Category Archives: Firefox

Easily view pages with default colours and fonts in Firefox

I’m a fan of Firefox’s ‘Reader Mode’ feature, because it allows me to read web pages that use light text on dark backgrounds. My eyes have always been pretty good, but in recent years I’ve noticed that reading white text on a black background gives me blurry vision within a few minutes. All I have to do is click the Reader button, and I see a nice, clean view of the page, with black text on a white background.

Unfortunately, Firefox’s Reader mode is only available for some pages. I’ve yet to discern a pattern. For example, the home page of this site (boot13) doesn’t show the Reader button, but navigating to an individual post, or to one of the post archive pages or category pages does.

Luckily, I stumbled across a Firefox add-on that does what I want: Page Colors & Fonts Buttons. There’s not much to the add-on; it simply adds two buttons to the toolbar: one to toggle the default colours off and on, and another to toggle the default fonts off and on. It doesn’t give you the fancy view you get with Reader mode, but it does work on any page.

Any Firefox user who’s ever had trouble reading text on a web page should install this add-on. Highly recommended.

Firefox 44.0 released

With traditional (aka standard, normal, common, sensible) software version numbering, moving from version 43 to version 44 would normally signal big changes and (hopefully) improvements. This is no longer the case with Mozilla’s version numbering scheme for Firefox.

Case in point is Firefox 44.0, made available by Mozilla on January 26. According to the release notes, there are no major new features. A few bugs were fixed, including about twelve security issues. Many of the changes are related to encryption and video handling. Several improvements to the developer tools also made it into this release.

In other words, there’s really nothing in this release that makes it worthy of a major new version number (44). How is Mozilla making these decisions? Your guess is as good as mine.

Meanwhile, of course – and despite assurances from Mozilla – this release, somehow worthy of a major new version number, was not even announced by Mozilla. At least not anywhere I looked. I discovered the new version because of (yet again) a post on the US-CERT site.

More Flash updates

The latest version of Flash is 20.0.0.286, for most browsers. Microsoft Edge and Internet Explorer on newer versions of Windows are apparently still stuck at Flash 20.0.0.272.

Sadly, the information on the Adobe site related to these updates is inconsistent, confusing, or just missing.

The About Flash page doesn’t seem to agree with the announcement page. The former shows “Internet Explorer (embedded – Windows 8.x) – ActiveX 20.0.0.286”, while the latter shows “Flash Player 20 for Internet Explorer on Windows 8.1: 20.0.0.272”.

The Flash runtime announcement says “Security update details can be found here: Security Bulletin (APSB16-01)”. But the APSB16-01 bulletin is for the previous Flash updates. The linked URL is also wrong; it points to an even older bulletin: APSB15-32. And to top it off, the security bulletin that should exist (APSB16-02) for this update currently generates an error.

Hopefully Adobe will fix this mess ASAP.

Meanwhile, although the announcement doesn’t mention any security fixes in the new versions, it’s safe to assume they exist, so you should update Flash in any browser where it’s enabled.

As usual, Internet Explorer on new versions of Windows will receive these updates via Windows Update, and Chrome will get its new Flash automatically.

Update 2016Feb02: I reported the announcement and bulletin problems (noted above) to the author of the announcement. He replied that the About page would be fixed, and that he had fixed the link to the bulletin on the announcement page. Unfortunately, that link now goes to the bulletin for the previous Flash release. The author claims that bulletin still applies, but it really doesn’t, since it recommends the previous version of Flash.

Update 2016Feb04: According to the author of the announcement, there were effectively no changes in this Flash update. Certainly there were no security fixes. A link to the previous security bulletin was included simply because it was the most recent bulletin. The link text will be changed to make this more clear.

Firefox 43.0.4 re-enables SHA1 certificates

Well, that didn’t last long. Firefox 43.0.3 disabled SHA1 security certificates, but that caused a lot of problems for some users, and Mozilla has rolled back the change in the new Firefox 43.0.4. Most users won’t notice the difference, but if you started having problems browsing secure web sites after installing 43.0.3, that issue should be resolved with 43.0.4.

Firefox 43.0.4 also fixes a crashing bug affecting some users, and at least one other change is documented in the release notes.

Incidentally, there wasn’t a proper announcement for the new version. The closest we got was a post on the Mozilla security blog about the SHA1 reversal, which doesn’t mention Firefox version identifiers at all.

Firefox 43.0.2

Firefox 43.0.2 was released on December 22, with no announcement at all. I learned about the new version when my copy of Firefox offered to update itself. The release notes say only that the new version includes a new security certificate for Windows. The notes also mention “Various stability and security fixes”, but the linked Security Advisories page lists security fixes for all of Firefox 43. Presumably at least one security issue was fixed in 43.0.2, but it’s not clear.

Firefox 43.0.1

A single minor change seems to be the only reason for the Firefox 43.0.1 release yesterday. The release notes describe the change as preparation “to use SHA-256 signing certificate for Windows builds”. This does not appear to be a security-related change, so there’s no hurry to update.

Mozilla has improved the look of Firefox’s release notes pages, but there has been no functional improvement. For instance, while there is a link to the ‘complete list of changes’, that link goes to the Bugzilla bug tracking system, which is not easy to parse for non-technical users. Worse, it shows all changes in Firefox 43, not just 43.0.1, and there’s no way to search for changes to 43.0.1 only.

As usual, there was no proper release announcement for this version. There wasn’t even a vaguely-corresponding post on the Mozilla blog.

