Firefox 56.0.1: 64 bits for the rest of us

October 19, 2017 jrivett Leave a comment

On October 9, Mozilla released Firefox 56.0.1, which is notable in that it’s the first version that will automatically upgrade 32-bit Firefox to 64-bit Firefox. The 64-bit version has been available for a while, but Mozilla chose to hold off automatically upgrading 32-bit installs to 64-bit until now.

As usual, there was no announcement for Firefox 56.0.1 from Mozilla. Not even CERT helped here, since the new version doesn’t contain any security fixes. I learned about the new version when Firefox itself prompted me to upgrade on October 18, more than a week after the release.

On the positive side, the upgrade from 32- to 64-bit Firefox on my Windows 8.1 computer worked flawlessly. Somewhat oddly, the 64-bit version installed in the same directory as the 32-bit version: C:\Program Files (x86)\Mozilla Firefox. On 64-bit versions of Windows, 64-bit applications usually get installed in C:\Program Files. Regardless, I haven’t experienced any new problems or strange behaviour, and my old Firefox shortcuts still work. According to Mozilla, the 64-bit version of Firefox is demonstrably more stable and secure.

Firefox 56.0.1 includes a single bug fix, unrelated to security.

Adobe, Flash, Patches and updates, Security

Flash 27.0.0.170 fixes one security issue

October 17, 2017 jrivett Leave a comment

And just like that, we get another version of Flash, this one addressing a single security vulnerability. From the security bulletin: “Adobe is aware of a report that an exploit for CVE-2017-11292 exists in the wild, and is being used in limited, targeted attacks against users running Windows.”

Anyone still using Flash in their web browser should install the new version as soon as possible. You can check which version you’re running and download the new one at the Flash version checker and download page.

As usual, Chrome will get the new Flash via its own internal update system, and Microsoft browsers will be updated via Windows Update.

Adobe, Flash, Patches and updates

No security fixes in latest Flash: 27.0.0.159

October 12, 2017 jrivett Leave a comment

A new version of Flash includes a few bug fixes and other functionality changes, but no security fixes. Still, you’ll most likely need to update Flash in your browser to view Flash content.

As usual, Chrome will get the new Flash via its own internal update system, and Microsoft browsers will be updated via Windows Update.

Flash 27.0.0.159 announcement
Security bulletin associated with Flash 27.0.0.159
Flash version checker and download page

Edge, Internet Explorer, Microsoft, Patches and updates, Security, Windows

October 10, 2017: Patch Tuesday

October 10, 2017 jrivett Leave a comment

Imagine a world in which there were no software updates; no security vulnerabilities; no bugs at all. The idea of such a place makes me happy. This utopia is destined to remain a fantasy, sadly. All software has bugs, and that will never change.

Inspection of Microsoft’s Security Update Guide (SUG) as of 10am today shows the usual massive list of updates, only some of which will affect most of us. You can wade into that if you have some time and access to painkillers, or you can download the list and open it in Excel, which is a lot easier to work with, and is what I do.

Analysis of the update data shows that there are fifty updates this month. Sixteen of those updates are flagged as Critical. A total of sixty-seven vulnerabilities in Windows, Office, Internet Explorer, and Edge are addressed.

As usual, the announcement of this month’s updates does little more than tell us what we already knew: that there are updates today, and where to find them.

Time to patch those computers!

Update 2017Oct11: The Register points out that while vulnerabilities affecting Windows 10 are being patched by Microsoft as soon as they are identified, Windows 7 and 8 systems don’t get those updates until the next Patch Tuesday. This creates an opportunity for malicious persons to analyze the Windows 10 updates and create exploits that work on Windows 7 and 8.

Email, Privacy, Security

Text-only email: boring but safe

October 4, 2017 jrivett Leave a comment

In the late 1990s and early 2000s, when formatted email first became widely-used, displaying formatted email was dangerous, because vulnerabilities in Windows allowed specially-crafted email to execute code on the recipient’s machine. Merely previewing formatted email was risky.

Windows updates and email client changes reduced the effectiveness of malware embedded in the content of email, although clickable links and attachments were still — and continue to be — dangerous.

These days, the dangers of enabling formatted text and images in email are mostly about privacy. A significant portion of all email — especially email sent through mass messaging services like Mailchimp — contains tiny images that, when viewed in an email client, tell the sender when you viewed it. This information is used by the sender to determine the effectiveness of their email campaign. It’s not dangerous, but it is creepy. Of course, not all embedded images are there for marketing reasons; some have more nefarious purposes.

The dangers of email can be almost eliminated by configuring your client software to display email in plain text (without any formatting), and without images. Better still, for those concerned about having their actions tracked online, using text-only email prevents any image-based tracking that would otherwise occur when you open your email.

Most desktop email client software has options that force all email to be viewed in a plain text format. Web-based clients are less likely to offer this option, but some, including GMail, can at least be configured not to display images.

