Chrome, Google, Patches and updates, Security

Chrome 80.0.3987.87

Leave a comment

The latest release of Google’s Chrome web browser, announced on February 4, includes fifty-six security fixes. As usual, details on all of the related vulnerabilities will not be released until a majority of users are updated with a fix.

The full change log for Chrome 80.0.3987.87 is a whopper, with over sixteen thousand changes in all. A little light reading for anyone with a few hours to spare. But hey, at this point if you don’t trust Google you probably shouldn’t be using Chrome. In the same way that you shouldn’t be using Windows 10 if you don’t trust Microsoft.

Chrome updates itself on its own mysterious schedule, unless you’ve taken extreme (and continuous) measures to prevent it. You can find out which version you’re running by navigating Chrome’s menu (hidden behind the three-vertical-dots menu button at the top right) to Help > About Google Chrome. If a newer version is available, you should see a button or link to install it.

Chrome, Microsoft, Patches and updates, Things that are bad, Things that make me happy, Windows 10

Microsoft news: the good, the bad, and the spiteful

Leave a comment

The Good

Windows 7 support ended earlier this month, and with it any hope of fixing newly-discovered security vulnerabilities. Or did it? Microsoft recently discovered a problem with an update, released in Novemeber 2019, that is causing problems with desktop wallpaper on Windows 7 computers. This isn’t a security issue, but it probably affects thousands of users, and Microsoft has now released a special update that fixes the wallpaper problem. You can get the update via Windows Update on Windows 7 computers.

The Bad

Microsoft’s plans for expanding advertising in Windows 10 continue, albeit very slowly. The latest change is in Windows 10’s default rich text editor, Wordpad. When you run Wordpad, you’ll see an advertisement for Microsoft Office. It’s not much, and many users will never see it, but I’m reminded of the proverbial frog in steadily-warming water.

The Spiteful

Microsoft’s shenanigans with Google show no signs of slowing down. Both companies have engaged in questionable behaviour in trying to promote their software and services. The latest shot from Microsoft is particularly annoying: when Office 365 updates itself — a process that is both frequent and difficult to control — it will look for an installation of Google’s Chrome web browser, and change its default search engine to Bing.

Microsoft has a history of inappropriately reverting settings during updates, which is annoying enough, but this is excessive and downright spiteful, in my opinion. Microsoft, please play out your differences with Google in a way that doesn’t annoy millions of users.

Update 2020Feb11: Microsoft relented, and won’t be switching Windows 10 searches to use Bing during Office 365 updates. I guess they realized that they didn’t need yet another public relations disaster.

Java, Patches and updates, Security

Java 8 Update 241 (8u241)

Leave a comment

Oracle’s Critical Patch Update Advisory for January 2020 documents twelve security vulnerabilities in Java 8 Update 231 and earlier versions.

Java 8 Update 241 was released to address those vulnerabilities. The release notes page for Java 8 lists notable changes in Java 8 Update 241.

These days the only mainstream web browser that still supports Java is Internet Explorer. If you use Internet Explorer with Java enabled, keeping Java up to date is critical.

But even if you don’t use IE with Java, if Java is installed on your computer, it’s a good idea to keep it up to date. If you’re not sure, look for a Java entry in the Windows Control Panel. Open it and click the About button on the General tab to check the installed version. If it’s not up to date, go to the Update tab and click the Update Now button.

Edge, Internet Explorer, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for January 2020; end of support for Windows 7

Leave a comment

The first Patch Tuesday for 2020 arrives with the long-planned but still inconvenient end of meaningful support for Windows 7.

The venerable Windows 7 still runs on about a quarter of all PCs worldwide. Sticking with Windows 7 was — and continues to be — a conscious decision for many users, made because Windows 8 and 10 were problematic for a variety of reasons.

Microsoft killed support for Windows XP on April 8, 2014, but still released updates for that O/S on a couple of occasions when a security vulnerability was so severe that it seemed likely to cause massive problems if unpatched. Microsoft will probably do the same thing for Windows 7, but it’s not a good idea to rely on the goodwill of any large corporation.

