2 to address this problem.