I have always recommended the use of text-only email, and I follow my own advice. Email is still the easiest way for malicious persons to induce unwary users into taking actions that should be avoided. As long as that’s true, the only truly safe way to use email is to disable formatting and images. This also makes email less engaging, but I’m willing to forego fancy-looking email for safety and privacy.

References

The Conversation: The only safe email is text-only email
Freedom To Tinker: I never signed up for this! Privacy implications of email tracking

Firefox, Mozilla, Patches and updates, Privacy

Firefox 56.0 released

September 30, 2017 jrivett Leave a comment

It’s a major new version number, but there’s not much to get excited about in Firefox 56.0, unless the ability to take screenshots in your browser was on your wish list.

Also new in Firefox 56.0 is the Send Tabs feature, which allows you to send web page links to your other devices. Right click on any web page and select Send Page To Device to try it. I suppose it’s easier than sending yourself email.

Starting with version 56.0, Firefox’s web form autofill feature can fill in address fields. I didn’t even know this was missing in previous versions. In any case, this feature is currently only available for users in the USA; it will be made available in other countries in the coming weeks.

Firefox’s preferences (Options) pages have been reorganized and cleaned up significantly. There’s now a search box on the Options page, which should make finding that elusive setting a bit easier. The explanatory text associated with many options has been improved for clarity. The privacy options and data collection choices have been reworked so they are better aligned with the updated Privacy Notice and data collection strategy.

Finally, media on background tabs will no longer play automatically; it will only start playing once the associated tab is selected.

The release notes for Firefox 56.0 have additional details.

Chrome, Google, Patches and updates, Security

Chrome 61.0.3163.100

September 26, 2017 jrivett Leave a comment

There are exactly fifty-seven items in the change log for Chrome 61.0.3163.100. Some of those changes are version increments and other housekeeping; about forty are actual changes to functionality. Most of those changes are fixes for minor issues. Three of the fixes are for security issues.

If you’ve stopped trying to prevent Chrome from updating itself, it will no doubt proceed with this update automatically. But since the new version includes security fixes, it’s a good idea to make sure. Click the main menu button (three vertical dots at the top right of Chrome’s window), then Help > About Google Chrome.

Patches and updates, Vivaldi

Vivaldi 1.12: bug fixes and some useful improvements

September 25, 2017 jrivett Leave a comment

In response to frequent requests from users, the folks who make Vivaldi have finally added an Image Properties feature to the browser. Right-click an image on a web page and select ‘Image Properties’ to display a dialog showing the image’s URL, dimensions, binary size, and more.

Download management is somewhat easier in Vivaldi 1.12: the list of downloaded files can now be sorted by type, name, size, date added, date finished, and address. There’s a new panel at the bottom of the download sidebar that shows the details for a selected download.

Vivaldi’s Accent Color feature changes the browser’s colour scheme to match the web site currently being viewed. I personally find this kind of thing distracting, but there’s no accounting for taste. If you use this feature, you’ll be happy to know that Vivaldi now has a setting that determines the intensity of the accent color effect.

Vivaldi 1.12 includes fixes for about fifty bugs from earlier versions. None of the changes appear to be related to security. You can see all the details in the release announcement.

Malware, Patches and updates, Security, Things that are bad, Windows

CCleaner malware incident

September 19, 2017 jrivett Leave a comment

A recent version of the popular Windows cleanup tool CCleaner contains malware, apparently added by malicious persons who gained access to a server used by the software developer, Piriform.

The malware was found only in the 32-bit version of CCleaner 5.33.6162. No other versions were affected.

Piriform reacted quickly to the discovery, and yesterday released a new version: CCleaner 5.34.

If you have CCleaner installed on any Windows computers, you should make sure you’re running version 5.34, and if not, install it as soon as possible.

Update 2017Sep23: The server that was breached is actually managed by Avast, which purchased CCleaner software developer Piriform in July.

Ongoing analysis of the hack revealed that this may have been a state-sponsored attack, and that it specifically targeted high profile technology companies. Apparently the malware in the compromised version of CCleaner contained a second payload that was only installed on about twenty computers at eight tech companies.

Adobe, Edge, Flash, Internet Explorer, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for September 2017

September 12, 2017 jrivett Leave a comment

This month’s updates from Microsoft include a patch for a nasty zero-day vulnerability in the .NET framework.

The announcement for this batch of updates is of course just a link to the Security Update Guide, where it’s up to the user to wade through piles of information and determine what’s relevant.

Here’s what I’ve been able to glean from my explorations: there are ninety-four updates, affecting Internet Explorer, Edge, Windows, Office, Adobe Flash Player, Skype, and the .NET Framework. A total of eighty-five vulnerabilities are addressed, twenty-nine of which are flagged as Critical.

As you may have guessed, this month we also have yet another new version of Flash. Microsoft included the new version in updates for Edge and Internet Explorer, and Chrome will get the new version via its internal auto-updater. Desktop Flash users should visit the main Flash page to get the new version. Flash 27.0.0.130 addresses two critical vulnerabilities in previous versions.

boot13