So, if you’re running Windows 7, what should you do? You can upgrade to Windows 8.1, which will buy you some time, until its support ends on January 10, 2023. Or you can stop resisting and make the move to Windows 10. Many of the initial problems with — and objections to — Windows 10 have now been addressed, making it somewhat less unpalatable. Microsoft offers additional guidance on the Windows 7 support ended on January 14, 2020 page on the Microsoft support site.

Another sensible option would be to switch to Linux. There are now Linux distributions that feel a lot like Windows, which can ease the transition. The main problem is software. But even if the software you use has no Linux version, you can still run an older version of Windows in a virtual machine on your Linux computer. That’s not too helpful for high-end games, however.

Back to our regularly scheduled updates…

There are thirty-nine updates (and associated bulletins) from Microsoft this month, addressing fifty vulnerabilities in Windows, .NET, Internet Explorer, and Office. Eight of the updates are flagged with Critical severity.

Although there are other ways to obtain the updates, by far the simplest method is to use Windows Update, which is found in the Windows 10 settings, or the Control Panel in older versions.

Update 2020Jan15: One of the vulnerabilities addressed in yesterday’s updates was reported to Microsoft by the NSA. While there’s disagreement about the seriousness of the vulnerability, this is notable in that the NSA previously wasn’t interested in sharing its discovered vulnerabilities. Lack of NSA cooperation led to the WannaCry ransomware nightmare in 2017. Brian Krebs has more.

While it’s generally a good idea to cross your fingers and install all available Microsoft updates, or at least allow them to be installed automatically, some Windows 10 users have grown wary of updates, and configured Windows Updates to be delayed. The actual risk from this vulnerability is mostly for Windows Server 2016 computers that are exposed to the Internet, and Windows 10 computers normally used by people with administrator permissions.

Update 2020Jan17: There’s more useful information about the NSA-reported vulnerability from Ars Technica, and SANS. SANS has created a web page and download that you can use to test your computers for this vulnerability.

Firefox, Mozilla, Patches and updates, Privacy, Security

Firefox 72.0 and 72.0.1

Leave a comment

Security fixes and some welcome changes to notifications and tracking protection were released in the form of Firefox 72.0 on January 7. Firefox 72.0.1 followed the next day, adding one more security fix.

Site notifications are those annoying messages that pop up when you’re browsing web sites, asking — somewhat ironically — whether you want to see notifications for that site. You can still choose to see those, but now Firefox lets you suppress them. To control notifications, navigate Firefox’s Settings to Privacy & Security > Permissions, then click on the Settings button next to Notifications.

Firefox’s already helpful tracking protections were enhanced in version 72 with the addition of fingerprint script blocking. Fingerprinting is a technique used by many companies to better understand you and your online behaviour. While arguably harmless (it’s mostly about providing better ad targeting) fingerprinting is also creepy and a privacy concern. By default, Firefox now blocks scripts that are known to be involved.

Current versions of Firefox default to updating themselves automatically, but you can check for available updates by navigating Firefox’s menu to Help > About Firefox.

Chrome, Google, Security

Security improvements in Chrome

Leave a comment

Google is rolling out some changes to the Chrome web browser that will improve security in several ways. The changes are being spread out across several updates, and exactly when they will arrive on your devices depends on some security-related settings.

Warnings about compromised passwords

When you enter a user ID and password on any web site using Chrome, the browser can check whether that combination is on a list of known-compromised IDs and passwords. Chrome started doing this earlier in 2019, but you had to install the Password Checkup extension to use it. A couple of months ago, Google added this feature to passwords stored in Google accounts, protecting anyone who logs into their Google account in Chrome.

What’s new is that this password protection is now built into Chrome itself, and will now protect all Chrome users by default, regardless of whether they are logged into their Google account.

According to Google, “You can control this feature in the Sync and Google Services section of Chrome Settings.” In my installation of Chrome (version 79.0.3945.88), there’s a new option: Warn you if passwords are exposed in a data breach.

