Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.

All posts by jrivett


Patch Tuesday for November 2014

Yesterday Microsoft released fourteen updates, addressing 33 CVEs in Windows, Internet Explorer, Office, .NET, Internet Information Services, Remote Desktop Protocol, Active Directory Federation Services, Input Method Editor, and Kernel Mode Driver. Four of the updates are flagged as Critical. You can find all the details in the main bulletin.

Two of the expected sixteen updates (MS14-068 and MS14-075) were held back by Microsoft, with release dates for those updates now being shown as ‘Release date to be determined’.

In keeping with its new monthly update policy, Adobe released a new version of Flash yesterday. Flash 15.0.0.223 addresses several security vulnerabilities in previous versions.

Brian Krebs has additional analysis of these updates.

Update 2014Nov15: One of the updates in this batch addresses a serious vulnerability that exists on all versions of Windows. MS14-066 fixes a bug in the way secure connections are handled by the Microsoft secure channel (schannel) security component. Most of the focus has been on Windows servers, especially those running Microsoft’s web server software, Internet Information Services (IIS). However, according to some sources, any Windows computer that is configured to accept secure network connections is potentially vulnerable. Recommendation: if you’re running any Internet-facing service on a Windows computer, install this patch ASAP. Ars Technica has additional details.

Update 2014Nov15: Another of this month’s patches (MS14-064) addresses problems with a previous patch (MS14-060). McAfee has a detailed breakdown of the problems with MS14-060.

Update 2014Nov19: MS14-068 was released.

Update 2014Nov26: Apparently the MS14-066 update caused problems for some Windows servers. Microsoft added a workaround to the update bulletin that should resolve one of the problems, but has yet to acknowledge the performance problems reported in SQL Server and IIS. InfoWorld has additional details.

Firefox 33.1 adds ‘Forget’ button

Another new version of Firefox was released yesterday: 33.1.

According to the release notes, new features in version 33.1 include a ‘forget’ button, and the ability to use DuckDuckGo as the default search engine. These changes are in keeping with Mozilla’s push to improve privacy in the browser: the Forget button allows the user to remove cookies and history related to recent browsing, and DuckDuckGo’s search engine does not remember searches.

As usual, there was no formal announcement. There was an associated post on the main Mozilla blog, but that post makes no reference to the new version.

On a more positive note, the What’s New section of the release notes for this version have been pruned down to show only changes in this version, although the link to ‘all changes’ still shows about 3500 Bugzilla items, making it essentially useless.

Adjusted numbers show Windows 8 is actually doing as well as Windows XP

Ars Technica’s monthly look at operating system and browser market share was delayed slightly this month as they investigated an unexpected blip in the numbers for Windows 8 and XP. It turns out that the new numbers really are more accurate, and they show that Windows 8 isn’t doing quite as badly as previously thought. In fact, Windows 8 is doing about as well as the ancient and no longer supported Windows XP.

Advance notification for November Patch Tuesday

Next Tuesday Microsoft plans to publish 16 Security Bulletins, five of which are flagged as Critical. The updates affect Windows, Internet Explorer, Office, Exchange, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD).

Firefox 33.0.3 released

The latest version of Firefox apparently fixes two more bugs related to hardware incompatibility. According to the release notes, version 33.0.3 was released on November 6. There was as usual no formal announcement of the new version. I discovered it only because Firefox popped up a message about it.

Firefox 33.0.3 doesn’t appear to include any fixes related to security, so this is not an urgent update.

Despite some improvements, the release notes for Firefox are still a hopeless jumble of old and new changes. The link to the ‘complete list of changes in this release‘ displays a list of over 3400 issues, most of which are not specifically related to version 33.0.3.

Serious vulnerability in WordPress e-commerce plugin

One of the more popular WordPress e-commerce plugins is WP eCommerce.

Recently, security researchers discovered a vulnerability that could allow attackers to obtain private data from WordPress sites that use the plugin.

The plugin’s developers released a new version that fixes the vulnerability. Anyone who manages a WordPress site that uses this plugin should install the new version (3.8.14.4) immediately.

Facebook gives Tor a huge boost

Tor (The Onion Router) is a software toolkit that can be used to make your Internet-based communication more secure. It’s been getting a lot more attention since the Snowden leaks, as most people are uncomfortable with the knowledge that the NSA is spying on everyone.

Of course, the NSA and its supporters characterize Tor as a tool for criminals and terrorists, but in fact it’s used by plenty of regular folks who just want some privacy on the ‘net. Certainly there are some people who use Tor to hide criminal activity, but those people also use telephones.

Note that if Tor is used improperly, it won’t completely hide your Internet activity. It also adds overhead to network communications, making browsing somewhat slower. Worse, many Internet-based services and sites now detect the use of Tor, and limit or block Tor connections. As a result, Tor has been falling out of favour lately.

Now Facebook, in a move that seems to have surprised everyone, has decided to back Tor in a big way. A version of Facebook is now available via Tor. This move has the potential to propel Tor into wider use, and sets a standard for the general acceptance of Tor by large service providers. Whether Facebook actually turns out to be the ‘killer app’ for Tor remains to be seen.