Category Archives: Security

aka infosec

Firefox 53.0: security updates and performance improvements

A major change to the internal workings of Firefox should result in faster web page rendering on most Windows computers. Unfortunately, that doesn’t include Windows XP: starting with version 53.0, Firefox no longer supports XP or Vista.

Firefox 53.0 also fixes at least twenty-nine security issues, so it’s a good idea to update it as soon as possible. Firefox can be rather sluggish about updating itself, but you can usually trigger an update by clicking the menu icon at the top right (three horizontal lines), then the little question mark icon, then About Firefox.

Also in the new release are some improvements to Firefox’s user interface, including two new ‘compact’ themes that free up some screen space. Site permission prompts are now somewhat easier to understand and more difficult to miss. Tab titles that are too long to fit in a tab now fade out at the end instead of being cut off and replaced by ellipses, which makes more of the truncated title visible.

Chrome 58.0.3029.81

The change log for Chrome 58.0.3029.81 is ten thousand items long, so you might want to think twice before clicking that link. It’s probably safe to say that there are no new features or major changes in the new version, since nothing of the kind is mentioned in the release announcement. This is an important update, though. That’s because it includes fixes for twenty-nine security flaws.

Chrome seems to update itself on most computers within a day or so of a new release, but you can usually trigger an update by opening the browser’s menu (the three-vertical-dots icon at the top right) and navigating to Help > About Google Chrome.

New Java version: 8 Update 131

Earlier this week Oracle posted its quarterly Critical Patch Advisory for April 2017. Most of the Oracle software affected by these updates is likely only of interest to system administrators and developers, but buried in the advisory is a list of eight security vulnerabilities in Java 8 Update 121. Although it’s not mentioned in the advisory, those Java vulnerabilities are addressed in a new version of Java: 8 Update 131.

Anyone who uses a web browser with a Java plugin enabled should install Java 8 Update 131 as soon as possible. These days, Firefox, Chrome, and other Chrome-similar browsers like Vivaldi don’t support Java at all, so that leaves Internet Explorer. You can check whether Java is enabled in Internet Explorer by pointing IE to the official Java version test page.

Even if you don’t use a browser with Java enabled, you may have a version of Java installed on your computer, in which case you should consider updating it. You can find out whether Java is installed by looking for the Java applet in the Windows Control Panel. If it’s there, Java is installed; go to the Update tab and click Update now to install the new version.

Oracle sued by the FTC

If you visit the main Java page, you may notice a large all-caps message at the very top of the page: IMPORTANT INFORMATION REGARDING THE SECURITY OF JAVA SE. The message links to a page that discusses an ongoing lawsuit:

The Federal Trade Commission, the nation’s consumer protection agency, has sued us for making allegedly deceptive security claims about Java SE. To settle the lawsuit, we agreed to contact you with instructions on how to protect the personal information on your computer by deleting older versions of Java SE from your computer.

This is a good reminder that Java installers tend to leave old versions and related junk on Windows computers, and that you should always check for and remove old versions of Java after you install a new version. Visit the Java uninstall page and the Java uninstall help page to get started.

Patch Tuesday for April 2017

As of this month, Microsoft is no longer publishing security bulletins. What we get instead is the Security Update Guide, an online database of Microsoft updates. Instead of a nice series of bulletins in my RSS reader, I get a single notification that contains almost nothing of use, aside from a link to the Security Update Guide. It also recommends enabling auto updates. Suffice to say that they won’t need to change the wording next month.

Security Update Guide

I’m sure it’s possible to create an online update database that works, but the Security Update Guide doesn’t qualify. In the hour I’ve spent so far trying to use it, what I usually see is an empty list. On the occasions when updates were shown, attempting to navigate from there also produced blank lists. Presumably this is happening because the site is overwhelmed, this being Patch Tuesday, but it’s also an excellent demonstration of why simpler systems are often better.

But even assuming that the current (as of 2017Apr11 13:00 PST) issues are transitory, information about the current set of updates that I did manage to see (in brief glimpses) was scattered among hundreds of items in the list. There is an always-visible link to a release notes page for the month’s updates, but sadly that page is far less useful than the summary bulletins previously provided. Aside from a few notes about special cases, all we get is this:

The April security release consists of security updates for the following software:
Internet Explorer
Microsoft Edge
Microsoft Windows
Microsoft Office and Microsoft Office Services and Web Apps
Visual Studio for Mac
.NET Framework
Silverlight
Adobe Flash Player

For the period between March’s Patch Tuesday and today, the guide shows 233 total items. To learn more, you have only one obvious option: go through every item in the list, looking for unique Knowledge Base article numbers in the More Info column, and clicking them to see the related KB article. I think I’ll leave that as an exercise for the reader. If Microsoft improves the guide sufficiently, I’ll go back to providing a more detailed breakdown of the monthly updates.

Update 2017Apr12: On Microsoft’s Security Update Guide, you’ll find a small Download link at the top right of the update list. You can use this to open the update list in Excel, which is a lot easier than using the flaky web-based tool. using this method, I was able to count the number of unique updates, and it looks like there are forty-two, with forty-four vulnerabilities addressed. CERT’s count is sixty-one.