Real-time protection against unsafe sites

Google’s Safe Browsing service provides a continuously-updated list of unsafe sites. When you visit a web site or download a file, Chrome checks the address (URL) against the Safe Browsing list. The file it checks is on your computer, and updated every 30 minutes.

Previously, only a local copy of the unsafe URLs list (updated every 30 minutes by Google) was checked. What’s changed is that a new safe URLs list (stored on your computer and updated by Google) is checked, and if the site you’re visiting isn’t listed as safe, Chrome then checks an unsafe URLs list hosted by Google.

This change allows Chrome to use the most up to date information when deciding whether to warn you about potentially unsafe sites.

You can control this behaviour in Chrome’s settings: Sync and Google Services > Make searches and browsing better.

Expanding predictive phishing protection

When you enter a username and password on a web site, Chrome can check whether you are on a suspected phishing site.

Previously, Chrome only performed this check when you entered Google Account credentials on a web site, and only with the Sync feature enabed. What’s new is that Chrome now checks all passwords stored in Chrome’s password manager, and it does so as long as you’re signed into Chrome, even if Sync is not enabled.

It’s not clear whether there are specific Chrome settings that control this behaviour.

Safe to use

In the blog post announcing these changes, Google is careful to explain that the process of checking your passwords is itself completely secure, and even Google can’t determine your password as part of the process. The other checks that involve sending information to Google’s systems are also secure and private. In other words, you don’t need to worry about any of your information or activity being intercepted or misused, even by Google.

Internet crime, Privacy, Things that are bad

LifeLabs hacked; patient data compromised

Leave a comment

Some security breaches are worse than others. If your bank suffers a breach, the potential for damage is enormous, because banks necessarily store a lot of critical information about you and your money.

Almost as bad are breaches of health-related services, because those systems may store extremely private information about you and your medical history.

Which makes the recently-announced breach of Canada’s LifeLabs (PDF) very disturbing.

The Ars Technica story about this provides a helpful summary of what happened, although it starts out by saying that LifeLabs “paid hackers an undisclosed amount for the return of personal data they stole”. Data can be copied, and when someone copies data to which they have no legal access, it’s a crime. But the idea that data can be ‘returned’ is bizarre.

It’s more likely that LifeLabs was the victim of a ransomware attack, in which data is encrypted by attackers, rendering the data useless until a ransom is paid and the data decrypted by the attackers.

However, it’s also possible that the attackers copied the data to their own systems before encrypting it, with the aim of selling that extremely valuable data, containing names, addresses, email addresses, customer login IDs and passwords, health card numbers, and lab tests. So far, there’s no evidence that the data has made its way to any of the usual dark web markets for such data, but there’s no way to be sure that won’t happen.

Charles Brown, President and CEO of LifeLabs, posted An Open Letter to LifeLabs Customers on December 17, in which he discloses the breach and apologizes to customers. While it’s good to see the company take responsibility, an apology is hardly sufficient. Even the offer of “one free year of protection that includes dark web monitoring and identity theft insurance” seems unlikely to satisfy affected customers. There’s at least one petition in the works, “calling on Parliament’s Standing Committee on Access to Information, Privacy and Ethics (ETHI) to investigate LifeLabs, and put forward recommendations to ensure this doesn’t happen again.”

In British Columbia, users access their LifeLabs test results online using a service called eHealth. It’s not clear whether LifeLabs’ relationship with eHealth is in any way related to this breach. At this point it appears that it makes no difference whether you signed up to access your test results using eHealth. In other words, changing your eHealth password, while advisable, seems unlikely to mitigate the potential damage.

However, as usual in the case of any breach, you should review your passwords, and if you’ve used your LifeLabs or eHealth password for any other site or service, change those passwords to something unique. Do it now.

Email, Internet crime, Things that make me happy

More about those troubling emails

Leave a comment

Some months ago I wrote about the flood of ‘sextortion’ emails almost all of us have been receiving since mid-2018.

Now Brian Krebs reports that the person who most likely wrote the code that started the wave of sextortion emails has surrendered to authorities in France, after being pursued across Europe.

