Microsoft steps in a huge steaming pile of privacy issues

March 22, 2014 jrivett Leave a comment

In yet another of the endless examples of why companies shouldn’t let lawyers make decisions, Microsoft has undone whatever goodwill they might have had from customers who value the privacy of their email.

A Microsoft employee apparently leaked Windows 8 information to a reporter. In typical big-corporation fashion, this leak caused the software giant to go into full-on freakout mode. Ignoring common sense entirely, they dug into the reporter’s Hotmail account, looking for clues to the identity of the leaker. Apparently the lawyers were consulted, and the lawyers said, “Go right ahead and look! The Terms of Service for Hotmail mean the law is on our side.” And they’re right. But that doesn’t mean it was a good idea. Now that this incident has come to light, the public backlash is just beginning for Microsoft.

Of course, this problem is not limited to Microsoft. Almost all email services operate this way. Whoever provides the service can access any part of it at any time, even if it’s encrypted as part of the service. The only way to get around this exposure while using a typical email service is to add your own encryption – on both ends of every email exchange – commonly referred to as end-to-end encryption. Lavabit was one of the few email services to offer this kind of security, and they closed down recently rather than comply with access requests from the NSA.

Update 2014Mar29: Microsoft, in damage control mode, has made changes to its privacy policies. A statement by Microsoft General Counsel Brad Smith on the ‘Microsoft on the Issues’ blog makes it clear that they will no longer look at customer data in situations like this. Smith also states that Microsoft will work with the EFF and other digital rights organizations to help avoid problems like this in the future.

Opera, Patches and updates

Opera 20 and subsequent updates

March 21, 2014 jrivett Leave a comment

Ah, the perils of switching RSS feed clients. In the process of moving from The Old Reader to Feedly, I apparently missed one feed: Opera Desktop. Mea culpa.

Because of my blunder, I also missed the release of version 20 of Opera’s Webkit-based browser, as well as two subsequent updates. Version 20 was released on March 4, 20.0.1387.77 was released on March 13, and 20.0.1387.82 was released on March 20.

Version 20 adds more customization of the Speed Dial page, drag and drop between Speed Dial and the bookmark toolbar, and several other cosmetic changes. There’s still no bookmark sidebar.

The 20.0.1387.77 and 20.0.1387.82 updates fix some issues related to stability.

Malware, Microsoft, Patches and updates, Security, Windows XP

MSRT will still be updated for Windows XP after April 8

March 21, 2014 jrivett Leave a comment

Microsoft’s Malicious Software Removal Tool (MSRT) checks for and attempts to remove known malware from Windows computers during the Windows Update process.

Previously, it was assumed that MSRT would stop being updated for Windows XP once support for that O/S ends in April. A few weeks ago, Microsoft confirmed that it will continue to update MSRT on Windows XP computers until July 15, 2015.

This is good news for anyone who will still be running XP after April, but it’s important to note that MSRT is not a substitute for a full anti-malware solution, and should not be seen as protection against the flood of malware, targeted at Windows XP computers, expected to appear after April 8.

Firefox

Firefox plugins are being phased out

March 20, 2014 jrivett Leave a comment

Recently, Mozilla announced that they plan to gradually eliminate plugins from Firefox.

Plugins are used in Firefox to allow certain types of content to be embedded in a web page. Common plugins are those for Flash, Adobe Reader (PDFs), Java, Silverlight and Shockwave. According to Mozilla, plugins are often a source of performance and security issues, and they are being made increasingly redundant, given new technologies like HTML5.

It’s important to distinguish between Firefox plugins and Firefox extensions. Extensions provide new functionality to the browser, and include SEO tools, debugging tools, media helpers, interface customizations, and so on. Mozilla has no plans to phase out extensions, only plugins. A post over at ColonelPanic provides additional information about the distinction between plugins and extensions.

For now, the main thing you need to know about plugins in Firefox is that they can now be configured to remain inactive until explicitly activated by the user. I’ve changed all my Firefox plugins to ‘Ask to activate’ and so far it’s working well. It means there’s an extra step whenever I want to display embedded content, but it also means that content doesn’t do anything automatically, and I always know exactly what’s generating that content (Java, Flash, etc.) I highly recommend doing this. From the Firefox menu, select ‘Add-ons’ to configure your plugins.

Firefox, Patches and updates, Security

Firefox 28 released

March 19, 2014 jrivett Leave a comment

There was yet another stealth release of Firefox yesterday. Version 28 was not announced on any of the myriad Mozilla blogs. I only discovered it because of release announcements on CERT and SANS blogs.

According to SANS, at least some of the security fixes in Firefox 28 are the result of successful hacks at the recent Pwn2Own contest. There’s a full list of the security fixes in this version at the top of the ‘Known Vulnerabilities‘ (aka ‘Security Advisories for Firefox’) page for Firefox.

The official release notes page for version 28 shows no improvement over previous release notes pages. But it does list the changes in the latest version, none of which are worthy of note.

Aside: I recently submitted two bugs to the Mozilla bug tracking system for Firefox. Bug #973330 is about the lack of proper announcements for new Firefox versions. Bug #973335 covers the many issues with the release notes pages for Firefox. So far the responses from Mozilla workers have not been encouraging.

Chrome, Google, Patches and updates, Security

Chrome 33.0.1750.154 fixes Pwn2Own vulnerabilities

March 15, 2014 jrivett Leave a comment

The recent Pwn2Own contest revealed security vulnerabilities in several software products, including Google Chrome.

Within hours, Google corrected the flaws in Chrome and released new versions. The new Windows version is 33.0.1750.154. The official announcement provides additional details.

Adobe, Flash, Patches and updates, Security

Flash 12.0.0.77 released

March 12, 2014 jrivett Leave a comment

Adobe announced a new version of Flash yesterday. Version 12.0.0.77 fixes two security vulnerabilities flagged by Adobe as Important.

As usual, Google Chrome will update itself with the latest version of Flash, while Internet Explorer 10 and 11 on Windows 8 and 8.1 will receive the latest Flash updates via Windows Update.

You can check the version of Flash currently installed on your computer (or more accurately, in your browser), by visiting the About Adobe Flash page, and you can download the new version from the Player Download Center (warning: this page will install additional software by default; make sure to uncheck any optional software checkboxes).

Internet Explorer, Microsoft, Patches and updates, Security, Windows

Microsoft updates for March 2014

March 12, 2014 jrivett Leave a comment

Yesterday was Patch Tuesday, and Microsoft released five updates for Windows, Internet Explorer, and Silverlight. Two of the updates are flagged as Critical. The official summary bulletin has all the technical details, and a post on the MSRC blog has a less technical breakdown of the updates.

As expected, one of this month’s updates fixes the recently-reported zero-day vulnerability in Internet Explorer.

Chrome, Google, Patches and updates, Security

Chrome 33.0.1750.149 fixes several vulnerabilities

March 11, 2014 jrivett Leave a comment

Another new version of Google’s web browser was announced today.

Version 33.0.1750.149 fixes seven security vulnerabilities, as well as some other bugs and stability issues.

Microsoft, Security, Windows XP

Ouch! newsletter: The End of Windows XP

March 8, 2014 jrivett Leave a comment

This month’s Ouch! (PDF) provides a useful overview of what you need to know if you’re still using Windows XP.

The SANS Ouch! newsletter is aimed at users, so it may not be useful for IT professionals. On the other hand, it’s a great place to send users looking for information adapted to their level of understanding.

boot13