It looks like the Opera team is planning to keep the classic version of Opera (version 12.x) alive and secure – at least for now.
An update to the pre-Webkit version of Opera was announced yesterday. The new version addresses two Heartbleed vulnerabilities in the update software.
Note that this update is for Windows only. Mac and Linux versions are unaffected.
There doesn’t seem to be a release notes page for this version. The main change log page doesn’t even list version 12.17.
The full extent of the damage caused by the Heartbleed vulnerability may not be known for months. New reports of compromised systems are appearing daily.
Ars Technica reports on a very unfortunate compromise of an OpenVPN installation. It’s particularly bad, because thousands of companies worldwide use VPN solutions to provide supposedly completely secure access to corporate networks from off-site. The potential for damage is enormous.
Also in Heartbleed news: apparently the recently-reported Heartbleed-based intrusion of the Canada Revenue Agency was the work of a teenaged computer science student. He’s been arrested. It seems clear that his motivation was curiosity rather than something more sinister, since he did absolutely nothing to conceal his identity.
We recently wrote about the release of Update 1 for Windows 8.1.
In that post, we noted that Microsoft was making this update mandatory for all subsequent security updates, and wondered why they would do that. Apparently we weren’t the only ones, and there was enough angry feedback that Microsoft extended the period during which Windows 8.1 systems without Update 1 could continue receiving security updates, from 30 days to 120.
But why add this kind of limitation at all?
Ars Technica may have the answer to that question. We previously wondered why Microsoft wasn’t simply labeling Update 1 as ‘Service Pack 1’, in keeping with their long-established practices. The answer is simple: Microsoft sees what Apple, Google, and other O/S developers are doing, and they want to do the same.
Anyone who owns a Mac knows that Apple’s support for previous versions of OS X is extremely limited. If you want to keep running that old version of OS X, you’re going to have problems, and you won’t have any recourse except to bite the bullet and upgrade. Often, that also means upgrading the hardware. While this is clearly a consumer-hostile stance, it’s easy to understand. Apple saves an enormous amount of money and effort that would otherwise be spent on supporting old versions, developing updates for multiple O/S versions, and so on.
It appears that Microsoft has finally started down the path away from backward-compatibility and support for old versions of Windows. This is both a good and a bad thing. Backward compatibility is why so many people still run Windows XP: why upgrade your O/S if it suits your purposes and can still be kept reasonably secure? But it’s also the source of many problems.
Moving to a more restricted update system in Windows 8.x looks like the first step in a general trend towards the less consumer-friendly model used by Apple and others. And if that’s true, we can expect more moves like this in Microsoft’s future. Which is sad, but probably inevitable.
WordPress 3.8.3 was released on April 14, and WordPress sites with Auto Updates enabled should have been silently updated. In some cases, the 3.8.3 update may not have had time to auto-update before WordPress became available yesterday.
WordPress 3.8.3 fixes a minor bug that was introduced in the previous release, 3.8.2.
WordPress 3.9 makes several significant changes to the handling of media files, and makes it a bit easier for developers to experiment with widgets.
Neither release apparently includes any security fixes.
Oracle just announced a huge batch of Critical Patch Updates, including 37 updates for Java.
The updates affect all supported versions of Java, including Java 7 (7u55) and the recently-released Java 8 (8u5).
Oracle has clarified their position on the adoption of Java 8 in a special FAQ for version 8. According to that page, “The new release of Java is first made available to developers to ensure no major problems are found before we make it available on the java.com website for end users to download.”
So until Oracle decides that Java 8 is ready for general use, the main Java download page will still offer Java 7 as the ‘most recent’ version. Java 8 can be downloaded from the Oracle Java SE downloads page.
We recommend installing the latest version of Java 7 (7u55) unless you’re interested in testing your Java applications with Java 8, in which case you should install Java 8 Update 5.
Anyone who has filed a business or personal tax return online using the Canada Revenue Agency’s web-based tools should change their CRA passwords.
According to the RCMP, about 900 Social Insurance numbers were obtained from CRA systems by unknown persons over a six hour period around April 8. The affected account holders will be contacted by the CRA via registered mail.