It’s too soon to know what kind of punishment this jerk will face, but here’s hoping it’s significant.

Adobe, Edge, Internet Explorer, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for December 2019

Leave a comment

This month we’ve got a new version of Reader from Adobe, along with the usual heap of updates affecting Microsoft software.

Analysis of Microsoft’s Security Update Guide for December shows that there are thirty-two updates in all, affecting Internet Explorer 9 through 11; Office 365, 2013, 2016, and 2019; Visual Studio; Windows 7, 8.1, and 10; and Windows Server 2008, 2012, 2016 and 2019. Thirty-seven vulnerabilities (CVEs) are addressed, of which seven are flagged as having Critical severity.

The easiest way to install Microsoft updates is via the Windows Update Control Panel (prior to Windows 10) or Settings > Update & Security on Windows 10.

Adobe logoAdobe released updates for several of its software products on Tuesday, but the only one likely to be installed on your computers is the ubiquitous Acrobat Reader DC, Adobe’s free PDF file viewer.

A new version of Acrobat Reader DC, 2019.021.20058, addresses at least twenty-one vulnerabilities in previous versions.

Recent versions of Reader seem to keep themselves updated, but if you use Reader to view PDF files from dubious sources, you should definitely check whether your Reader is up to date. Do that by running it, then choosing Check for Updates... from the Help menu.

About CVEs

I usually refer to security bugs as vulnerabilities. There’s another term that I sometimes use (see above): CVE. That’s an abbreviation for Common Vulnerabilities and Exposures. If you’d like to know more, there’s a helpful post about CVEs over on the SecurityTrails web site. Here’s a quote:

CVE was launched in 1999 by the MITRE Corporation, a nonprofit sponsored by the National Cyber Security Division, or NCSD. When a researcher or a company discovers a new vulnerability or an exposure, they add them to the CVE list so other organizations can leverage this data and protect their systems.

It’s a worthwhile read, even for non-technical folks.

Firefox, Mozilla, Patches and updates, Security

Firefox 71.0

Leave a comment

Firefox is my current web browser of choice. I use Google Chrome sparingly, because it’s gotten so bloated and resource-intensive that I can’t leave it running. Perhaps that will change; it wasn’t that long ago that Chrome seemed like the best choice.

I still use Opera and Vivaldi for certain specific activities. And while there’s still no way I can stop using Internet Explorer altogether, I only do so when absolutely necessary. I avoid Edge completely, as it seems hopelessly buggy. There are other alternatives, but for now, Firefox is my main browser.

The latest version of Firefox is 71.0. The new version improves some existing features and adds a few more. Several bugs are fixed, including some security vulnerabilities.

New in Firefox 71.0

  • The integrated password manager, which Mozilla calls Lockwise, now differentiates between logins for different subdomains. If you have one login for subdomain1.domain.com and another for subdomain2.domain.com, they will no longer be conflated.
  • Lockwise will also now display a warning if it finds one of your passwords in a list of potentially compromised passwords.
  • The Enhanced Tracking Protection feature will now show a notification when Firefox blocks cryptomining code. You can see what Firefox is blocking by clicking the small shield icon at the far left of the address bar.
  • You can now view video in a floating window using the Picture-in-picture feature. Look for a small blue button () along the right edge of a video and click it to pop out the PiP window.

Security fixes

Eleven security vulnerabilities are addressed in Firefox 71.0. None of them are ranked as critical, and there doesn’t seem to be any evidence that any have been used in actual attacks. Still, it’s best to close those holes before they can be exploited.

How to update Firefox

Check which version of Firefox you’re running by navigating its ‘hamburger’ menu (at the top right) to Help > About Firefox. If you’re not running the latest version, you should see a button that will allow you to upgrade.

Rants and musings on topics of interest. Sometimes about Windows, Linux, security and cool software.

Close

Ad-blocker not detected

Consider installing a browser extension that blocks ads and other malicious scripts in your browser to protect your privacy and security. Learn more.