Google released another new version of Chrome on Monday. Version 29.0.1547.66 fixes a minor issue with Sync and includes an update for the embedded Flash player. Oddly, Flash seems to have rolled back to an earlier version, from 11.8.800.115 to 11.8.800.97. There has been no explanation from Google so far.
Java 6 being targeted more frequently
Anyone still using Java 6 should upgrade to Java 7 as soon as possible. Oracle stopped making security fixes for Java 6 available to the public in February 2013, and exploits targeting unpatched vulnerabilities in Java 6 are finding their way into hacking toolkits.
Oracle has probably developed patches for recent vulnerabilities in Java 6, but these are only officially available to corporate clients with expensive support contracts. While I understand Oracle’s motivation for this, I disagree with their decision. When Oracle develops a security patch, it should be made available to everyone.
Reminder: latest Java still vulnerable
The most up to date version of Java (7 Update 25) is vulnerable to an exploit reported to Oracle on 2013Jul18 by Adam Gowdiak of Security Explorations.
This is just the latest version-specific vulnerability in a long series of related vulnerabilities that are all based on a fundamental weakness of Java that has existed for over ten years and has yet to be properly addressed.
Oracle has assured Mr. Gowdiak that this vulnerability will be eliminated in Java 7 Update 40, to be released in September 2013. The good news is that no active exploits for this vulnerability have yet been discovered.
As always, we recommend that you use Java with caution. Disabling Java in your web browser can decrease your exposure to Java-based attacks.
Update 2013Sep11: Java 7 update 40 was released yesterday, but there do not appear to be any specific fixes for this or any other security vulnerability. Some security-related changes were made in 7u40, and those changes may mitigate the vulnerability reported by Mr. Gowdiak. We will await an update from Mr. Gowdiak for confirmation either way.
Update 2013Oct16: Mr. Gowdiak has confirmed that this issue was resolved in Java 7 Update 40.
Google Chrome 29.0.1547.62 released
Another new version of Google’s web browser was announced yesterday. The new version fixes a Google Docs printing bug. Since no security-related bugs were fixed in this version, this is not an urgent upgrade.
Opera version 16 released
The new WebKit-based Opera browser has been updated to version 16. The browser still looks and acts almost exactly like Google Chrome, and as such there’s not much to recommend it. Many features that worked well in the non-WebKit version of the browser – still available as version 12 – are missing from version 16. That includes the auto-update feature. In fact, there isn’t even a link on the About page or in the browser’s menus that points to a download page. My advice is to give this browser a pass. If you still like and use the old Opera 12 browser, keep your fingers crossed that it will continue to receive updates.
Mac Mini: first impressions
I’ve been using the Mac for a little over a week now, and in general, it’s pretty slick. Before Apple made the move to a Linux-based operating system with OSX, I had little use for Macs. The UI was clunky at best, and the inability to multitask was a show-stopper.
Disclaimer: I access the Mac via a KVM switch, using a multi-button mouse and a professional Windows keyboard with mechanical switches. But more often, I use the Mac through a VNC connection from my main Windows PC.
Keyboard issues
Because I’m not using a Mac keyboard, I had to figure out how to press Mac-specific keys, but that turned out to be easier than I expected. OSX recognizes different keyboards and maps keys appropriately. For instance, when accessing the Mac directly, the Alt key works as the Option key, the Control key is the Command key, and the Windows key is the Apple key.
The biggest problem I had with the keyboard was the Home and End keys. On Windows, those keys move the cursor to the beginning and end of a line, respectively. On a Mac, they move the cursor to the beginning and end of the document, respectively. This messed with my motor memory in a big way, and I looked at a variety of remapping solutions. Eventually I was able to fix this by creating the file ~/Library/KeyBindings/DefaultKeyBinding.dict and adding these lines:
{
/* Remap Home / End to be correct :-) */
"\UF729" = "moveToBeginningOfLine:"; /* Home */
"\UF72B" = "moveToEndOfLine:"; /* End */
"$\UF729" = "moveToBeginningOfLineAndModifySelection:"; /* Shift + Home */
"$\UF72B" = "moveToEndOfLineAndModifySelection:"; /* Shift + End */
"^\UF729" = "moveToBeginningOfDocument:"; /* Ctrl + Home */
"^\UF72B" = "moveToEndOfDocument:"; /* Ctrl + End */
/* Remap Ctrl-left/right to go to previous/next word */
"^\UF702" = "moveWordLeft:";
"^\UF703" = "moveWordRight:";
}
Update: This solution for the Home and End keys seems to work for all applications, with one exception: Firefox. I reported the problem on Mozilla’s Bugzilla site as Bug #918859.
Another keyboard problem I’ve run into is that the Enter (Return) key works differently on the Mac. In Windows dialogs and Explorer, Enter opens the currently-highlighted item. If it’s a folder, the folder opens; if it’s a file, the file opens. Makes sense to me, and it’s something I do all the time. Oddly, on the Mac, Enter renames the highlighted file or folder. I haven’t found a permanent solution to this, so in the meantime I’m trying to remember to use Alt-O (Command-O) to open folders/files from the keyboard.
One final keyboard difference worth noting is the fact that there is no Insert key on the Mac. On Windows, this key toggles between insert and overtype modes. On the Mac, you’re always in insert mode.
No single-button mouse for me
I’m glad I can use my multi-button mouse. Again, I’m just so accustomed to right-clicking UI elements to show context menus that I would have a hard time changing to the Apple approach, which is to hold down the Control key and click the (only) mouse button.