The CRA systems’ vulnerability has now been patched, but the CRA is advising all account holders to change their passwords.
Fallout from the Heartbleed vulnerability continues.
The list of major web sites affected by this issue (and in most cases advising their users to change their passwords) is expanding rapidly. It includes Instagram, Tumblr, DropBox, and many others.
The list of affected software is also growing.
Ars Technica’s ongoing coverage includes the disturbing news that the Heartbleed vulnerability may have been exploited months before patch and Researchers find thousands of potential targets for Heartbleed OpenSSL bug.
Security researchers at the University of Michigan scanned the Internet looking for vulnerable web sites, and found plenty, which they list in their Heartbleed Bug Health Report.
Numerous tools for detecting Heartbleed vulnerability have appeared on the web, including this one at filippo.io. Use these tools with caution, since some will almost certainly turn out to be scams of some kind.
The XKCD web comic has joined in the fun:
RIP Windows XP. At least from Microsoft’s point of view. In fact, use of the O/S continues, and will probably do so for years.
First, let’s get one thing out of the way: it’s not a good idea to keep running Windows XP. If your XP computer is never connected to the Internet, then you have much less to worry about, but continuing to use XP on a computer that is connected to the Internet is risky. Especially if you’re also still using Internet Explorer, in which case you will almost certainly end up with malware of some kind in the very near future.
Anyone who can’t or won’t upgrade from Windows XP should take certain precautions. Check out the Windows XP page on this site for some useful tips.
If you want to do the responsible thing and move away from Windows XP, what are your choices? The best option at this point is Windows 7. You can still buy Windows 7, but Microsoft says that they will stop selling it in February 2015. I’ll be updating the Windows 7 resources on this site to provide XP -> 7 migration tips in the near future.
Other possibilities – for the more adventurous – include Linux and Chrome OS. Linux comes in many flavours, but one in particular is designed to make Windows user feel at home: Zorin OS (free). Chromium OS from Google was designed to be used with its inexpensive and simple ChromeBook computers, but it can be installed on regular PC hardware. It’s free, but probably only useful for users with basic requirements. It runs on top of Linux.
There are loads of articles on the web about the ‘XPocalypse’ – as it’s come to be known. Ars Technica has this: ‘The XPocalypse is upon us: Windows XP support has ended‘.
The first update for Windows 8.1 is available for downloading from Windows Update. As previously discussed, this update consists mostly of changes to the user interface that should make keyboard/mouse (non-touch) users more comfortable with the O/S. There’s still no actual Start menu, although Microsoft is planning to return that much-missed feature in a future update.
Of particular note is the fact that this update is necessary for access to future updates, starting in May 2014.
Update 2014Apr09: Apparently Microsoft has pulled Windows 8.1 Update 1 from its servers, saying that the update is causing problems with the update system itself, in some cases preventing updated systems from checking for future updates.
A bug in the OpenSSL cryptography software running on most of the world’s servers has opened a window into random server data that was never meant to be exposed.
This newly-discovered vulnerability – now known as ‘Heartbleed’ – has apparently existed for at least two years. It’s unclear whether the bug was known to (and used by) nefarious persons to gather supposedly secure information during that time.
Patches for affected operating systems and other software that uses OpenSSL were made available almost immediately after the bug was discovered by researchers. Anyone running a Linux server is strongly advised to update the OpenSSL library ASAP.
Services that use OpenSSL to provide security are separately assessing the risk to their customers and issuing their own advisories and recommendations. For instance, Yahoo Mail is known to be vulnerable. Mojang, makers of the popular game Minecraft, advise all players to change their passwords. Ars Technica is also advising all its users to change their passwords.
This bug is so important that it has its own web page, which provides an overview of the issue and makes general recommendations.
Update 2014Apr10: The LastPass web site has some helpful information about major sites that have been affected by Heartbleed and recommends changing your passwords for those sites. They also provide a site check that allows you to determine whether a particular site was affected by Heartbleed.
boot13