boot13A few minor issues were identified in the recently-released Vivaldi 1.8 (1.8.770.50), and addressed in yesterday’s release of Vivaldi 1.8.770.54. There’s no urgency about this update unless you’re affected by the problems described in the release announcement.
Vivaldi 1.8
The latest version of Vivaldi sports a reworked browsing history, and better control over audio, as well as several bug fixes. The release announcement lists all the changes. None of the changes appear to be related to security.
Vivaldi 1.8’s new history interface is a real improvement over what’s available in other browsers. Anyone who spends a lot of time reviewing their browsing history will appreciate the new calendar view.
Despite the improvements, I’d rather the Vivaldi development team spend their time fixing issues with the user interface. The sidebar bookmark editor is still weirdly difficult to use, and it’s also now apparently impossible to remove. There are still inconsistencies in the way links and bookmarks are handled, and the browser still lacks options that would allow complete control over whether links and bookmarks open in new tabs.
Update 2017Apr05: the full version number is 1.8.770.50.
Chrome 57.0.2987.133
Five security issues and a few dozen other bugs are addressed in Chrome’s latest release, version 57.0.2987.133. See the full change log for details. Chrome usually does a good job of updating itself, but you can prod it by clicking the ‘three dot’ menu icon and navigating to Help > About Google Chrome.
It’s probably a good idea to stop using LastPass right now
Password management tools are generally a good thing. Most of us have so many passwords now that remembering them all is difficult. While it’s tempting to use one or two passwords everywhere, this is generally viewed as a bad idea. Same goes for short or easy-to-guess passwords: bad idea.
I recommend using password management software that runs natively, on your computer. I personally use Password Corral, and have used Bruce Schneier’s Password Safe. Both store your password data on your computer, not on someone else’s computer (aka ‘the cloud’). Both are relatively basic in terms of functionality: they allow you to store all of your passwords securely; password data is encrypted and protected by a master password. They can also generate new, random passwords.
There are plenty of other password management solutions out there. Some of the most popular ones, like LastPass, provide more features and are easier to use, but there’s typically a cost. For instance, it would definitely be convenient if I could access my passwords from any computer. But if that means my password data is stored on the cloud somewhere, well, no thanks. The same goes for browser extensions that enter passwords automatically.
Which brings us to yesterday, when a Google Project Zero security researcher reported a serious vulnerability in the LastPass browser extension. With the extension enabled in your browser, a malicious web site could steal all of your passwords from the LastPass data files. Yikes. But wait, there’s more! If you’re also running the main LastPass software on your computer, a malicious web site could execute arbitrary code on your computer.
LastPass issued a response to this report, confirming the problem. Their advice to users is vague, but that’s actually a good thing: if they said too much, it could provide clues about the vulnerability to malicious hackers. But the message is clear: if you have to use LastPass, disable the Lastpass browser plugin:
Use the LastPass Vault as a launch pad – Launch sites directly from the LastPass vault. This is the safest way to access your credentials and sites until this vulnerability is resolved.
Interestingly, of the three recommendations provided, two are standard advice for anyone who uses the web: enable and use Two-Factor Authentication for sites and services that offer it; and be wary of phishing attempts.
Firefox 52.0.2
There’s another new Firefox release: 52.0.2. The new version fixes a few minor bugs, none related to security.
Firefox should update itself automatically to the new version, but there’s no particular urgency about this update, unless you’re affected by one of the bugs it fixes. See the release notes for details.
As usual, there was no announcement from Mozilla about Firefox 52.0.2. I learned about this one when Firefox offered to update itself.
Windows 10 cumulative updates hopelessly botched
Recently I noticed that my Windows 10 test PC wasn’t staying logged in. Every morning, despite not having logged out the day before, I was seeing the login screen. A bit of poking around in the Windows 10 settings showed that Windows was trying to install update KB4013429, rebooting to complete the install, failing to complete the install, and rolling back the changes. Rinse and repeat daily, since March 14.
Searching online, I immediately found other people experiencing this problem. No official solution from Microsoft, but plenty from other users, including what turned out to be the only thing that worked for many: a total reinstall of Windows 10.
