It’s that time again. This month Microsoft has issued eight bulletins, with three of them flagged as Critical. The associated patches affect Windows and Internet Explorer. The August 2013 security bulletin has all the technical details. A post on the Microsoft Security Response Center has a somewhat friendlier summary. For a slightly different view of this month’s updates, check out this post on the SANS Internet Storm Center.
Windows 8.1 update coming in October
Windows 8.1 (effectively Service Pack 1 for Windows 8) will be made available starting some time in October 2013, according to various sources.
Included in the free update will be several tutorials on the new user interface. The exclusion of such tutorials in Windows 8 was a strange decision by Microsoft, since they were in every previous version of Windows.
The update will also include a variety of changes related to user interaction, affecting the use of touch, mouse and keyboard input. Context menus will be improved for better usability.
Related:
- New Windows 8.1 build addresses first-time user complaints
- Leaked Windows 8.1 build gives Windows 8 the tutorials it always needed
- Windows 8.1 to be made available in October
Update: Microsoft has set a firm date for availability of Windows 8.1: October 18, 2013.
SANS Ouch! newsletter: Two Step Verification
This month’s Ouch! newsletter (warning: PDF) is a helpful primer on two step verification. If you have a Google account of any kind, you’ve encountered two step verification. It may seem like extra work, but it’s definitely worthwhile.
Update: Duo Security has been posting about two step verification (aka two factor authentication) a lot recently. For example: Why 2 Factor Authentication Hinges on the User Experience.
Patch Tuesday for August 2013
Advance warning: This month there will be eight bulletins, affecting Windows and Internet Explorer. Three bulletins are flagged as Critical. The updates should become available by 10am PST on August 13.
My new Mac Mini
One of my consulting clients is developing iPhone/iOS apps. I’ll be helping out with testing, deployment, and probably some development. To that end, the client has provided a Mac Mini.
I’ve used Macs before. I even started a blog about my experiences with a new Mac way back in 2004. Some of my earlier observations may still be valid; others may not. In any case, I plan to post anything interesting/cool/weird/annoying that I discover about the new Mac. I’ll try not to let my Windows bias show through, but I can’t guarantee anything.
Firefox 23 released
Another new version of Firefox was made available yesterday. Along with the usual crop of security bug fixes, version 23 sports a few changes worthy of mention:
- A shiny new logo.
- A Network panel was added to the Web Developer Tools. This panel shows the network activity associated with web browsing, including load times.
- The HTML text ‘blink’ attribute has been removed. Blinking text has fallen out of fashion, and it’s generally seen as not user-friendly and non-accessible.
- The ‘Disable Javascript’ setting has been removed from the Options dialog. The developers feel that since disabling Javascript causes many web sites to fail, the option should be hidden. The Javascript options are still accessible via about:config.
- The ‘Load images automatically’ setting was removed from the Options dialog. Again, the developers decided that this option was too dangerous for most users. You can still find the setting in about:config.
- The ‘Always show the tab bar’ setting was removed from the Options dialog. Like the other removed settings, somehow this option was felt to be too dangerous for most users. You can still find the setting in about:config.
Firefox version announcements still lacking
Update 2016Jan06: The release notes page for Firefox 23.0 no longer exists. It was moved to an archive site by Mozilla, but must have been lost in the process. There’s a broken link to the missing page on the Releases/Old/2013 page.
As always, there was no proper announcement for this release. I discovered the new version when I was reading Hacker News. I’ve outlined the problems with Firefox’s online resources in several previous posts, so I’ll just provide a brief list here. Suffice to say that nothing has improved since Firefox 22.
- According to Mozilla, the Mozilla Blog is where new versions of Firefox are announced. The blog has an RSS feed, which is good, and whenever a new version of Firefox becomes available, there is usually at least one post on the blog that describes some of the new version’s features. But these posts do not qualify as release announcements, because they never mention the new version number, or even that there is a new version! Here’s the ‘announcement’ for Firefox 23: Firefox Makes it Easy to Share Your Favorite Content with Friends & Family.
- The main release notes page has several problems, all of which would result in a failing grade in any ‘Web Pages 101’ course:
- the page’s title makes no mention of the version;
- the version isn’t mentioned in any of the page’s headings;
- the first text on the page reads "Firefox Notes (First offered to release channel users on…", which makes it sound as though some ‘notes’ are being offered, not a specific version of Firefox;
- the version is only visible in the page’s URL, which is barely human readable, and in an aside that thanks contributors.
- A link on the release notes page titled ‘complete list of changes’ points to a list of bugs in Mozilla’s bug tracking system. The list is huge, and the information is highly technical and not really intended for regular users.
