The announcement for Chrome 48.0.2564.103 doesn’t shed any light on what’s new, but it does point to the (mercifully brief) change log, which lists about twenty-seven changes. None of the changes are particularly noteworthy, but several address crashing problems.
Chrome typically updates itself within a day of any new release.
There don’t seem to be any security fixes in the latest version of the Chrome browser, 48.0.2564.97.
The announcement doesn’t include any details to speak of. The full change log lists sixty-eight changes, most of which are minor bug fixes. A few of the changes are related to stability and performance.
There’s also a related post on the Chrome blog. Most of that post is about new features related to mobile users, so it may not be of much interest.
On most computers, Chrome will silently update itself to the new version.
According to the announcement, Chrome 48.0.2564.82 includes 37 security fixes, as well as an unstated number of other fixes and improvements. Looking at the full log (basic list view), I count 8044 separate changes.
A few minor bug fixes prompted the release of Chrome 47.0.2526.111 on January 13. None of the fixes are related to security. In most cases, Chrome will update itself automatically to the new version.
The change log has all the technical details, and since there are relatively few changes, the log probably won’t crash your browser when you try to look at it. You can also view the changes in the log in an easier to read format.
Chrome is a pretty good browser. I recommend it with few reservations. I even use it myself. But my use of Chrome is limited to a few sites that just work better in Chrome than in Firefox – at least for me.
The main reason I don’t use Chrome for most of my browsing, despite the fact that I really don’t want to use Firefox either, is the lack of a sidebar. No feature is more frequently requested for Chrome. And yet Google has resisted adding one.
Why is a sidebar such a big deal? Like many other people, I use the sidebar to show my bookmarks, in a nested tree format. This is an extremely efficient way to manage a lot of bookmarks. There’s just not enough room in the horizontal toolbar to do this; I can add folders and subfolders to the toolbar to create a drop-down menu effect, but I want the bookmarks I’m currently working with to stay on the screen and not disappear when I click one.
And I’m not the only one. Just look at the comments and votes for this bug in Chrome’s bug tracking system, and in this post in the Chrome support forum.
If you look at that bug, you’ll see that Google started the work to add a sidebar. But they must have run into a big problem, because today the bug was updated to the status ‘WON’T FIX’. That means we are unlikely to ever see a sidebar in Chrome. The update provides very little explanation, and points to the general Chrome FAQ. Presumably what they are referring to is the word ‘simplicity’ in the second point.
And so concludes another chapter in my love-hate relationship with Google. I think Google is terrific, and I depend on their services, but this is a huge disappointment.
Update: the WebKit-based Opera browser also doesn’t include a useful bookmark sidebar, but I’ve just discovered a sidebar extension called V7 Bookmarks, and so far I’m loving it. It looks like Opera will be my new main browser when I finally can’t stand Firefox’s bloat and instability any more.
Two security issues were fixed in the newest version of Chrome, 47.0.2526.106. The full change log is mercifully light for this update, and shows that this is a bug fix release.
Adobe’s plans to phase out Flash continue. Early in 2016, the software used to create Flash video will be renamed from Flash Professional to Adobe Animate CC. The new software will still be able to produce Flash videos, but it will focus more on HTML5 video.
The ubiquitous and notoriously insecure Flash player – the one that lets you play Flash video in your browser – will continue to be developed and supported by Adobe for at least the next five (and maybe ten) years. But Adobe is making it easier for video producers to move away from Flash and toward HTML5.
Meanwhile, Google has announced that they will start blocking Flash-based advertisements, which should provide the necessary motivation for advertisers to move away from Flash.
The newest version of Google’s web browser Chrome includes fixes for at least seven security issues, as well as the latest version of its embedded Flash player.
The change log is a manageable size this time, and reveals that version 47.0.2526.80 fixes a variety of other bugs, but doesn’t add any new features.
You may have noticed that web sites everywhere are moving toward secure browsing. There are a couple of reasons for this. First, Ed Snowden confirmed our fears, revealing that the NSA and partner organizations are snooping on everything we do. Second, Google is pushing for encryption everywhere by penalizing sites that don’t offer secure browsing.
Boot13 may now be browsed securely, by pointing your web browser to https://boot13.com.
A big shout out and thank-you to Let’s Encrypt, an organization that provides free security certificates and related tools to anyone who operates a site or service that can use them. The certificate we’re using on Boot13 was provided by Let’s Encrypt.
