Chrome 59.0.3071.86

With thirty security fixes in Chrome 59.0.3071.86, I would expect Google to emphasize the need for users to update as soon as possible. Instead, the release announcement says “This will roll out over the coming days/weeks.” Presumably Google feels that the fixed security issues are too obscure to represent any imminent threat.

To be fair, personal experience has shown that Chrome is great at detecting updates, often very soon after they become available. Visiting the About page is usually enough to trigger an update. Click the three-vertical-dots menu button, then choose Help > About.

If you have several hours to kill, you might want to check out the change log for Chrome 59.0.3071.86, which by my count contains 10,911 entries.

Google’s new Chrome ad blocker raises questions

Google is giving web advertisers until the end of the year to comply with the standards set by the Coalition for Better Ads, after which a new ad-blocker in Chrome will start blocking non-compliant ads.

This raises some interesting questions.

Google is the biggest provider of advertising services on the web. Will Google block ads from its own platform if they don’t meet the new standards? That scenario, while interesting to ponder, is unlikely to occur, since Google’s ad creation tools will presumably prevent it.

If Google’s ads are unlikely to be blocked, won’t this be viewed as anti-competitive behaviour by other advertisers? Google will point to the independent standards set up by the CBA, but will that be enough? Less-reputable advertising providers — those allowing the sorts of ads Google wants to block — stand to lose significant revenue. These days it doesn’t take much to trigger a lawsuit, and Google is a favourite target for litigation, because it has enormously deep pockets.

From the user perspective, Chrome’s new ad blocker will be purely beneficial. Opera already has a built-in ad blocker, and it’s likely that the other major browser makers are working on similar features. But there are weird times ahead for Google.

More bungled Windows updates

If you’re on the Windows Insider program — the one that gets you early looks at where Windows 10 is heading — you may have noticed some unusual updates in the last day or so.

First, a new development version of Windows 10 was rolled out to some unlucky users. This version was not intended for users, even those on the Insider Preview program. Microsoft caught the error and stopped the update, but if your computer was affected, you may notice some new “issues that impact usability of your PC.” You can roll back to the previous release, or live with any new issues until the next release.

Second, a development version of the mobile variant of Windows 10 was pushed out, again unintentionally. If your mobile device received this unfortunate update, it’s probably no longer usable. Microsoft recommends using their Windows Device Recovery Tool to fix the problem.

Microsoft wants us all to trust them to install updates whenever they want, but mistakes like these are not helping.

Ars Technica has more.

Google improves GMail security

I’ve tried other search services, but I always end up back at Google, because the search results are consistently better. Google does collect information about its users, and uses that information to target advertising. Google also looks at the content of GMail messages for the same reason. If that bothers you, there are ways to prevent it, or you can stop using Google’s products and services.

That said, in all my years of using Google’s services, I’ve never encountered anything that made me want to stop using them. Google does occasionally annoy me by dropping services like Reader, and Google’s advertising is ridiculously overpriced, but on balance the company provides far more benefit than any potential harm.

For example, Google spends enormous amounts of time and resources on making the web safer for everyone. Much of that effort goes unheralded, but occasionally we catch glimpses in the form of blog posts, like this one, describing recent improvements to GMail security. Compare that with Yahoo’s recent track record, which clearly shows that user security and privacy are not a priority at that company.

Opera 45.0.2552.812

An Opera release somehow got past my “infallible” system for not missing anything important. Back to the drawing board I guess.

The Opera users among you probably noticed the browser having trouble disengaging itself from the Windows taskbar lately. Opera 45.0.2552.812, released on May 15, finally fixes this annoying issue. A handful of other minor bugs are addressed in the new version. None of the fixes are related to security.

Timeline: NSA hacking tool to WannaCry

A recent Washington Post article is helping to answer some questions about Microsoft’s actions in recent months. Here’s a timeline of events:

2012 (or possibly earlier): The NSA identifies a vulnerability in Windows that affects all existing versions of the operating system, and has the potential to allow almost unfettered access to affected systems. A software tool — an exploit — is developed either for, or by, the NSA. The tool is called EternalBlue. People at the NSA worry about the potential damage if the tool or the vulnerability became public knowledge. They decide not to tell anyone, not even Windows’ developer, Microsoft.

EternalBlue finds its way into the toolkit of an elite hacking outfit known as Equation Group. Although it’s difficult to know for certain, this group is generally assumed to be operating under the auspices of the NSA. Equation Group may work for the NSA as contractors, or they may simply be NSA employees. Regardless, the group’s actions seem to align with those of the NSA: their targets are generally in places like Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali.

Early to mid-2016: A hacking group calling themselves The Shadow Brokers somehow gains access to NSA systems or data, and obtains copies of various NSA documents and tools. Among those tools is EternalBlue.

August, 2016: The Shadow Brokers begin publishing their NSA haul on public services like Tumblr.

January 7, 2017: The Shadow Brokers begin selling tools that are related to EternalBlue.

Late January to early February 2017: The NSA finally tells Microsoft about the vulnerability exploited by EternalBlue. We don’t know exactly when this happened, but it clearly happened. The NSA was Microsoft’s source for this vulnerability.

February 14, 2017: Microsoft announces that February’s Patch Tuesday updates will be postponed. Their explanation is vague: “we discovered a last minute issue that could impact some customers.

Late February 2017: The Windows SMB vulnerability exploited by EternalBlue is identified publicly as CVE-2017-0144.

March 14, 2017: March’s Patch Tuesday updates from Microsoft include a fix for CVE-2017-0144, MS17-010. The update is flagged as Critical and described as Security Update for Microsoft Windows SMB Server (4013389). Nothing in Microsoft’s output on March 14 calls special attention to this update.

April 14, 2017: The Shadow Brokers release 300 megabytes of NSA material on Github, including EternalBlue.

May 12, 2017: WannaCry ransomware infection wave begins. The malware uses EternalBlue to infect vulnerable computers, mostly Windows 7 PCs in Europe and Asia. Infected computers clearly had not been updated since before March 14, and were therefore vulnerable to EternalBlue.


It’s now clear that the NSA is the real problem here. They had several opportunities to do the right thing, and failed every time, until it was too late. The NSA’s last chance to look at all good in this matter was after the vulnerability was made public, when they should have made the danger clear to the public, or at least to Microsoft. Because, after all, they knew exactly how useful EternalBlue would be in the hands of… just about anyone with bad intent.

Everyone involved in this mess acted foolishly. But whereas we’ve grown accustomed to corporations caring less about people than about money, government institutions — no matter how necessarily secretive — should not be allowed to get away with what the NSA has done. Especially when you consider that this is just the tip of the iceberg. For every WannaCry, there are probably a thousand other threats lurking out there, all thanks to the clowns at the NSA.

Ars Technica’s analysis.

Techdirt’s analysis.

Rants and musings on topics of interest. Sometimes about Windows, Linux, security and cool software.