Category Archives: Security

aka infosec

Firefox 57: faster and better

I’ve been using Firefox 57 for a few days now, since it was released on November 14. So far, I like what I see. Mozilla is hyping how much faster the browser is, and while it doesn’t feel a lot faster, it is indeed somewhat snappier. Given that Firefox had been getting noticeably sluggish in recent months, this is very welcome.

There are some major changes in Firefox 57: the user interface (UI) has had a major overhaul, using a new set of design guidelines called Photon. Most user interface elements will look familiar, but slightly different. Photon’s main objectives are to improve performance while making the interface consistent across various platforms. You’ll notice new icons throughout (including the main application icon), new positioning of interface elements, new animations, new appearance and behaviour for tabs, cleaned up menus, and new page loading animation.

The ‘new tab’ page has also been improved, and is more customizable. There are some new search engines to choose from, and Google is now the default for search. The on-page search feature now includes an option to highlight all matches on a page.

Numerous other changes in Firefox 57 were made to improve performance, including a new CSS engine called Stylo. CSS stands for Cascading Style Sheets, and it’s a set of standards used by web developers to define the style and layout of web sites. Stylo is faster than its predecessors because it uses available processing power more sensibly.

The upgrade process for Firefox 57 is no different than for earlier versions, and you don’t need to do anything special. As always, your existing Firefox profile (which contains your settings, bookmarks, login credentials, history, etc.) will be used by the new version. You may notice that your toolbar has been rearranged slightly, but that’s easy to fix using the Customize feature. You may also see blank spacer elements on either side of the address box, but these can be removed.

I noticed one possible problem: the contents of the address bar drop-down list occupy a narrow section in the middle of the list. The width of that section matches the width of the address box itself. This may have been done intentionally, but in my opinion it looks weird and severely limits the displayable length of addresses in the list.

With version 57, Firefox is no longer quite as sensitive about the use of Windows accessibility features. Previously, running the Windows On-Screen Keyboard would trigger Firefox to disable multi-process mode, resulting in reduced performance. That no longer happens in Firefox 57.

Firefox 57 also includes fixes for fifteen security vulnerabilities, so even if you’re not sure about the new user interface, you should really go ahead and upgrade.

All in all, it’s good news for Firefox fans: Firefox 57 is faster, and has a cleaner, tighter, and more consistent user interface. I don’t see any reason to hold off on upgrading.

Firefox 57 may even be good enough to slow the recent wave of users who, fed up with Firefox’s increasing bloat and decreasing performance, and feeling abandoned after Mozilla recently orphaned thousands of useful add-ons, have been switching to Chrome and other browsers.

November updates for Adobe products

Yesterday, Adobe announced updates for several of its main products, including Flash, Acrobat Reader, and Shockwave.

Flash 27.0.0.187 addresses five critical vulnerabilities in earlier versions. You can download the new desktop version from the main Flash download page. That page usually offers to install additional software, which you should avoid. Chrome will as usual update itself with the new version, and both Internet Explorer and Edge will get their own updates via Windows Update.

Acrobat Reader 11.0.23 includes fixes for a whopping sixty-two vulnerabilities, all flagged as critical, in earlier versions. Download the full installer from the Acrobat Reader Download Center.

Shockwave Player 12.3.1.201 addresses a single critical security issue in earlier versions. Download the new version from the Adobe Shockwave Player Download Center.

If you use Flash, Reader or Shockwave to view content from untrusted sources, or if you use a web browser with add-ons enabled for any of these technologies, you should update affected systems immediately.

Patch Tuesday for November 2017

According to Microsoft’s announcement, the November updates include patches for Internet Explorer, Edge, Windows, Office, and .NET. As usual, you have to dig into the rather awkward Security Update Guide to find additional details.

My analysis of the SUG reveals that there are fifty-three bulletins, addressing fifty-four vulnerabilities across the usual range of products. Sixteen of the vulnerabilities are flagged Critical.

If you’re interested in performing your own analysis, I strongly suggest avoiding the cumbersome SUG interface. Instead, locate the almost hidden ‘Download’ link at the top right of the updates grid and click that to open the data in Excel. From there you can use Excel’s filtering tools to wrestle the update information into more manageable lists.
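For readers who would rather do the same roll-up without Excel, here is an added Python example (not from the original post) that loads a CSV export of the Security Update Guide and reduces the per-product rows to one entry per CVE, keeping the highest severity seen. The column names are an assumption modelled on the export; the rows, CVE numbers and KB numbers are constructed placeholders.

```python
import csv
import io

# Constructed sample in the shape of a Security Update Guide CSV export.
# Column names are an assumption modelled on the export; the CVE and KB
# identifiers below are placeholders, not real ones.
SAMPLE_CSV = """\
Release date,Product,Platform,Impact,Max Severity,Article,Details
Nov 14 2017,Windows 10 Version 1709,x64,Remote Code Execution,Critical,KB0000001,CVE-0000-0001
Nov 14 2017,Windows Server 2016,x64,Remote Code Execution,Critical,KB0000002,CVE-0000-0001
Nov 14 2017,Internet Explorer 11,,Remote Code Execution,Critical,KB0000003,CVE-0000-0002
Nov 14 2017,Microsoft Edge,,Information Disclosure,Important,KB0000001,CVE-0000-0003
Nov 14 2017,Microsoft Office 2016,x64,Remote Code Execution,Important,KB0000004,CVE-0000-0004
Nov 14 2017,Microsoft Office 2016,x86,Remote Code Execution,Important,KB0000004,CVE-0000-0004
Nov 14 2017,.NET Framework 4.7,,Security Feature Bypass,Important,KB0000005,CVE-0000-0005
"""

# Microsoft's severity ladder, lowest to highest, so rows can be compared.
SEVERITY_RANK = {"Low": 1, "Moderate": 2, "Important": 3, "Critical": 4}


def parse_sug(csv_text):
    """Read the export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def rollup_by_cve(rows):
    """Collapse one row per (CVE, product) into one entry per CVE.

    Each entry keeps the highest severity seen across products, plus the
    set of affected products and the set of update articles (KB numbers).
    """
    by_cve = {}
    for row in rows:
        cve = row["Details"].strip()
        severity = row["Max Severity"].strip()
        entry = by_cve.setdefault(
            cve, {"severity": severity, "products": set(), "articles": set()}
        )
        if SEVERITY_RANK.get(severity, 0) > SEVERITY_RANK.get(entry["severity"], 0):
            entry["severity"] = severity
        entry["products"].add(row["Product"].strip())
        entry["articles"].add(row["Article"].strip())
    return by_cve


def counts(by_cve):
    """Headline numbers: distinct CVEs, how many are Critical, distinct updates."""
    articles = set()
    for entry in by_cve.values():
        articles |= entry["articles"]
    return {
        "vulnerabilities": len(by_cve),
        "critical": sum(1 for e in by_cve.values() if e["severity"] == "Critical"),
        "updates": len(articles),
    }


def critical_by_product(by_cve):
    """Map each product to the sorted list of Critical CVEs that affect it."""
    result = {}
    for cve, entry in by_cve.items():
        if entry["severity"] != "Critical":
            continue
        for product in entry["products"]:
            result.setdefault(product, []).append(cve)
    return {product: sorted(cves) for product, cves in result.items()}


if __name__ == "__main__":
    by_cve = rollup_by_cve(parse_sug(SAMPLE_CSV))
    print(counts(by_cve))
    for product, cves in sorted(critical_by_product(by_cve).items()):
        print(f"{product}: {', '.join(cves)}")
```

Pointing `parse_sug` at a real export (read the downloaded file instead of `SAMPLE_CSV`) gives the same three headline numbers the post quotes, and the per-product table is the list to work through first when deciding which machines to patch tonight.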

KRACK Wi-Fi vulnerability: what you need to know

Last week, security researchers identified a series of vulnerabilities affecting almost all Wi-Fi devices, from computers to refrigerators. The vulnerability could allow attackers to intercept wireless communications and potentially steal credentials and other sensitive information. The vulnerabilities are collectively referred to as KRACK.

The good news is that computers running Windows and Linux already have patches available. Microsoft included fixes in the October 2017 Patch Tuesday updates.

Apple says that fixes are ready for MacOS, but there’s no word on exactly when they will actually be made available.

The bad news is that mobile devices, particularly those that run Google’s Android operating system, are vulnerable, and in some cases, might stay that way indefinitely. That’s because even though Google has prepared fixes for Android, those fixes won’t get to devices made by other vendors until those vendors make them available. Some vendors are better than others at pushing updates to their devices. Worse, some devices running older O/S versions may never get updates at all, rendering them permanently insecure.

There are mitigating factors. First, because of the responsible way in which these vulnerabilities were reported, Microsoft and other major players have had time to develop fixes, while details of the vulnerabilities were kept relatively secret until recently. That means we have a head start on the bad guys this time.

Second, exploiting these vulnerabilities requires close proximity. Attacks based on these vulnerabilities can’t be executed over the Internet.

Use caution with unpatched devices

If you use a public Wi-Fi access point with an unpatched device, you’re exposed. So until patches for your device become available, you might want to disable its Wi-Fi when you’re not at home. Most devices have a setting that prevents them from automatically connecting to Wi-Fi networks they find in the vicinity.

IoT devices may remain vulnerable forever

‘Internet of Things’ (IoT) devices, including thermostats, cars, appliances, and basically anything that can have a computer stuffed into it, often connect to the Internet using Wi-Fi. There are no security standards for IoT devices yet, and many are extremely unlikely to ever be patched.

Recommendation: identify all of your IoT devices that have the ability to connect to the Internet. For each, make sure that you’re using a wired connection, or disable networking completely, if possible. As for devices that connect to the Internet via Wi-Fi and cannot or won’t be patched or disabled, consider taking them to the nearest landfill.


Java 8 Update 151: twenty-two security fixes

Although it’s rapidly losing its relevance, Java still poses a security risk for any computer on which it’s installed. Java’s dangers are significantly lower now than in the past because, of all the major browsers, only Internet Explorer still runs Java code. All the others have stopped supporting Java completely.

Those of you still using Java, especially in Internet Explorer, should install Java 8 Update 151, because it includes fixes for twenty-two security vulnerabilities.

The easiest way to update Java is to visit the official Verify Java Version page, which will provide an update link if you’re running an out of date version.


Chrome 62.0.3202.62: thirty-five security fixes

If you want to test your web browser’s performance and memory management, just point it to the full change log for Chrome 62.0.3202.62. It’s a behemoth, documenting over ten thousand distinct changes.

Given the number of changes in Chrome 62.0.3202.62, I decided to skip reading the log and trust that Google would point out anything interesting in the release announcement.

The announcement for Chrome 62.0.3202.62 documents thirty-five fixes for security vulnerabilities, so clearly this is an important update. As for the other changes, Google says only this:

Chrome 62.0.3202.62 contains a number of fixes and improvements — a list of changes is available in the log. Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 62.

Chrome usually updates itself within a few days of a new release. You can trigger an update by navigating to the About page: click the three-vertical-dots menu button, then Help > About Google Chrome.

Flash 27.0.0.170 fixes one security issue

And just like that, we get another version of Flash, this one addressing a single security vulnerability. From the security bulletin: “Adobe is aware of a report that an exploit for CVE-2017-11292 exists in the wild, and is being used in limited, targeted attacks against users running Windows.”

Anyone still using Flash in their web browser should install the new version as soon as possible. You can check which version you’re running and download the new one at the Flash version checker and download page.

As usual, Chrome will get the new Flash via its own internal update system, and Microsoft browsers will be updated via Windows Update.