PCs from Dell were found to include support software and related security certificates that potentially expose users to various threats. Dell moved quickly to provide fixes, but many systems remain vulnerable. As if we needed more convincing, this is yet another reason to remove manufacturer-installed software from new PCs as soon as possible after purchase.
A hacking tool called KeeFarce looks for KeePass password databases, attempts to decrypt the stored passwords, and makes the decrypted passwords available to intruders. For this to work, the target computer must already be compromised, and the KeePass database left unlocked. According to researchers, the technique could be used on any password management software. Please, if you use password management software, remember to leave it locked, even if you’re the only user. Why make things any easier for intruders?
Anti-adblocking service provider PageFair was hacked on Halloween, and for a couple of hours, visitors to about 500 web sites were shown fake Flash update warnings that actually installed malware. PageFair fixed the problem relatively quickly and apologized for the breach.
The web site for the popular vBulletin forum software was hacked and user account information stolen. Site admins reset all user passwords and warned users, but have yet to address claims that the attackers used a long-standing vulnerability in the vBulletin software itself to achieve the intrusion. If true, anyone who manages a vBulletin site should immediately install the patch, which was made available after the vBulletin site hack.
With all the furor over Windows 10’s privacy issues, it’s important to recognize that modern phones have all the same issues. Anyone who uses a smartphone has observed that most apps ask for access to private information when they are installed. Generally, user choices are limited to agreeing or cancelling installation. A new study looks at popular iOS and Android apps, the user information they collect, and where they send it. The results are about as expected, and the authors conclude, “The results of this study point out that the current permissions systems on iOS and Android are limited in how comprehensively they inform users about the degree of data sharing that occurs.” No kidding.
A nasty new type of Android malware has been discovered. Researchers say that the perpetrators download legitimate Android apps, repackage them with malware, then make the apps available on third-party sites. Once installed, the infected apps allow the malware to install itself with root access. So far, the malware only seems to be used to display ads, but with root access, there’s no limit to the potential damage. Worse still, it’s extremely difficult to remove the malware, and in many cases it’s easier to simply buy a new phone.
Ransomware was in the news a lot in November. SANS reported seeing a malware spam campaign that impersonates domain registrars, tricking recipients into clicking email links that install the ransomware Cryptowall. Ars Technica reports on changes in the latest version of Cryptowall, and a new ransomware player called Chimera. Brian Krebs reports on new ransomware that targets and encrypts web sites. Luckily, the encryption applied by that particular ransomware is relatively easy to reverse.
Several web sites and services were hit with Distributed Denial of Service (DDoS) attacks in November. In some cases, the attackers demanded ransom money to stop the attack. ProtonMail, provider of end-to-end encrypted email services (and used by yours truly) was hit, and the attacks didn’t stop even when the ransom was paid.
Security certificates generated using the SHA1 algorithm are nearing the end of their usefulness. Plans are already underway to stop providing them and stop supporting them in web browsers and other software. SHA1 is being phased out in favour of the much more secure SHA2 algorithm.
A rash of vulnerabilities in popular WordPress plugins, including the excellent BPS Security plugin, came to light in November. WordPress site operators are strongly encouraged to either enable auto-updates or configure their sites to send alerts when new plugin versions are detected.
An app called InstaAgent was pulled from the Apple and Google app stores when it was discovered that the app was transmitting Instagram userids and passwords to a server controlled by the app’s developer. It’s not clear how the app managed to get past the quality controls in place for both stores.
Security researchers discovered a bizarre new form of privacy invasion that uses inaudible sound – generated by advertisements on TV and in browsers – to track user behaviour. As weird as it seems, this technology is allowing true Cross Device Tracking (CDT).
On a brighter note, Google is now detecting web sites that appear to use social engineering techniques to trick users. Chrome’s Safe Browsing feature will now show a warning when you are about to visit a page Google thinks is using these devious methods.
The whole-disk encryption technology TrueCrypt was previously reported as vulnerable, and a new study has confirmed those vulnerabilities. The study also found that if TrueCrypt is used on unmounted drives, it is perfectly secure, but what use is a hard disk if it isn’t connected to anything? TrueCrypt users are still anxiously awaiting new encryption technologies like VeraCrypt.
Security researchers discovered a critical flaw in many Virtual Private Network (VPN) services. VPN software and services are used by many torrent users to protect their identity. The flaw allows a malicious person to obtain the true IP address of a VPN user.
The Readers Digest web site was infected with a variant of the Angler malware and proceeded to infect unpatched visitor computers for about a week before site operators took action. Thousands of Windows computers may have been infected before the site was finally cleaned up.
boot13