- The main download page never mentions the version, although all of the download links point to the most recent version.
- The hidden ‘security advisories’ page lists Firefox security vulnerabilities by the date on which they were first reported by Mozilla, with no indication of which vulnerabilities have been fixed, or when they were fixed. This is somewhat mitigated by the also hidden ‘known vulnerabilities’ page, which lists security vulnerabilities and the versions of Firefox in which they were fixed.
Opera 12.16 and 15.0
Version 12.16 of Opera contains only a minor change, to the code signing certificate.
It appears that the classic Opera browser is soon to become extinct. Opera’s developers decided to toss out their distinctive browser and the ‘Presto’ engine on which it was based. Instead, starting with version 15.0, Opera will be based on the Webkit engine. As a result, Opera 15.0 is virtually indistinguishable from Google Chrome. If there’s a specific reason you’ve avoided Chrome in the past, that reason now applies equally to Opera. For instance, Chrome has no sidebar feature, and now neither does Opera.
I have been unable to discover how long Opera’s developers will continue to update and support the 12.x series browser.
Opera version 15.0 is now available, but I can’t bring myself to recommend it. If you want to try it, just look at Chrome.
The perils of saving passwords in your web browser
Web browsers want to make your life easier, which is why they all offer to store web site userids and passwords. But if you thought this was a safe way to store passwords, you’d be wrong. Still, some browsers handle this better than others.
Lock Your Computer
First of all, regardless of which web browser you use, if a person has access to your computer while you are logged in, and you allow your browser to store passwords, you should assume that the person now knows all your web site passwords. Simple techniques can be used to trick any web browser into displaying otherwise obfuscated (e.g. ‘*****’) passwords as plain text. This is yet another reason – as if you needed one – to always lock your computer when you walk away from it. Most operating systems have a setting that locks your computer for you after a period of inactivity. This is the only way to be at all secure; access to your logged-in computer potentially gives intruders access not only to your passwords, but also to all of your documents.
Password saving features in web browsers
Given the above, does it even make sense to worry about how your web browser handles saved passwords? There are arguments for both points of view. From my perspective, security should be layered: getting past one security hurdle shouldn’t open up everything. So if you allow your browser to save passwords, you should consider using the browser’s settings to secure those passwords. The four browsers I use handle passwords with varying degrees of security:
- Firefox: Prompts to store passwords. By default, shows your saved passwords to anyone who looks in the settings. You can set up a master password to control access to the stored passwords; you will be prompted for the master password once per session, and when you try to show your passwords.
- Opera: Prompts to store passwords. Doesn’t show passwords anywhere. You can set up a master password to control access to the stored passwords, which you will be prompted for once per session and at set intervals.
- Internet Explorer: Prompts to store passwords. Doesn’t show passwords anywhere. No master password.
- Google Chrome: Prompts to store passwords. Shows passwords to anyone who looks in the settings. No master password.
Google Chrome stands out in this list, since it both shows your passwords, and has no master password feature. Elliot Kember recently wrote about this, describing Chrome’s password handling as ‘insane’. I’m not sure I would go that far, but Chrome clearly needs a master password feature.
I’d like to see all web browsers show a prominent warning to any user who uses a password saving feature: “WARNING: saved passwords can be retrieved extremely/relatively easily. Always lock your computer when you leave it unattended.”
Update 2013Aug11: Here’s Google’s response.
Update 2013Aug25: Tim Berners-Lee (the person who invented the World Wide Web) weighs in. tl;dr – he agrees that Chrome should at least have a master password.
Web advertising networks: the next malware attack vector?
Researchers speaking recently at the Black Hat Briefings in Las Vegas showed that the Javascript used by most advertising networks could be compromised by a malicious third party. The malicious code could then run in any web browser configured to allow advertising.
Hold on. Wouldn’t the people responsible for the advertising networks and the associated Javascript notice the problem and fix it? Possibly. But not always. If you’re like me, you’ve seen more than a few messed up web ads. A seriously broken web ad can prevent a web page from displaying properly or cause it to load very slowly. It’s one of the many reasons why people use script blocking technology like NoScript.
It’s difficult to predict whether malware purveyors will start using the ad networks like this. But if they do, you can bet we’ll see a surge in script and ad-blocking software installations. Since advertising is the primary source of revenue on the web, this will get the attention of the advertisers, who would hopefully then institute better quality control.
WordPress 3.6 released
Improved revision control and autosave, post locking, and an improved menu editor highlight the changes in WordPress 3.6. There’s also a new theme (Twenty Thirteen), better media support, and better integration for various online services.