Update 2017Apr18: Ars Technica wonders if anyone likes the new Security Update Guide.

Adobe’s Contribution

As is now almost traditional, Adobe published their own set of updates today. This month we get updates for Flash (seven issues addressed) and Acrobat/Reader (47 issues addressed).

If you still use a web browser with a Flash plugin, you should update it as soon as possible. Internet Explorer and Edge will of course get their own Flash updates via Microsoft Update, while Chrome’s built-in Flash will be updated automatically on most computers.

It’s probably a good idea to stop using LastPass right now

Password management tools are generally a good thing. Most of us have so many passwords now that remembering them all is difficult. While it’s tempting to use one or two passwords everywhere, this is generally viewed as a bad idea. Same goes for short or easy-to-guess passwords: bad idea.

I recommend using password management software that runs natively, on your computer. I personally use Password Corral, and have used Bruce Schneier’s Password Safe. Both store your password data on your computer, not on someone else’s computer (aka ‘the cloud’). Both are relatively basic in terms of functionality: they allow you to store all of your passwords securely; password data is encrypted and protected by a master password. They can also generate new, random passwords.

There are plenty of other password management solutions out there. Some of the most popular ones, like LastPass, provide more features and are easier to use, but there’s typically a cost. For instance, it would definitely be convenient if I could access my passwords from any computer. But if that means my password data is stored on the cloud somewhere, well, no thanks. The same goes for browser extensions that enter passwords automatically.

Which brings us to yesterday, when a Google Project Zero security researcher reported a serious vulnerability in the LastPass browser extension. With the extension enabled in your browser, a malicious web site could steal all of your passwords from the LastPass data files. Yikes. But wait, there’s more! If you’re also running the main LastPass software on your computer, a malicious web site could execute arbitrary code on your computer.

LastPass issued a response to this report, confirming the problem. Their advice to users is vague, but that’s actually a good thing: if they said too much, it could provide clues about the vulnerability to malicious hackers. But the message is clear: if you have to use LastPass, disable the Lastpass browser plugin:

Use the LastPass Vault as a launch pad – Launch sites directly from the LastPass vault. This is the safest way to access your credentials and sites until this vulnerability is resolved.

Interestingly, of the three recommendations provided, two are standard advice for anyone who uses the web: enable and use Two-Factor Authentication for sites and services that offer it; and be wary of phishing attempts.

Firefox 52.0.1

A single security fix is apparently the sole reason Mozilla released Firefox 52.0.1 on March 17. There was no announcement from Mozilla, but as usual, CERT picked up the slack with their own announcement. The release notes for 52.0.1 point to a related security advisory.

Firefox will offer to update itself over the next few days, but you can usually trigger an update by navigating to its About dialog (hamburger menu icon > question mark icon > About Firefox).

Patch Tuesday updates from Microsoft and Adobe

It looks like Microsoft fixed the technical issues that led to February’s updates being postponed until March. Today they announced eighteen updates that address security issues in Windows, Internet Explorer, Edge, Office, Silverlight, as well as Windows Server software, including Exchange.

Critical vulnerabilities for which updates were expected in February, including an SMB flaw in Windows (CVE-2017-0016), and two others that were disclosed by Google’s Project Zero that affect the Windows GDI library (CVE-2017-0038), and Internet Explorer and Edge (CVE-2017-0037), finally get fixes today.

A total of one hundred and forty vulnerabilities are addressed by today’s updates from Microsoft. That’s higher than usual, but of course this is two months’ worth of updates.

Adobe’s contribution to the patching fun this month is new versions of Flash and Shockwave. Flash 25.0.0.127 includes fixes for seven vulnerabilities in earlier versions, while Shockwave 12.2.8.198 resolves a single security issue in versions 12.2.7.197 and earlier.

Chrome will update itself with the new version of Flash in the next day or so, but you can usually trigger the update process by navigating to its About page. Flash updates for Internet Explorer and Edge are included in this month’s updates from Microsoft.

If you’re still using a web browser with a Flash plugin, you should make sure it’s up to date as soon as possible.

Update 2017Mar17: Ars Technica points out — quite rightly — that Microsoft still owes us all an explanation for why the February updates were cancelled. My favourite quote from the Ars article: “when marketers drive communications concerning a reported zero-day exploit, customers lose.” I’d argue that when marketing folk are the only ones talking about technical issues of any kind, we should all be very worried.

Chrome 57.0.2987.98

The latest version of Chrome includes fixes for thirty-six security vulnerabilities.

There are numerous other changes in Chrome 57.0.2987.98. Google didn’t see fit to highlight any of them in the release announcement, so you’ll have to read the browser-annihilating change log to see if any of the changes are of interest. I’m not planning to do that myself, as it’s likely to take several hours, and unlikely to be particularly rewarding.

Chrome updates itself on its own mysterious schedule, but you can usually trigger an update by going to its ‘About’ page. Because this version includes security updates, you should try to update Chrome as soon as possible.

Update 2017Mar16: Ars Technica points out that Chrome 57 includes power saving features that should extend battery life for Chrome users on laptops.