Updates 2019-08-13

Hi, Folks!

Today is Patch Tuesday for August 2019 and it’s huge. It was a pretty big month for security news, too.

This month demonstrates several points I’ve been making for years:

1) Often the addition of yet another antivirus actually weakens your security. With Windows Defender scoring a perfect 100 there’s no good reason to install one of the “free” or even paid alternatives. Remember that there are only three parties to an exchange: the vendor, the customer, and the product. If you’re not selling or paying for a service, you’re the product.

2) Everything will be hacked eventually. Capital One and Binance demonstrate that even those tasked with the highest levels of security can be bribed or make mistakes, and since all encryption is weighted only by time and resources that are becoming ever-cheaper, assume anything you share will inevitably be compromised, even if you didn’t put it online yourself.

3) It isn’t just computers and phones that can be hacked. Everything from cameras, to airplanes, to Navy destroyers, and much more are also vulnerable.

4) The gatekeepers of “reasonable” vulnerability disclosure are as responsible as anyone else for zero-day exploits being exposed.

That’s enough horror stories for now. Let’s get back to our regularly scheduled program. The typical computer should see roughly 3 GB in updates today. Let’s get started.

Microsoft released updates for Windows, .NET, Edge, Internet Explorer, Flash, and MSRT (~2 GB). This includes security updates. TWO reboots are required.

Apple released updates for iOS 12.4, macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra, Safari 12.1.2, watchOS 5.3, tvOS 12.4, iCloud for Windows 7.13, iCloud for Windows 10.6, and iTunes for Windows 12.9.6. These are security updates. Use Apple Software Update to install the most current versions.

iOS 12.4 is a security update. Use Settings, General, Software Update to install the most current update.

watchOS 5.3 is a security update. Use the Watch app on your iPhone to install the most current version.

tvOS 12.4 is a security update. Use System, Software Update to install the most current version.

Google Chrome OS 76.0.3809.102 is a security update. Use Menu, Help, About to install the most current version. A reboot is required.

Adobe Flash Player 32.0.0.238 is a security update.
Win: https://12pd.com/click?flash
Win: https://12pd.com/click?flashie
Mac: https://12pd.com/click?flashmac

Don’t forget to check your mobile devices, too! Many updates will also apply to your tablet, phone, Kindle or television – so check your device-appropriate App Store and install updates.

Important Notes

Everything above this section should be checked by everyone on every computer. Chances are good that close to every single computer you touch will be affected by those updates. This is not the case with the items below, though you should still check each line item below to see if it applies to software you have installed.

The now-current release of Windows 10 (1903) will cause your computer to feel unusually slow until it is installed. This is a side-effect of the Windows 10 upgrade cycle, which pushes out 3-6 GB through Windows update to get you to the latest Windows 10 release every 6 months. If you don’t let it finish and you’re on a slow connection, it will kill your Internet performance forever. If you don’t have the bandwidth to download the bits, I’m happy to provide loaner USB drives to our local clients, or, if you prefer to have me mail it to you please contact me for information.

Please remember that while I list many different applications within these updates, most people should ONLY install updates for a program if they already have a previous version of that program installed.

It is essential to maintain all the applications you have installed on your computer, but often you can minimize the time investment and the potential for exploitation simply by uninstalling software you do not need or use, reducing the attack surface.

Also note that using the application’s own “check for updates” function, when available, will best preserve your current settings, and often avoid any crapware that might come with a fresh installer. Use this option if it’s available to you.

Finally, if you’re sick of doing this all yourself, let me! Call or email me any time, and we can set you up with subscription SaferPC updates which will be installed each month whenever necessary. Click, call or email for more details:
https://saferpc.info/updates/
209-565-12PD
shawn@12pointdesign.com

Driver Updates

If you’re using this hardware – these updates are for you.

Display Driver Uninstaller 18.0.1.7 resolves bugs. This is not a security update.
https://www.wagnardsoft.com/display-driver-uninstaller-ddu

nVidia 431.60 is a security update.
https://www.nvidia.com/Download/index.aspx?lang=en-us

BullZip PDF Printer 11.10.0.2761 adds print redirection and improves compatibility. This is not a security update.
https://www.bullzip.com/products/pdf/info.php#download

Crucial Storage Executive 5.02 doesn’t provide a changelog so should be treated as a security update.
https://www.crucial.com/usa/en/support-storage-executive

Intel Driver and Support Assistant 19.7.30 resolves several bugs. This is not a security update.
https://www.intel.com/p/en_US/support/detect

Browser Updates

One or more of these are likely to be of interest to everyone.

Google Chrome 76.0.3809.100 is a security update. Use Menu, Help, About to install the most current version.

Firefox 68.0.1 is a security update. Use Menu, Help, About to install the most current version.

Vivaldi 2.6.1566.49 is a security update. Use Menu, Help, About to install the most current version.
https://vivaldi.com/

Email Updates

One or more of these are likely to be of interest to everyone.

OutlookAttachView 3.25 adds search-in-attachments option. This is not a security update.
https://www.nirsoft.net/utils/outlook_attachment.html

Thunderbird 60.8.0 is a security update. Use Menu, Help, About to install the most current version.

Internet Updates

One or more of these are likely to be of interest to everyone.

Trillian 6.2.0.11 resolves several bugs. This is not a security update.
https://www.trillian.im/

Trillian Mac 6.2.0.18 resolves several bugs. This is not a security update.
https://www.trillian.im/

BrowsingHistoryView 2.21 adds option to use local time for time range. This is not a security update.
https://www.nirsoft.net/utils/browsing_history_view.html

FileZilla Client 3.44.1 resolves several bugs, adds search to Site Manager, and adds warnings to insecure connections. This is not a security update.
https://filezilla-project.org/

FreeFileSync 10.14 enforces TLS for all endpoints and resolves several bugs. This should be considered a security update.
https://www.freefilesync.org/download.php

MaxMind GeoIP 201908 is a data refresh.
https://dev.maxmind.com/geoip/

Nmap 7.80 includes an updated Npcap, adds NSE scripts and resolves several bugs. This is a security update.
https://nmap.org/

Npcap 0.9982 is a security update.
https://nmap.org/npcap/

PuTTY installer 0.72 resolves several bugs. This is a security update.
https://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

WinSCP 5.15.3 resolves several bugs. This is a security update.
https://winscp.net/eng/index.php

Media Updates

These are unlikely to be of interest to most people.

iTunes 12.9.6 is a security update.
https://www.apple.com/itunes/download/

Game Updates

These are unlikely to be of interest to most people.

Lego Digital Designer 4.3.12 doesn’t provide a changelog so should be treated as a security update.
https://www.lego.com/en-us/ldd

Steam 2019.08.06 resolves several bugs. This is a security update. Use Steam to update Steam.

PlayStation PS4 6.72 improves performance. This is not a security update.
https://www.playstation.com/en-us/support/system-updates/ps4/

RetroPie 4.5.1 improves compatibility with RPI4 and reverts the kernel to improve stability. This is not a security update.
https://retropie.org.uk/

SteamOS Installer 2019-07-17 is a security update.
https://store.steampowered.com/steamos/download/?ver=custom

Office Updates

One or more of these are likely to be of interest to most people.

Atom 1.40.0 resolves several bugs. This is not a security update.
https://atom.io/

Artweaver 7.0 improves brush handling and updating, simplifies presets, adds Windows Ink Pen support, and resolves several bugs. This is not a security update.
https://www.artweaver.de/

Krita 4.2.5 resolves several bugs. This is not a security update.
https://krita.org/en/download/krita-desktop/

LibreOffice Still 6.2.5 is a major update to LibreOffice Still, and adds several features and improved stability. This is not a security update.
https://www.libreoffice.org/

LibreOffice Fresh 6.3.0 is a major new release with improved integration, performance improvements, and many new features. This is not a security update.
https://www.libreoffice.org/

Paint.net 4.2.1 adds HEIC and JPEG XR support and resolves several bugs. This is not a security update.
https://www.getpaint.net/

Adobe Creative Cloud Desktop 4.9 is a security update.
https://www.adobe.com/creativecloud/catalog/desktop.html

Adobe Photoshop CC 19.1.9 is a security update. Use Creative Cloud Desktop to install the most current version (after patching the security issues in Creative Cloud Desktop).

Adobe Photoshop CC 20.0.6 is a security update. Use Creative Cloud Desktop to install the most current version (after patching the security issues in Creative Cloud Desktop).

Adobe Experience Manager hotfix 30379 is a security update for AEM 6.4 and 6.5.
6.4: https://www.adobeaemcloud.com/content/companies/public/adobe/packages/cq640/hotfix/cq-6.4.0-hotfix-30379
6.5: https://www.adobeaemcloud.com/content/companies/public/adobe/packages/cq650/hotfix/cq-6.5.0-hotfix-30379

Adobe Acrobat DC 2019.012.20036 is a security update. Use Help, Check for Updates to get the most current version.

Adobe Acrobat Reader DC 2019.012.20036 is a security update. Use Help, Check for Updates to get the most current version.

Acrobat 2017 2017.011.30144 is a security update. Use Help, Check for Updates to get the most current version.

Acrobat Reader DC 2017 2017.011.30144 is a security update. Use Help, Check for Updates to get the most current version.

Acrobat DC 2015.006.30499 is a security update. Use Help, Check for Updates to get the most current version.

Acrobat Reader DC 2015.006.30499 is a security update. Use Help, Check for Updates to get the most current version.

Adobe Prelude CC 8.1.1 is a security update. Use Creative Cloud Desktop to install the most current version (after patching the security issues in Creative Cloud Desktop).

Adobe Premiere Pro CC 13.1.3 is a security update. Use Creative Cloud Desktop to install the most current version (after patching the security issues in Creative Cloud Desktop).

Adobe Character Animator CC 2.1.1 is a security update. Use Creative Cloud Desktop to install the most current version (after patching the security issues in Creative Cloud Desktop).

Adobe After Effects CC 16.1.2 is a security update. Use Creative Cloud Desktop to install the most current version (after patching the security issues in Creative Cloud Desktop).

Security Software Updates

One or more of these is likely to be of interest to most people.

QubesOS 4.0.2 updates kernel and TemplateVM components. This is not a security update.
https://www.qubes-os.org/downloads/

Java 8u221 is a security update. If you’re not 110% sure you need Java, remove it instead.
https://www.java.com/en/download/manual.jsp

Gpg4win 3.1.10 resolves a security bug.
https://www.gpg4win.org/download.html

RogueKiller 13.4.2 resolves several bugs. This is not a security update.
https://www.adlice.com/softwares/roguekiller/

RouterPassView 1.86 adds support for additional hardware. This is not a security update.
https://www.nirsoft.net/utils/router_password_recovery.html

TinyWall 2.1.11 improves compatibility and resolves several bugs. This is not a security update.
https://tinywall.pados.hu/

Capture Updates

These are unlikely to be of interest to most people.

SnagIt 2019.1.3 is a security update.
https://download.techsmith.com/snagit/enu/snagit.exe

Converter Updates

These are unlikely to be of interest to most people.

Stop using CDex. CDex now includes malware as part of the installation, so should be treated as untrustworthy. Even if the accessory malware is removed, any developer willing to include malware should be assumed to be malicious and the core software likely has many other security issues and should be avoided completely. Again, remove CDex.

DVDFab 11.0.4.2 adds support for new encodings, improves compatibility, and greatly improves subtitle parsing. This is not a security update.
http://www.dvdfab.cn/download.htm

FFmpeg 4.2 is a new major build, adding many filters and decoders and improving performance. This is not a security update.
https://ffmpeg.org/download.html

Education Updates

One or more of these are likely to be of interest to most people.

e-Sword 12.0 adds themes and low-light display support, and makes hundreds of other refinements and bug fixes. This is not a security update.
https://www.e-sword.net/

Utility Updates

These are unlikely to be of interest to most people.

RoboForm 8.6.0 resolves several bugs. This is not a security update.
https://12pd.com/click?rf

1Password for Mac 7.3.2 improves stability. This is not a security update.
https://1password.com/downloads/mac/

Bitcoin 0.18.1 adds new features, resolves bugs, and improves performance. This is not a security update.
https://bitcoin.org/en/download

BulkFileChanger 1.65 adds support for changing timestamps within mp4 and mov files. This is not a security update.
https://www.nirsoft.net/utils/bulk_file_changer.html

DesktopOK 6.45 adds uninstall and resolves several bugs. This is not a security update.
https://www.softwareok.com/?seite=Freeware/DesktopOK

GoodSync 10.10.5 resolves several bugs and changes licensing behavior (again).
https://12pd.com/click?goodsync

IsMyHdOK 1.81 improves support for newer hardware. This is not a security update.
https://www.softwareok.com/?seite=Microsoft/IsMyHdOK

NirCmd 2.86 resolves a bug with the elevate command. This is not a security update.
https://www.nirsoft.net/utils/nircmd.html

NTLite 1.8.0.7080 updates components and improves compatibility. This is not a security update.
https://www.ntlite.com/download/

OSFMount 3.0.1005 adds physical/logical emulation options and resolves a bug. This is not a security update.
https://www.osforensics.com/tools/mount-disk-images.html

OSForensics 7.0.1001 adds many new features and resolves bugs. This is not a security update.
https://www.osforensics.com/download.html

PointerStick 3.66 resolves a bug. This is not a security update.
https://www.softwareok.com/?seite=Freeware/PointerStick

Rufus 3.6 adds support for persistent partitions, improves compatibility, and resolves several bugs. This is not a security update.
https://rufus.ie/en_IE.html

SearchMyFiles 3.01 adds option to prevent saving search options and support for searching within Office and PDF files. This is not a security update.
https://www.nirsoft.net/utils/search_my_files.html

SimpleWMIView 1.38 improves refresh behavior. This is not a security update.
https://www.nirsoft.net/utils/simple_wmi_view.html

TaskSchedulerView 1.51 adds a new column to indicate whether device will be awakened to run task. This is not a security update.
https://www.nirsoft.net/utils/task_scheduler_view.html

TraceRouteOK 1.44 resolves a bug. This is not a security update.
https://www.softwareok.com/?seite=Microsoft/TraceRouteOK

WinScan2PDF 4.93 improves WIA and resolves several bugs. This is not a security update.
https://www.softwareok.com/?seite=Microsoft/WinScan2PDF

WSUS Offline 11.8 updates static URLs, servicing stacks and improves compatibility. This is not a security update.
http://download.wsusoffline.net/

Developer Updates

These are unlikely to be of interest to most people.

Android Studio 3.4.2.0 resolves several bugs. This is not a security update.
https://developer.android.com/studio/index.html

MySQL 8.0.17 resolves several bugs and adds several new features. This is not a security update.
https://www.mysql.com/downloads/installer/

Node.js 12.8.0 resolves dozens of bugs. This is not a security update.
https://nodejs.org/en/

Redemption 5.21.0.5378 adds RDOFolders and appointment exception removal/undo support as well as resolving several bugs. This is not a security update.
http://www.dimastr.com/redemption/

SQLite 3.29.0 adds several new features. This is not a security update.
https://www.sqlite.org/download.html

TortoiseSVN 1.12.2 resolves several bugs. This is not a security update.
https://tortoisesvn.net/downloads.html

Visual Studio Code 1.37 adds several new features and improvements. This is not a security update.
https://code.visualstudio.com/

WinMerge 2.16.4 resolves several bugs. This is not a security update.
https://winmerge.org/

Virtual Machine Updates

These are unlikely to be of interest to most people.

VirtualBox 6.0.10-132072 resolves several bugs. This is not a security update.
https://www.virtualbox.org/wiki/Downloads

Web Package Updates

These are likely to be of interest only to web developers.

ScreenConnect 19.2.24707.7131 resolves several bugs. This is not a security update.
https://www.connectwise.com/software/control/download

phpList 3.4.5 resolves several bugs. This is not a security update.
https://www.phplist.com/download

Drupal 8.7.6 resolves several bugs. This version follows quickly on the heels of 8.7.5, which is a security release.
https://drupal.org/download

Joomla 3.9.11 is a security update.
https://www.joomla.org/

MailEnable 10.26 resolves several bugs. This is not a security update.
https://www.mailenable.com/

Adminer 4.7.2 resolves several bugs. This is not a security update.
https://www.adminer.org/en/

BuddyPress 4.4.0 is a security update.

Contact Form 7 5.1.4 resolves several bugs. This is not a security update.

myStickymenu 2.2.1 improves compatibility. This is not a security update.

Postie 1.9.38 resolves an attachment filtering bug. This is not a security update.

Redirection 4.3.3 resolves bugs and improves compatibility. This is not a security update.

WooCommerce 3.7.0 resolves dozens of bugs, and provides feature, compatibility, and performance improvements. This is not a security update.

WP Add Custom CSS 1.1.5 replaces code editor. This is not a security update.

WP Mail SMTP 1.5.2 resolves a Gmail compatibility bug. This is not a security update.

That’s all for now folks. Keep it clean out there. 😉

Regards,

Shawn K. Hall
https://SaferPC.info/
https://12PointDesign.com/

 

Conventional Wisdom on Solid-State Drives

Every time I post about solid-state drives (SSDs), there’s always a naysayer warning about their “short life” and limited usability. It’s a huge misunderstanding of SSD wear-leveling and endurance to assume that a thousand program/erase (PE) cycles somehow implies that the drive is of less persistent value than a conventional drive. This is wildly inaccurate.

The Old Way

Conventional drives store their information on revolving platters and use magnetic arms to read and assign magnetism to specific locations on each platter. The arms are fragile. The movement of the platters is subject to environmental forces. A drop of only a fraction of an inch can toast your conventional drive. An hour in the car in front of Starbucks or the moisture that makes it through your laptop bag when walking between classes in the rain can kill it. Some are even faulty by design (planned obsolescence), and even those that aren’t can suffer a random failure at any point in their life from dust or exposure to magnetism or even sunlight. This is the fatal flaw with moving parts. In any entropic system stuff will inevitably go wrong. The endurance you hope for is a gamble that it either won’t be you, or at least it won’t be now.

There have been dozens of studies of both conventional and solid-state drives. Most studies on conventional drives essentially conclude that some are better than others, but that they will all fail randomly at some point. Unfortunately, when it comes to conventional drives there’s really no guaranteed way to know how long your specific drive is going to last.

Even with the best SMART data you can never really plan for when the conventional drive is going to fail. You can look at the brand or model and estimate in months or years, but actual operational time will vary even between devices from the same factory made at the same time in the same room. You just can’t plan for it.

New Tricks

Solid-state drives, however, do not suffer from the randomness of not being able to know for sure if the drive will even survive its first year. Due to their lack of vulnerable moving parts, vastly improved tolerances and predictable wear-leveling values, they have a calculable life that can not only be guessed, but very effectively planned and measured. You can proactively track it with the drive’s own self-diagnostics in order to identify, if not the very hour, at least the week that your SSD will no longer be able to be written to (the data will usually still be readable).

SSDs provide several measures of their PE values to determine drive longevity. TBW and DWPD are basically different faces of the same number of writes before the drive will begin to fail. This can be measured in hours or bytes, but the meaning is consistent between presentations: if each block can be written 1100 times (which is a pretty close approximation based on current market values) then a 250GB drive could have 275TB written to it during its reliable life. A 960GB drive would be able to have just over 1PB (petabyte) written during its reliable life. If you measure the actual writes to your current drive over a couple months (with PerfMon or SMART) you can see exactly how long it would take you to consume that amount. The drive won’t exactly crash and burn on that day, it will just fall out of the vendor-tested effectiveness in a “how many licks does it take to get to the center of a Tootsie Pop” way. Many SSDs will safely write twice as much data or more. You know, as long as you don’t bite into it. 😉

SMART

Every drive for the last 20+ years has supported some level of self diagnostics (SMART), but the detail provided by SSDs is fantastic. SMART provides potentially hundreds of flags to identify, track, and observe various drive usage and diagnostic information. SSDs provide self-diagnostics through SMART that enables you to see their actual writes, reads, and life. Get an SSD and use it a couple months, and you can effectively estimate its life for your actual usage.

For example, my current C: is a 240GB Kingston SSD. As of the writing of this article the drive has been in use for 937 days (2.57 years), and has only been restarted 72 times (roughly twice per month – usually for software updates or installation). It’s written 18,925 GB (<19 TB) in that time, which is about 20.2 GB/day. With the magic 1100 PE number we can safely assume it’ll be able to write about 264 TB in its life. This means that this drive will likely survive another 33 years at my current usage. Give or take.
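The same arithmetic can be run against a drive's own SMART counters. The following is an added example, not part of the original article: it parses `smartctl -A` style rows (the sample is constructed to match the figures quoted above) and applies the 1100 PE-cycle rule. It assumes `Total_LBAs_Written` counts 512-byte sectors and that power-on hours approximate days in use; attribute names and units vary by vendor.

```python
"""Estimate SSD write endurance from SMART counters (added example)."""

# Bytes represented by one raw unit of each write counter. Names and units
# differ between vendors and firmware (assumption): check your drive's
# documentation before trusting the result.
WRITE_COUNTERS = {
    "Total_LBAs_Written": 512,       # assumes 512-byte logical sectors
    "Lifetime_Writes_GiB": 2 ** 30,
}

# Constructed sample in the layout of `smartctl -A`; not from a real drive.
# 22488 power-on hours = 937 days; 36962890625 LBAs x 512 B = 18,925 GB.
SAMPLE_SMART = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  9 Power_On_Hours          0x0032   100   100   000    Old_age   Always       -       22488
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       72
241 Total_LBAs_Written      0x0032   100   100   000    Old_age   Always       -       36962890625
"""


def parse_smart(text):
    """Return {attribute_name: raw_value} for each SMART attribute row."""
    attrs = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with a numeric ID and carry the raw value in
        # the tenth column; the header row and blank lines are skipped.
        if len(fields) >= 10 and fields[0].isdigit() and fields[9].isdigit():
            attrs[fields[1]] = int(fields[9])
    return attrs


def bytes_written(attrs):
    """Convert whichever known write counter is present into bytes."""
    for name, unit in WRITE_COUNTERS.items():
        if name in attrs:
            return attrs[name] * unit
    raise ValueError("no known write counter in SMART data")


def estimate_life(capacity_gb, attrs, pe_cycles=1100):
    """Rated writes = capacity x PE cycles; project the observed write rate."""
    if attrs.get("Power_On_Hours", 0) <= 0:
        raise ValueError("Power_On_Hours missing or zero")
    # Assumption: the drive is powered nearly all the time, so power-on
    # hours stand in for calendar days in use.
    days = attrs["Power_On_Hours"] / 24
    written_gb = bytes_written(attrs) / 1e9
    rated_gb = capacity_gb * pe_cycles
    gb_per_day = written_gb / days
    remaining_gb = max(rated_gb - written_gb, 0)
    if gb_per_day > 0:
        years_left = remaining_gb / gb_per_day / 365.25
    else:
        years_left = float("inf")
    return {
        "days_in_use": days,
        "rated_tb": rated_gb / 1000,
        "written_gb": written_gb,
        "gb_per_day": gb_per_day,
        "years_left": years_left,
    }


if __name__ == "__main__":
    result = estimate_life(240, parse_smart(SAMPLE_SMART))
    for key, value in result.items():
        print(f"{key:12s} {value:,.1f}")
```

Run it periodically and compare `gb_per_day` between runs; a jump in the write rate shortens the projection far more than the drive's age does.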

Now it should be noted that I’m not the typical person, and I do tune the crap out of my hardware (and the hardware of my clients) to ensure we get both the best experience and the best value out of our hardware. I’m not a gamer, but I run more varied applications and services than anyone I know, keeping a lot in RAM and minimizing page file usage to prevent unnecessary writes. This is to say that the typical person with a stock install may only get a “mere” ten to fifteen years out of a similar SSD – for a computer where most of the rest of the hardware will be unsupported in 10 years. Task-based users (email + web + Word) could get centuries out of it if tuned properly. Hardcore gamers may only get a couple years, but they will be fantastic years.

I love the performance of my SSD, but believe me when I say I hope I am not still using this drive as my C: drive in 30 years. New developments are made every year and I plan to offload this one into one of my workhorses when I upgrade my primary rig. 🙂

True Wisdom

Should everyone use an SSD as their operating system drive? Yes. Should it be used for everything? No. You wouldn’t haul manure in a Porsche 911, would you?

I use SSDs in all my computers, but for some tasks I use conventional drives as well. I even use a few drives I know are defective but that have great caching capabilities. For example, I do a lot of video transcoding – converting and resampling video to improve quality and performance. This can write as much as 2 terabytes per day on one of my machines. That would kill my Kingston SSD in just over 4 months, so for these I use cheap conventional drives that are disposed of when they inevitably fail. The SSD runs the apps, but the conventional drive acts as a read/write canvas for transcoding. It works very well. But why don’t I just use an SSD anyway – they’re faster, right? Because the performance for video transcoding with FFMPEG is capped at the speed of the CPU anyway, so it’s never going to be bottlenecking at a disk read or write operation on a conventional drive, making use of an SSD a waste of valuable resources.

The choice is yours, of course, but don’t base your decision on whether to buy a solid-state drive on uneducated FUD.

Regards,

Shawn K. Hall
https://SaferPC.info/
https://12PointDesign.com/

New Year, New Fears: Meltdown and Spectre

Happy New Year!

By now you’ve heard about Meltdown and Spectre, the two new CPU vulnerabilities that are getting 24/7 airtime on every news channel.

This is going to really hurt Intel, as it essentially means that a 2 GHz processor is going to effectively run at 1.4 GHz after it’s patched. A 4 GHz processor is going to effectively run at 2.8 GHz. That’s the kind of performance hit that hard-core gamers and industry professionals are waking up to today, and will encourage many to consider alternative CPUs in the future. Unfortunately, while the one issue (Meltdown) only applies to Intel CPUs the other one (Spectre) affects almost every CPU that has been tested.

Meltdown and Spectre are two separate design flaws in the CPUs that mismanage how access to memory handles are controlled. Older hardware and operating systems will never be patched to address these vulnerabilities, and the patches that are currently being pushed for the Intel (Meltdown) flaw have a very high failure rate (as much as 20% for some hardware) often resulting in unbootable devices. My advice is to wait a few days for other people to be the guinea pigs, then install the updates after you get the all clear.

Neither of these affects only Windows. The vulnerabilities are hardware-based, but the current workarounds for them are being pushed into the operating systems to prevent them from being abused.

Meltdown affects every Intel CPU available today, which means that while many Windows computers are affected, every supported Mac is impacted (they’re all using Intel CPUs), and phones and other devices that use Intel chips are vulnerable as well.

Spectre affects just about everything. If your vendor isn’t supporting the device anymore, it will never be patched and the device can never be secured. Every computer hosting every website is affected. Every server. Every phone, tablet, desktop and laptop in the world is affected by at least one of these vulnerabilities. It seems that the only devices immune are certain security devices (dongles) or devices with very limited capabilities. If it can run software, it’s vulnerable.

If you’re a stock market enthusiast this is a good time to invest in mobile hardware vendors – wait a week or so for people to start bailing out in fear and the price to drop. Then buy their ignorance and in a year you’ll be thanking me. There may not be an immediate return, but as chips are released in the next 8-18 months that resolve these problems, security-minded companies and governments will be buying in bulk to replace every single device they currently employ. Talk about a huge surge in purchases later this year. 🙂

I don’t put a lot of stock in what anyone from the government says, so I will defer to the Intel VP who says that the “unfixable” Spectre flaw can be resolved with a firmware update on most supported devices. I assume the same is true for other vendor chips affected by Spectre. Unfortunately, this means it’s still going to be a long-tail fix, since firmware updates can take months to be released for each supported chip and years to be fully addressed, and unsupported hardware will never be fixed. The Intel SA-00086 vulnerability (initially reported in February 2017), for example, which impacts the last 4 full generations of Intel CPUs still has not received patches for most currently supported hardware. Likewise, it’s quite unlikely that Spectre will be fully addressed on existing supported hardware within the next couple years.

Replacing your device isn’t a solution, either, since hardware that isn’t vulnerable simply doesn’t exist yet. We need to hope that operating system vendors will correctly and fully address these problems on current hardware in the very near future.

Now for the good news

If you’re maintaining your devices – installing operating system, application and driver updates, and you’re removing outdated and unused software, and you’re not installing untrusted third party applications that are either unmaintainable or unsecurable, and you have not been installing “bad” programs (warez, fake, or malicious) – then your computer is really at no greater risk today than it was last week. Both of these vulnerabilities require an evil application to be run on your device to be exploited. They are not remote exploits that automatically bypass the other security precautions you may have in place (unlike SA-00086). Remove everything you don’t want or need on your device, don’t install untrusted apps, don’t ever click “yes” in a popup without reading it and understanding the implications, and you’ll probably be OK. Really.

For anyone else that’s not already using my service: If you don’t want to do this all by yourself – let me.

KRACK Attacks: Protocol Insecurity

The KRACK Attacks are a great example of why updates are important. Wireless networking has been around over 45 years with many encryption and security layers being adapted over that time. The variation most commonly in use today, Wi-Fi with WPA2, is about 13 years old. Thousands of people have reviewed the protocol documents. Vendors across the world have implemented the protocol as it was designed and it is in active daily use on billions of devices (yes, billions with a “b”). However, a relatively minor flaw in the design of the greeting/handshake allows an evil third party to essentially hijack any Wi-Fi network.

At least 6 months ago a series of vulnerabilities in all wireless protocols (including the most secure current wireless protocol, WPA2) was discovered that allowed an evil third party in range of your Wi-Fi network connection to emulate it and hijack your access to the connection to be able to siphon or change information between you and the Internet. These vulnerabilities also make it possible to intercept and alter “secure” traffic (such as HTTPS encrypted connections) by way of its MitM scope on some networks and devices.

Every vendor’s hardware that was tested was found to be vulnerable. The thing is, if they obeyed the protocol it would literally be impossible not to be vulnerable.

Several months ago the person that discovered the issue contacted different vendors to alert them of the problems and they are actively coordinating security updates this week to address them. FreeBSD patched it months ago. Microsoft patched it last Tuesday. Some Android devices have been patched over the last couple weeks, while others may never be. Security updates for ChromeOS should be released next Tuesday. Apple’s patch for iOS, macOS, tvOS and watchOS is planned for release “soon,” but every version of macOS and iOS is affected and not all are still supported (in other words – only some Apple devices will receive patches). Hardware vendors are gradually releasing updates for supported devices.

What should you do?

Patch or replace your hardware. All of your hardware: your routers, modems, phones, tablets, laptops, desktops that have Wi-Fi support, even your light bulbs and irrigation systems.

If a patch is not currently available for your hardware, hound the vendor until it is, or replace/avoid that hardware (and vendor).

If your hardware is no longer supported by the vendor you will not receive security updates to address this vulnerability. Most hardware still in use today is beyond its support period (aka “end of life/EOL”), so will never receive a security update to address this vulnerability or any other. Really. It’s probably time to replace that “perfectly good” wireless router you picked up “only 5 years ago” at a “helluva bargain” that “still works.” It’s annoying, but important to check the vendor’s site when purchasing hardware to ensure that it’s supported by them. Most vendors support their hardware only 5 to 10 years after a modem was initially released. Most people buy hardware at least half-way through this period, significantly reducing the applicable support period.

Always use TLS/SSL. If the sites you visit don’t support HTTPS, don’t use them or at least contact their webmasters to request HTTPS support.

Avoid wireless connections. Yes, really. Even if this had never occurred, understand that every wireless network is inherently insecure. Emulating your network the way the KRACK Attack operates is only one way to hijack it. There are many other risks in all forms of networking, from old, insecure, and unsupported network equipment that can be easily compromised to unmaintained and unsecurable hardware that joins the network. While a wired network generally contains all traffic within the cables that make up the network, a wireless network, by definition, broadcasts all network traffic for any evildoer within range to capture and record. While they may not be able to exploit that encrypted information today, it’s likely that similar vulnerabilities will be discovered that allow them to decrypt and abuse that information sometime in the future. Avoiding wireless connections reduces this risk.

I thought this only affected my router?

No. This vulnerability is a protocol-level issue, which means that every single wireless device in the world that was designed to obey the protocol is impacted. All of them. Patch or replace.

Many protocols have weaknesses that are eventually addressed with minor and sometimes major changes. SMTP – the protocol used to send email – didn’t require any form of authentication at any level for over 20 years! The geeks that think this stuff up are awesome, but we can’t anticipate everything.

That’s all for now folks. Keep it clean out there. 😉

Regards,

Shawn K. Hall
https://SaferPC.info/
https://12PointDesign.com/

 

Why you should delay iOS upgrades

Today is September 9th, 2017 and iOS 11 was released! Yay! This version has several new features that Apple fanboys are going gaga over. It’s exciting, it’s new, and in about a month you should install it on your device. For years I have advocated that major iOS upgrades should be delayed at least 3 weeks. Why? Math.

This simple timeline demonstrates Apple’s history with patches for iOS upgrades:

1.0.1 was released 32 days after 1.0.0. It was a security update.
1.1.1 was released 13 days after 1.1.0. It was a major stability update.
2.0.1 was released 14 days after 2.0.0. It was a major stability update.
2.1.1 was released 3 days after 2.1.0. It was a security update.
3.0.1 was released 44 days after 3.0.0. It was a security update.
3.1.1 was released the same day as 3.1.0. It was a security update.
3.1.2 was released 29 days after 3.1.1. It was a major stability update.
4.0.1 was released 24 days after 4.0.0. It was a major stability update.
4.3.1 was released 16 days after 4.3.0. It was a security update.
5.0.1 was released 29 days after 5.0.0. It was a security update.
5.1.1 was released 61 days after 5.1.0. It was a security update.
6.0.1 was released 61 days after 6.0.0. It was a security update.
6.1.1 was released 9 days after 6.1.0. It was a major stability update.
7.0.1 was released 1 day after 7.0.0. It was a security update.
7.0.2 was released 7 days after 7.0.1. It was a security update.
7.1.1 was released 43 days after 7.1.0. It was a major stability update.
8.0.1 was released 7 days after 8.0.0. It was a security update – and was so bad they pulled it.
8.0.2 was released 1 day after 8.0.1. It was a major stability update.
8.1.1 was released 28 days after 8.1.0. It was a security update.
8.4.1 was released 44 days after 8.4.0. It was a security update.
9.0.2 was released 14 days after 9.0.0. It was a security update.
9.2.1 was released 133 days after 9.2.0. It was a security update.
9.3.1 was released 10 days after 9.3.0. It was a major stability update.
10.0.2 was released 10 days after 10.0.0. It was a stability update.
10.1.1 was released 7 days after 10.1.0. It was a security update.
10.2.1 was released 42 days after 10.2.0. It was a security update.
10.3.1 was released 7 days after 10.3.0. It was a security update.

11.0.0 was released today. How long do you think it will be before they release their mandatory security update?

With history as our guide, we can safely assume it’s going to be roughly 26 days before they release whatever security update is required of the first major release of iOS 11.

Looking at the numbers we can also see that fixes for major updates are released on average 21 days after the initial major version (n.0.x), where minor version fixes average closer to 30 days after the release of the minor version (n.n.x). If we remove the outlier (9.2.1) because it’s over 4 months and double any other period, the averages become 20 days for serious patches to major updates and 22 days for serious patches to minor updates. Again: 21 days – three weeks – becomes the minimum average for your safety.

That means you should expect a security update for iOS 11 around October 10th, 2017. Be patient. The privacy you save will be your own.
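The averages discussed above can be recomputed from the timeline itself. This is an added example, not the author's own calculation: the compact `version:days` encoding, the helper names, and counting "the same day" as 0 days are assumptions made here.

```python
from statistics import mean

# Transcribed from the timeline above as "patched_version:days_after_previous".
# "Released the same day" (3.1.1) is recorded as 0 days (assumption).
TIMELINE = """
1.0.1:32 1.1.1:13 2.0.1:14 2.1.1:3 3.0.1:44 3.1.1:0 3.1.2:29 4.0.1:24 4.3.1:16
5.0.1:29 5.1.1:61 6.0.1:61 6.1.1:9 7.0.1:1 7.0.2:7 7.1.1:43 8.0.1:7 8.0.2:1
8.1.1:28 8.4.1:44 9.0.2:14 9.2.1:133 9.3.1:10 10.0.2:10 10.1.1:7 10.2.1:42 10.3.1:7
"""


def parse(text):
    """Return (version, kind, days) tuples; kind is 'major' for n.0.x, else 'minor'."""
    rows = []
    for item in text.split():
        version, days = item.split(":")
        _major, minor, _patch = (int(part) for part in version.split("."))
        kind = "major" if minor == 0 else "minor"
        rows.append((version, kind, int(days)))
    return rows


def averages(rows, exclude=()):
    """Mean patch delay overall and per kind, optionally dropping outlier versions."""
    kept = [row for row in rows if row[0] not in exclude]
    result = {"all": mean(days for _, _, days in kept)}
    for kind in ("major", "minor"):
        result[kind] = mean(days for _, k, days in kept if k == kind)
    return result


if __name__ == "__main__":
    rows = parse(TIMELINE)
    for label, exclude in (("full timeline", ()), ("without 9.2.1", ("9.2.1",))):
        stats = averages(rows, exclude)
        print(label, {name: round(value, 1) for name, value in stats.items()})
```
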

Regards,

Shawn K. Hall
https://SaferPC.info/
https://12PointDesign.com/