On my test computer, when the Firefox 43.0.1 update finished installing, Firefox displayed a web page with a brief video and an underlying announcement, about Firefox 43’s new privacy features, and ‘new’ Pocket integration. Which seems weird, because Pocket integration was also announced for Firefox 38.0.5 in June.

In other Firefox-related news, Mozilla recently pointed to an announcement from Netflix in a blog post titled ‘Firefox Users Can Now Watch Netflix HTML5 Video on Windows’. This is an important change, because it’s no longer necessary for Firefox users to install and use Flash to watch Netflix content.

64-bit Firefox finally arrives

Something I neglected to mention about the recent Firefox 43 release: there is finally an official, 64-bit version of the browser. There have been unofficial and/or experimental 64-bit versions in the past, but they were abandoned for various reasons and never made it to prime time.

Those of you with modern computers who are running a 64-bit operating system have the option of installing the 64-bit Firefox or sticking with the traditional 32-bit version. The two versions look and act exactly the same, and I don’t think it’s likely that any particular advantage will be gained by switching to the 64-bit version. However, some people (you know who you are) are excited about this long-promised Firefox version.

Firefox 42 improves private browsing, fixes numerous bugs

Mozilla seems determined to keep us guessing with new versions of Firefox. New versions that are not assigned a major new version number (e.g. 41, 42) are not announced in any way. When a new version is (apparently arbitrarily) assigned a major new version number, Mozilla publishes a post on the Mozilla blog. This post never includes any mention of the new version identifier, and typically doesn’t even say that there’s a new version.

For example, the post associated with Firefox 42 says this: “We’re releasing a powerful new feature in Firefox Private Browsing called Tracking Protection” and “We hope you enjoy the new Firefox!” What new version? When will it be released? We’re left guessing the answers to these rather obvious questions.

According to the release notes for Firefox 42, it was released on November 3. The Mozilla blog post describes changes to Firefox’s Private Browsing mode, including the new Tracking Protection, which “actively blocks content like ads, analytics trackers and social share buttons that may record your behavior without your knowledge across sites.”

Firefox 42 adds a small speaker icon that appears next to the caption for any tab that’s currently playing audio. You can mute a tab’s audio by clicking the speaker icon. The Login Manager has been improved in several ways. Performance has also been beefed up for sites that perform a lot of restyling. HTML5 support was improved.

Firefox 42 includes fixes for at least eighteen security bugs, according to the Security Advisories page. Recommendation: update Firefox to version 42 as soon as possible.

October Security Roundup

You probably shouldn’t rely on the security of your encrypted email. Even if you’re using current encryption technologies, certain conditions may arise during transit that cause your message to be transmitted in plain text.

There’s a well-reasoned response to a common question about the responsibility of Certificate Authorities over on the Let’s Encrypt blog. These fine folks will soon be providing free HTTPS certificates to the world, so they’ve been answering a lot of questions about how their service will work.

There’s going to be a minor apocalypse, starting January 1, 2016. On that date, Certificate Authorities will stop issuing certificates that use the SHA1 hash algorithm. SHA1 is now considered too weak for use, and is being phased out in favour of SHA2, which is much stronger. Just one problem: people stuck using older browser software and devices will lose their ability to access secure web sites and use those devices. There’s more technical nitty-gritty over at Ars Technica.

Symantec hasn’t done enough to clean up its Certificate Authority activities, according to Google. This follows the discovery that Symantec employees were issuing unauthorized certificates. Google has warned Symantec to provide a proper accounting of its CA activities or face the consequences.

A critical vulnerability in the blogging platform Joomla was discovered in October. The bug exists in all versions of Joomla from 3.2 onward. A patch was developed and made available, and anyone who manages a Joomla 3.x-based site is strongly advised to install the patched version (3.4.5) as soon as possible.

It’s increasingly dangerous to be a computer security researcher. New agreements could even make the work illegal in some regions.

Flaws in many self-encrypting external hard drives from Western Digital mean their encryption can be bypassed, according to researchers.

Google made it easier to determine why a site is flagged as unsafe, adding a Safe Browsing Site Status feature to their Transparency Report tools.

Mozilla is following the lead of Google and Microsoft, and plans to all but eliminate support for binary plugins in Firefox by the end of 2016. Binary browser plugins for Java, Flash, and Silverlight provide convenience but are a never-ending security headache. There’s one exception: Mozilla will continue to support Flash as a Firefox plugin for the foreseeable future.

The FBI teamed up with security vendors to take down another botnet in October. The Dridex botnet mainly targeted banking and corporate institutions, gathering private data and uploading it to control servers.

Cisco researchers, working with Limestone Networks, disrupted a lucrative ransomware operation in October.

A stash of thirteen million user names and plain text passwords was recently obtained by a security researcher. The records were traced to 000Webhost, an Internet services provider.

The Patreon funding web site was breached, and private information about subscribers, including encrypted passwords and donation records, was published online. Source code was also stolen, which may make decrypting the passwords much easier.

Researchers discovered numerous iPhone applications that collect and transmit private user information, in violation of Apple’s privacy policies. These apps apparently made it into the App Store because of a loophole in the validation process.

87% of Android-based devices are vulnerable to security exploits. Google develops Android updates quickly enough, but phone makers are typically very slow to make updates available to users.

New Android vulnerabilities, dubbed ‘Stagefright 2.0’ by researchers, were announced in early October. As many as a billion Android devices are vulnerable, and although patches were made available by Google, they may take weeks or months to find their way to individual devices.

A malicious Android adware campaign tricks unwary users into installing apps that appear to be from trusted vendors. These apps use slightly-modified icons of legitimate apps to fool users.