One user pointed to an interesting tool, available in the TechNet Script Center, called Reset Windows Update Agent. (Note: this script was created and submitted by a non-Microsoft contributor, not by Microsoft.) Since I wasn’t getting anywhere looking for an official solution, I tried the tool’s main feature, which does indeed reset all things Windows Update. After rebooting, Windows successfully installed a few updates, then started to install ‘Cumulative Update for Windows 10 Version 1607 (KB4015438)’, which Microsoft issued on March 20 to address problems with KB4013429. But that update also failed to install, and now we’re back in our daily loop.
I considered contacting Microsoft about this, but then I remembered my previous encounters with Microsoft support, shuddered, and thought better of it. After all, Microsoft already knows my PC is having trouble installing this update, because of all the telemetry in Windows 10, right? If anything, they should be contacting me with a solution. Yeah, right. Like that would ever happen.
I really don’t want Microsoft to be in a position to make my life miserable, especially now that they can do that remotely, without my explicit consent, and usually without my knowledge. At a time when Microsoft should be showing us just how much they’ve learned about managing Windows updates, they seem to be getting worse.
I sympathize with anyone who tries to do anything productive with Windows 10. I only use it for testing and media playback, but even so, this is the end of the line for my relationship with Windows 10. I’ll be installing Linux Mint MATE next.
Update 2017Apr30: I decided to call Microsoft after all. I figured it was only fair to give them one last chance. The call was relatively painless; I was only on hold for a few minutes. The tier one support person I spoke with identified himself as such and was happy to escalate my problem to the next support tier once it became clear he couldn’t help. We arranged a callback from tier two support, which happened yesterday. Both support people I spoke with started by asking if they could start a remote session to the affected computer, which I declined in both cases. I understand being able to control a computer remotely makes support much easier, but I’m just not comfortable with the idea. The tier two guy confirmed that Microsoft knows about this problem and is working on it. He also confirmed that lots of people are reporting the same problem. Unfortunately, the only fix he could provide was to hide the troublesome update, so that it stops trying to install every day. The ability to hide updates exists in the classic Windows Update, but that feature was removed from Windows 10, so a special download was required. The Microsoft support article “How to temporarily prevent a driver update from reinstalling in Windows 10” includes a link to a tool called the Show or hide updates troubleshooter package. I downloaded and ran the tool, and it listed a few pending updates, including the most recent failing cumulative update. I hid that update, and so far so good: the computer no longer tries to install the update daily. According to the tier two support guy, when Microsoft finds a fix, they’ll include it with a subsequent cumulative update, and all will be well with the world. But in the meantime, my Windows 10 PC isn’t getting security updates. So it’s not much of a solution. Linux, here we come.
Windows Vista to be put out of its misery on April 11
I’m sure there are a few people out there still using Vista. It may even have a few fans, and maybe they’re sad about Vista’s impending trip to the back of the woodshed. But they’re crazy: Vista was a terrible O/S.
CERT’s announcement of Vista’s coming demise.
After April 11, Vista will no longer receive any updates from Microsoft, including security updates. Beyond that point, no Vista computer should be allowed to connect to the Internet.
Firefox 52.0.1
A single security fix is apparently the sole reason Mozilla released Firefox 52.0.1 on March 17. There was no announcement from Mozilla, but as usual, CERT picked up the slack with their own announcement. The release notes for 52.0.1 point to a related security advisory.
Firefox will offer to update itself over the next few days, but you can usually trigger an update by navigating to its About dialog (hamburger menu icon > question mark icon > About Firefox).
Chrome 57.0.2987.110
About twenty bug fixes and minor changes made it into the latest version of Chrome, 57.0.2987.110. None of the changes seem to be related to security. The announcement doesn’t mention anything about what changed, but the full change log — refreshingly small this time — lists all the changes in detail.
Vivaldi 1.7.735.48
A minor security issue in its installer prompted the release of Vivaldi 1.7.735.48 yesterday. The browser itself isn’t changed in this release – only its installer – but its version number was bumped up from 1.7.735.46 anyway. If you’re already running Vivaldi 1.7.735.46, there’s no need to update, and the browser won’t bother to update itself.