Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.
Apparently a new version of Adobe Shockwave was released on July 1, 2014. The new version is 12.1.3.153.
The main welcome/download page for Shockwave shows the latest version and provides a test that shows the version you’re currently running. If you’re not running the latest version, you can download and install it from that page. The Shockwave Player Help page does much the same thing.
Adobe’s web resources for Shockwave are appallingly bad. The list of security updates is over a year out of date. The most recent update listed is for version 12.1.0.150. The official Shockwave version history is even worse, as it hasn’t been updated since 2007! There doesn’t seem to be any kind of an update alert mechanism such as an RSS feed, although with the information so out of date, that wouldn’t really help.
Numerous versions of Microsoft's XML library (MSXML) are available for Windows, and any or all of them can be installed at the same time on Windows PCs. Some versions are no longer supported by Microsoft, and updates for those older versions won’t appear in Windows Update.
Because of this, many Windows PCs contain versions of this library that have security vulnerabilities.
Microsoft’s documentation on the XML library is confusing and incomplete. For what it’s worth, here are a couple of links to said documentation:
We recommend installing and running Secunia’s PSI, which scans for out-of-date software, including Microsoft’s XML libraries. PSI also helpfully provides links to download any missing updates.
Update 2014Jul30: A reader pointed out that getting MSXML4 up to date is not a simple task. Here’s what you need to know:
The most up-to-date MSXML4 is a patched version of MSXML4 SP3, specifically 4.30.2117.0.
Windows Update won’t offer newer updates for MSXML4 if the version on your computer is SP2. This is the basic problem pointed out by Secunia.
To get the most recent MSXML4 on your computer, you have to manually download and install MSXML4 SP3, then run Windows Update, which should show this update: Security Update for Microsoft XML Core Services 4.0 Service Pack 3 (KB2758694). Once you install that update, you should be running MSXML4 SP3 version 4.30.2117.0.
Even after you’re running the most recent version of MSXML4, Secunia PSI will tell you it needs to be updated. That’s because Secunia has decided to report MSXML4 as ‘end-of-life’ (which it is) and direct users to MSXML6 instead. There are two problems with this: first, installing MSXML6 will not remove any earlier versions, including MSXML4; second, Microsoft recommends leaving MSXML4 in place as long as it’s up to date. The upshot is that unless you manually remove all remnants of MSXML4, PSI will keep telling you to install MSXML6, even if it’s already installed.
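To confirm the result of the steps above without relying on PSI's end-of-life warning, you can read the version straight from the DLLs. The following PowerShell is an added example, not part of the original post; it assumes the MSXML DLLs are in the standard Windows system directories and uses the 4.30.2117.0 target stated above.

```powershell
# Added example: list installed MSXML DLLs and compare MSXML4 against the
# patched SP3 version named in the post (4.30.2117.0).
$patched = New-Object System.Version -ArgumentList 4, 30, 2117, 0

# Assumption: MSXML lives in the Windows system directories
# (SysWOW64 holds the 32-bit copies on 64-bit Windows).
$dirs = "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64" |
    Where-Object { Test-Path -LiteralPath $_ }

$results = foreach ($dir in $dirs) {
    Get-ChildItem -LiteralPath $dir -Filter 'msxml*.dll' -ErrorAction SilentlyContinue |
        # Keep msxml.dll, msxml3.dll, msxml4.dll, msxml6.dll; skip resource DLLs (msxml4r.dll)
        Where-Object { $_.Name -match '^msxml\d?\.dll$' } |
        ForEach-Object {
            $vi = $_.VersionInfo
            # Build the version from numeric fields; the FileVersion string
            # may carry extra text that does not parse as a version.
            $ver = New-Object System.Version -ArgumentList `
                $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

            $status = if ($_.Name -ne 'msxml4.dll') {
                'other MSXML version (not assessed here)'
            } elseif ($ver -lt $patched) {
                'MSXML4 OUTDATED: install MSXML4 SP3 manually, then KB2758694 from Windows Update'
            } else {
                'MSXML4 at patched SP3 level'
            }

            [pscustomobject]@{
                Path    = $_.FullName
                Version = $ver.ToString()
                Status  = $status
            }
        }
}

if ($results) {
    $results | Sort-Object Path | Format-Table -AutoSize -Wrap
} else {
    'No MSXML DLLs found in the system directories.'
}
```

A 32-bit PowerShell session on 64-bit Windows sees SysWOW64 under both directory names, so the same file may be listed twice.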
It looks like Microsoft really won’t be bringing the Start menu back to Windows 8, and will instead try to win users back with the next version of Windows. One wonders whether Microsoft should just skip every other Windows release, given their track record.
The Verge has leaked screenshots of Windows 9’s Start menu, and it appears to be an amalgamation of features from Windows 8 and Windows 7, with the right half of the menu showing pinned ‘Metro’ style apps.
By now you’re probably sick of hearing the password mantras “use long, complex passwords”, and “don’t reuse specific passwords for multiple accounts”. Sick or not, that advice is still valid, and anyone who signs in to online services should be following it.
But you can make your online life a bit easier if you give some thought to the risk associated with each account you’re trying to protect. A password used to access an obscure web forum doesn’t need to be as complex (and difficult to remember) as the password for your online bank account.
Researchers from Microsoft and Carleton University have done the math, and conclude that this risk-based approach is sound.
We still strongly recommend the use of an offline password manager such as Password Corral or Password Safe. But at least now you can consider using easier-to-remember passwords for some accounts.
Thanks once again to organizations like CERT and SANS, this morning I was alerted to a new version of Firefox.
Version 31 includes fixes for security vulnerabilities and other bugs, and adds several features, none of which is likely to be of much interest to anyone except developers.
The upshot? That even the mighty Google can be shamed into fixing things. Okay, folks, let’s all start screaming about the ridiculous lack of a bookmark sidebar in Chrome. Maybe if we make enough noise, that long-requested feature will finally appear.
A whopping 26 security vulnerabilities are addressed in the latest version of Google’s web browser. The new version also includes fixes related to stability and performance, and adds some minor features. The official announcement has all the details.
Researchers at the University of California, Berkeley tested several popular web-based password managers and found serious vulnerabilities.
Although it’s a good idea to use password management software, any web-based service is going to be a tempting target for nefarious persons, since discovering one password will typically open a treasure trove of additional passwords.
Oracle published its most recent quarterly Critical Patch Update bulletin on Wednesday. The bulletin describes updates to most of Oracle’s products, including its flagship database software, but the updates of interest to most people are those related to Java.
As usual, given the severity of the vulnerabilities fixed by these new versions, you are strongly encouraged to update as soon as possible, particularly if you are using a Java-enabled web browser. Brian Krebs has more.
A set of fraudulent security certificates was identified by security researchers at Google on July 8. The certificates were issued by an authority in India, and trusted by the Microsoft Root Store. That means the bogus certificates potentially impact anyone using certain Windows applications, and especially Internet Explorer.