Installing open source software
I recently moved all my public-facing services onto a new, powerful Linux computer. Almost all of my work with the Linux server happens at the command line. I don’t find either of the graphical UIs most commonly used on Linux (KDE and Gnome) all that compelling. In any case, I’m now comfortable using the APT system to install and manage open source software packages in Linux, so I was surprised to find nothing similar on the Mac. A bit of research led me to a tool called ‘Homebrew’; having installed this software, I can now download and install software using the ‘brew’ command, which is similar to APT.
Remote access with VNC
Although my KVM works well with the Mac, I find it more convenient to use remote control software. This allows me to continue to use my Windows machine as my primary work environment while providing quick access to the Mac. OSX includes a VNC server, but it’s disabled by default. Enabling it is a simple matter of going to the Sharing panel in System Preferences, putting a checkmark next to Remote Management, assigning the users who should have access, and configuring access (click the Options button). There are numerous VNC client software packages available. I’m currently using TightVNC, which was simple to set up and seems to work reasonably well. Just point your VNC client at the name displayed on the Remote Management settings page on the Mac to connect.
Remote login with SSH
I’m accustomed to accessing my Linux server via command line interface using SSH. This also works for the Mac, but again it has to be enabled first. To do that, again go to System Preferences. Put a checkmark next to Remote Login, and assign the users who should have access. Connect using an SSH client like Putty.
Miscellaneous Mac weirdness
One thing that has always bothered me about the Mac is that closing an application’s windows doesn’t close the application itself. Well, usually. That’s part of the problem: there’s no consistency to it. Some apps close when you close their last open window, and some don’t. A very odd design choice in any case.
Now about those three little buttons at the top left of windows: there’s a close button (the red ‘X’), a minimize button (the yellow ‘-‘), but what does that third button do? It’s a green ‘+’, so one might reasonably expect it to maximize the window, right? But sometimes it does, and sometimes it doesn’t. Weird.
One final bit of weirdness is the way icons work. When you click an icon, for example on the desktop, you see a nice square frame around the entire icon, regardless of the shape of the icon’s image. This encourages a belief that the Mac understands that the shape and size of the icon’s image is not important in terms of selecting (or double-clicking) the icon. That belief is erroneous. In fact, if an icon’s image has any transparent ‘holes’, you cannot select the icon by clicking on any of the holes. As a result, some icons are easier to select that others, and trying to select an icon with a lot of transparent areas can become an exercise in frustration. On Windows, clicking anywhere inside the square boundaries of an icon selects it.
Must-have free desktop software for the Mac
(cricket chirping)
Seriously. Most of the desktop software I use on my Windows PC is free or open source. That’s relatively rare on the Mac, at least in my (admittedly limited) experience. I guess there’s a general understanding that Mac owners have money to burn. The App Store doesn’t even allow sorting or filtering search results by price.
More malicious email and web site warnings
As if you needed more reasons to be cautious when using email or browsing the web, here are two new warnings, from CERT and Malwarebytes.
According to CERT and the FBI, a new, active spear-phishing campaign is sending email to targeted recipients. This particular email purports to be from “National Center for Missing and Exploited Children” and its subject line is “Search for Missing Children”. Do not open this email or any of its attachments, which contain malware.
Malwarebytes, a respected anti-malware software vendor, recently posted a warning about fake Flash player updates that appear on some (mostly pornographic) web sites. Users are tricked into clicking a link that supposedly updates the Flash player, but actually installs malware. Once the malware is installed, legitimate web-based advertisements will be replaced by ads served by the perpetrators. The new ads are often pornographic in nature, and can appear over ads on any web site.
Chrome 29.0.1547.57 released
Another new version of Google Chrome was announced yesterday. Chrome 29.0.1547.57 includes several fixes for security vulnerabilities, as well as improvements to stability and performance.
Firefox 23.0.1
A new version of Firefox was released yesterday. Version 23.0.1 apparently fixes three minor bugs, none related to security.
There was no official release announcement for this new version. The release notes are exactly the same as for version 23, with the three fixed bugs just added the top of the list of changes. The ‘complete list of changes’ link still points to an enormous list of bugs that appear to all be related to version 23.
I won’t bother rehashing everything that’s wrong with the way new Firefox versions are being documented by Mozilla. For that, see my post about Firefox 23.
When Windows XP support ends…
After April 2014, it will no longer be possible to obtain security updates for Windows XP – unless you’re paying Microsoft a ton of money. This has some interesting ramifications.
Clearly, there will be renewed interest in the aging O/S as an attack target. New vulnerabilities will continue to appear, but will remain unpatched on most Windows XP computers. Tools that exploit these vulnerabilities will increase in value, resulting in a boom for anyone developing them.
Depending on how many XP systems remain after April 2014, and the number and seriousness of vulnerabilities discovered after that date, there may be some backlash against Microsoft. There may be calls to extend support for XP even further. It’s possible that as many as one third of all computers and devices will still be running XP after support expires.
If Microsoft declines to extent support, you can bet that any new patches they develop for XP will find their way into the hands of regular users through unauthorized torrents and underground web sites.
On the other hand, while keeping Windows XP patched is obviously an important part of an overall security plan, there are other ways to protect yourself. Most users these days connect to the Internet through a router/firewall, which – if configured correctly – makes it almost impossible for an attacker outside the router to identify or even detect a computer inside the router. So, while I’m not recommending that you ignore this problem (you should really upgrade to Windows 7), there may not be a reason to panic if you’re still running Windows XP next year.
Update 2013Aug21: Another ComputerWorld post on this subject, and a post from ZDNet.