Chrome 64.0.3282.119 released

The latest version of Chrome is 64.0.3282.119. The new version, released earlier this week, fixes fifty-three security issues, and includes additional mitigations for the Spectre/Meltdown vulnerabilities.

The full change log lists ten thousand changes in the new version. There might be some interesting stuff in there, but I’m going to assume that if there was anything worth pointing out, Google would have done that in the release announcement.

Firefox 58.0

Earlier this week Mozilla released Firefox 58.0. The new version makes significant improvements to its graphics engine and JavaScript handling, which should translate into faster page rendering, especially on sites that use a lot of JavaScript. Mozilla says we can expect further performance improvements in Firefox in the coming weeks.

At least thirty-two security vulnerabilities are addressed in Firefox 58.0. The release notes for Firefox 58.0 provide additional details.

Note that Firefox 58.0 user profiles are not compatible with earlier versions of Firefox, so if you don’t like 58.0 and decide to downgrade, you’ll have to create a new profile.

Opera 50.0.2762.67: security fixes for Meltdown and Spectre

The latest version of Opera contains changes meant to mitigate the Spectre and Meltdown CPU vulnerabilities. Effectively, it’s now more difficult to exploit the vulnerabilities using JavaScript running in Opera. In the major browsers these mitigations take the form of coarser JavaScript timers and the disabling of SharedArrayBuffer, because the published proofs of concept rely on precise timing to observe the state of the CPU cache. Similar changes have already been made in the other major browsers.

Several Windows-specific issues were also addressed in Opera 50.0.2762.67. The change log for Opera 50 provides details.

Spectre/Meltdown fixes for Vivaldi

A Vivaldi update described as ‘minor’ includes mitigations for the Spectre and Meltdown vulnerabilities. The changes are intended to make exploiting Spectre and Meltdown much more difficult in the context of Vivaldi itself. Other browser makers have released — or are working on — similar updates.

The announcement for Vivaldi 1.13.1008.44 is light on details, and there’s no link to a change log. The new version number isn’t even mentioned.

Java 8 Update 161

Released as part of Oracle’s January 2018 Critical Patch Update, Java 8 Update 161 fixes twenty-one security vulnerabilities in previous versions.

You’re much less likely to be affected by Java vulnerabilities these days, as most web browsers no longer support Java. The only mainstream browser that still runs Java code is Internet Explorer. If you use Internet Explorer with Java enabled, you should update Java as soon as possible, via the Java Control Panel applet, or by visiting the official Java download page.

Spectre/Meltdown CPU flaws: latest news

It’s been about two weeks since the Spectre and Meltdown CPU flaws were revealed to the world, and we now have a better picture of the scope and impact of those flaws.

Intel CPU chips are vulnerable to both Spectre and Meltdown: almost every Intel CPU made since 1995 is affected. AMD CPUs are vulnerable to Spectre but, according to AMD, not to Meltdown. ARM, whose cores are found in millions of mobile and IoT devices, says many of its cores are vulnerable to Spectre and a few recent ones (the Cortex-A75, for example) to Meltdown as well.

Spectre variant 1 and Meltdown have been patched in Windows, macOS, iOS, Android, and Linux. The Meltdown fix separates kernel and user page tables (KPTI on Linux, kernel VA shadowing on Windows), which makes every system call more expensive, so its cost shows up mainly on I/O- and syscall-heavy workloads; so far, ordinary desktop use on those platforms does not seem noticeably slower.

Spectre variant 2 is the hard one. Intel’s fix needs new CPU microcode, normally delivered by a firmware (BIOS/UEFI) update, plus operating-system support to make use of it; the firmware update will be optional on most platforms, and it is the part that seems likely to reduce performance. (Linux also has a compiler-level mitigation, retpoline, that does not depend on the new microcode.) Firmware updates are more difficult to install than software updates. The task should not be undertaken by casual users, since mistakes can result in ‘bricked’ (unusable) devices. Linux is a partial exception: it can load Intel’s microcode from a file during startup (the distribution’s microcode package, applied from the initramfs), so the CPU gets the new microcode without the firmware being reflashed.

Intel is making available firmware updates that will hopefully eliminate the threat on affected computers, but — as Microsoft has demonstrated — many of those computers will be slowed significantly by the updates. Intel is downplaying the performance impact, saying that many users won’t even notice the difference.

Microsoft estimates the performance impact of firmware updates on Windows computers with Intel processors will vary depending on:

  • CPU: Haswell and older will be affected more
  • O/S version: Windows 7 and 8 will be affected more than Windows 10
  • I/O bound servers could be affected greatly (on Windows Server the mitigations are off by default, and Microsoft suggests weighing the risk from untrusted code against the performance cost before enabling them)
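
Whether a particular Windows machine actually has the variant 2 microcode, the matching OS support, and the mitigations switched on can be read from Windows itself. The following is an added example, not code from the original post or from Microsoft: it uses Microsoft’s SpeculationControl module from the PowerShell Gallery (the property names are those the module reported in January 2018) and then reads the FeatureSettingsOverride registry values through which Microsoft documents turning the mitigations on or off. The function names are mine. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original post). Needs an elevated PowerShell session
# and, for the module install, access to the PowerShell Gallery.

# 1. Microsoft's SpeculationControl module reports whether the CPU microcode,
#    the Windows support and the enabled state are all present.
if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    Install-Module -Name SpeculationControl -Scope CurrentUser -Force
}
Import-Module SpeculationControl
$status = Get-SpeculationControlSettings    # also prints a readable summary
"Variant 2: microcode present={0}, OS support enabled={1}" -f `
    $status.BTIHardwarePresent, $status.BTIWindowsSupportEnabled
"Meltdown : mitigation required={0}, enabled={1}" -f `
    $status.KVAShadowRequired, $status.KVAShadowWindowsSupportEnabled

# 2. The registry override Microsoft documents for forcing the mitigations on or off.
#    Bit 0 (value 1) disables the Spectre variant 2 mitigation, bit 1 (value 2)
#    disables the Meltdown (kernel VA shadow) mitigation; the Mask selects which
#    bits of the override are honoured.
$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-MitigationOverride {
    $props    = Get-ItemProperty -Path $mm -ErrorAction SilentlyContinue
    $override = $props.FeatureSettingsOverride
    $mask     = $props.FeatureSettingsOverrideMask
    if ($null -eq $override -or $null -eq $mask) {
        return 'No override set: OS defaults apply (on for client Windows, off for Windows Server)'
    }
    $effective = $override -band $mask
    $v2   = if ($effective -band 1) { 'disabled' } else { 'enabled' }
    $melt = if ($effective -band 2) { 'disabled' } else { 'enabled' }
    return "Override present: Spectre v2 mitigation $v2, Meltdown mitigation $melt"
}

function Enable-Mitigations {
    # Microsoft's documented "turn both on" setting: override 0, mask 3.
    # A reboot is required for the change to take effect.
    New-ItemProperty -Path $mm -Name FeatureSettingsOverride     -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $mm -Name FeatureSettingsOverrideMask -PropertyType DWord -Value 3 -Force | Out-Null
}

Get-MitigationOverride
```

On a client PC with the January updates but no firmware update, expect the module to show the Windows support present and enabled for variant 2 but the hardware (microcode) support absent: that is the case the paragraphs above describe, where the OS is ready and the missing piece is the vendor’s firmware.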

Unfortunately, many PC and device makers first learned of the CPU flaws when the rest of us did: on January 3. While Intel, Microsoft, and the other major players knew about the problem months earlier, less high-profile companies are now scrambling to develop firmware updates for their devices. Most are concentrating on their most recent models, and may never release updates for older devices. For example, as of January 21, the Asus web site does not show any recent firmware updates for my Asus M70AD PC. Millions of other devices seem likely to remain permanently vulnerable to Spectre 2.

The Spectre and Meltdown flaws are very deep inside the internal hardware of almost all computers. This makes them very unusual: more difficult to fix, and potentially very dangerous. Even worse, many Internet of Things devices use affected chips; these devices are usually difficult (if not impossible) to update, and may never be fixed.

The vulnerabilities were found in mid-2017 (Google’s Project Zero reported them to Intel in early June), and disclosed privately to CPU chip makers first, then to O/S makers, browser makers, cloud and server providers. Some arguably important groups were left out, including CERT/CC, but despite disclosure being handled responsibly, the news leaked out ahead of the planned January 9 date, on January 3. A lot of work had already been done, but hardly anyone was truly ready.

Intel’s response to the flaws in their CPUs has been criticized by some, and it does seem that the chip giant is not being completely transparent. Intel continues to downplay the seriousness of the flaws, and the performance impact of firmware updates. It’s also fair to ask whether in the rush to increase processor speed, security is being neglected by Intel and the other chip makers. The Spectre and Meltdown flaws should arguably have been caught in development.

What are the actual risks involved?

A malicious process on your computer could read data belonging to another process (such as your banking app) or to the operating system kernel and send it to anyone. Meltdown lets an unprivileged process read kernel memory, which on most operating systems maps all of physical RAM; Spectre tricks another process, or the kernel, into leaking its own data through the CPU cache. Both have been demonstrated as effective, and the Spectre attack has even been carried out from specially-crafted JavaScript code on a web site, reading memory of the browser process.

A malicious tenant on a shared server, web-based service, or cloud host could read data from another customer’s process or virtual machine running on the same hardware.

Risks going forward: this has all been rushed (despite some advance warning), and the changes are at the core of CPUs and O/S kernels. Emergency fixes have a way of causing new, hidden problems. We will probably be dealing with the fallout from these flaws for months.

Update 2018Jan23: Intel is now telling us to avoid earlier firmware updates while they work on new updates that (hopefully) avoid rebooting issues on computers running Haswell and Broadwell CPUs. Meanwhile, there’s some strong language coming from Linus Torvalds (Linux’s creator) about the quality of the firmware fixes coming from Intel.

More rug-pulling by Google

“Hey, look here! We’ve got a great service that you need to be using. Okay, cool, now that you’ve been using the service for a while, we’re going to shut it down. Because of reasons.” — Google’s secret motto

Okay, it’s not like YouTube is shutting down, but Google has changed the rules for monetising video, and that change is going to affect a lot of creators. Specifically, starting in February, you’ll need 1000 subscribers and 4000 hours of watch time (time people spent watching your videos) in order to make money from them.

Google’s explanation? “In 2018, a major focus for everyone at YouTube is protecting our creator ecosystem and ensuring your revenue is more stable.” What does that even mean?

It seems clear that this change is a reaction to recent events, including several major advertisers pulling ads from YouTube in 2017 because of extremist content. There’s less money to go around, so Google is saving money by cutting off people who arguably need it most.

Full disclosure: my own YouTube account will be affected by this change. I’m currently in the YouTube Partner Program, which allows me to monetise my videos. Not that I’ve made much money from those ads. Google seems to make a lot more money selling ads than it hands out to people hosting those ads on their videos and web sites. In any case, I will no longer be able to earn money from ads on my videos after February.

Google, your search engine is amazing, and I use a lot of your (free) services, so I shouldn’t really complain. But dammit, this is getting annoying.

Related links

Ars Technica: YouTube raises subscriber, view threshold for Partner Program monetisation
Futurism: YouTube Cracks Down on Eligibility Requirements for Which Video Channels Can be Monetized

Opera 50 released

Opera, the alternative web browser from Norway, adds several new features in version 50, which was released earlier in January.

Perhaps the most interesting new feature detects and blocks covert cryptocurrency mining, a new threat that sneakily uses your computer’s resources to make money for the perpetrators.

Other changes in this release include:

  • Chromecast support
  • VR Player enhancements, including Oculus Rift support
  • new: save web pages as PDF files
  • improvements to the tab context menu
  • currency and unit converter improvements
  • better crash protection
  • enhancements to the built-in VPN service

You can peruse the Opera 50 change log for additional details. Keep in mind that the log shows all changes to Opera 50 from its origin as a developer release in September 2017, through its beta stages, to its official release in early 2018.

Patch Tuesday for January 2018

This month’s pile of Microsoft patches includes some that help to mitigate the recently-discovered Spectre and Meltdown vulnerabilities in Windows 7 and 8. Windows 10 machines received these updates last week, as soon as they were made available by Microsoft, because of course there’s no way to stop that from happening. Unfortunately for folks running some older AMD processors, the Spectre/Meltdown updates are causing Windows to crash, and Microsoft has now disabled those updates for affected computers.

It gets worse. Some antivirus products rely on undocumented ways of hooking into the Windows kernel, and those techniques make assumptions about kernel memory that no longer hold once the Meltdown update (which separates kernel and user address spaces) is installed, producing blue-screen crashes. Microsoft is therefore blocking this month’s updates on computers that are missing a special registry value: the idea is that the anti-malware vendor sets this flag only once its product is confirmed compatible, and safe to run alongside the updates. On my Windows 8.1 computer, Windows Update initially did not show this month’s security-only (KB4056898) or security rollup (KB4056895) updates. That’s because (gasp) I wasn’t running any anti-malware software. To get the update, I re-enabled Windows Defender, which created the missing registry entry, and re-ran Windows Update.
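
The flag in question is a REG_DWORD value, documented by Microsoft, under a QualityCompat key in the Memory Management part of the registry. The following is an added example, not code from the original post or from Microsoft, for checking whether it is present and, if you have confirmed your anti-malware product is compatible (or run none), setting it yourself instead of toggling Windows Defender. The function names are mine; the key, value name and data are Microsoft’s.

```powershell
# Added example (not from the original post). Checks and optionally sets the
# anti-malware compatibility flag that Windows Update requires before offering
# the January 2018 security updates. Key, value name and data as published by Microsoft.
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\QualityCompat'
$valueName = 'cadca5fe-e09a-4f45-a5c9-6c62b1df7648'

function Test-QualityCompatFlag {
    if (-not (Test-Path $keyPath)) { return $false }
    $item = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    $value = $item.PSObject.Properties[$valueName]
    # Microsoft specifies REG_DWORD with data 0; anything else is treated as "not set".
    return ($null -ne $value -and $value.Value -eq 0)
}

function Set-QualityCompatFlag {
    # Setting this is the vendor's promise that its product does not depend on the
    # kernel behaviour the Meltdown patch changes. Only set it yourself when you have
    # verified that (or run no third-party anti-malware). Requires an elevated shell.
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null
}

if (Test-QualityCompatFlag) {
    'QualityCompat flag present: the January 2018 updates can be offered.'
} else {
    'QualityCompat flag missing: Windows Update will withhold the January 2018 updates.'
}
```

Run Test-QualityCompatFlag before and after re-enabling Windows Defender (or after your anti-malware vendor’s update) and you can see exactly the change that made the updates appear.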

There’s also a special security advisory (ADV180002) in this month’s updates, in which Microsoft lays out the Spectre/Meltdown issue, its effect on Microsoft software, and ways to mitigate the associated vulnerabilities.

Back to our regularly-scheduled Patch Tuesday…

The January 2018 update announcement as usual contains zero useful information, serving only as a pointer to the Security Update Guide. Analysis of this month’s guide data shows that there are seventy-two updates, addressing fifty-six vulnerabilities in .NET, Internet Explorer, Edge, Office, Windows, Flash Player, Sharepoint, and SQL Server.
