Updates 2021-12-14

Welcome back, Folks!

Today is Patch Tuesday for December, 2021. This month has been relatively mild, especially for the typical user. Businesses are facing some serious Christmas disasters including massive botnets targeting WordPress, Log4j, payment platforms, and state-run “passport” systems. Nevertheless, the grind continues.

This Month in Technology

ActMobile Networks (VPN), Alberta HealthAstoria Company LLC, thousands of AT&T Edgewater Networks devicesAtrafBay Village High SchoolBeaverhead County High SchoolBioPlus Specialty Pharmacy Services, LLCBitmartBrazilian Ministry of HealthBroward Public SchoolsBrussels Bru-VaxBureau VeritasCentral Depository Services LtdCalifornia Pizza KitchenCostcoCox CommunicationsDeKalb County School DistrictDelta-Montrose Electric AssociationDNA Diagnostics CenterEpiscopal Retirement ServicesEscambia County School DistrictEskenazi HealthEvanston Township High SchoolFlorida Heart AssociatesFrench-Public School BoardFrontier SoftwareGoDaddy Inc (and 123Reg, Domain Factory, Heart Internet, Host Europe, Media Temple, and tsoHost), GravatarHeadwaters Health Care CentreHealth Service ExecutiveHellman Worldwide LogisticsHikvision surveillance systemsHisar health departmentHPE, dozens of HP printer modelsHuntington HospitalIDC GamesIKEAIndonesian police, various Iranian gas stationsJohnson Memorial HealthKisters AGKMSPicoKronosLakeside SchoolLINE PayLewis and Clark Community CollegeMaryland Department of HealthManhasset School DistrictMicrosoft Exchange ServersMedsurant HealthMNG CargoNewfoundland and Labrador Health-Care SystemNordic Choice HotelsNorth Oklahoma County Mental Health CenterNortheastern UniversityNowiny Commune OfficeOld Pulaski Middle SchoolOne Community HealthOregon Anesthesiology Group, P.C.Pakistan’s National Database Biometric DataPanasonicPellissippi State Community CollegePlanned Parenthood Los Angeles, millions of PlayStation 5 devicesQNAP NAS devicesRedDoorzRideau Valley Health CentreRiverhead Central School DistrictRobinhoodS&R Membership ShoppingSanDisk SecureAccessSea Mar Community Health CentersShelley School DistrictSimon Eye Management, millions of Sky RoutersSonicWall SMA 100 VPNsSouth Australian GovernmentSouthern Ohio Medical CenterSPAR StoresSpotswood Public SchoolsStor-a-file LimitedStripchatSupernus Pharmaceuticals, Inc., Swire Pacific OffshoreTATATP-Link routersTrue Health New MexicoTulane University Medical CenterUlss 6 EuganeaUS defense contractorsU.S. State DepartmentUtah Imaging AssociatesVirginia’s Division of Legislative Automated SystemsVestasVolvoWaikato DHBYemeksepetiZa: Standard Bank, and Zoho ServiceDesk have reportedly been hacked this month.

A Tesla server outage prevented owners worldwide from unlocking their cars.

Another 5 hour outage at AWS caused problems for thousands of websites that depend upon the “reliability” of cloud services. Netflix, Ring, Amazon Prime Video, Amazon deliveries, and Roku were just a few affected sites and services.

Google Photos suffered from a bug for 10 days that damaged all downloads over 128 MB. They alerted their customers to the problem about a month after fixing the bug.

Instead of focusing on providing a more secure product, Apple is suing the NSO Group for developing malware that exploits vulnerabilities in Apple products.

Google, Apple and Samsung payment services exposed to provide unlimited access to digital wallets without authentication.

Grafana – used in thousands of applications for the gorgeous displays it can provide – has patched multiple critical security vulnerabilities. Expect vendors to play catch-up as they release updates that update their Grafana libraries.

Like Grafana, Log4j is another widely used engine across thousands of applications – mostly in corporate and enterprise applications. It’s been exploited in 40% of corporate networks globally, so far. It’s not just corporate risk – even Minecraft is vulnerable.

A massive series of attacks targeting managed WordPress websites has compromised at least 1.8 million sites so far. Merely patching the sites and removing unused and out-dated plugins and themes would have eliminated the risk here.

Now for the good news:

Alexa.com is finally being shut down after 25 years of misrepresenting the web.

Let’s Get Busy

Now back to our regularly scheduled program.

Patch Tuesday this month is smaller than it has been in months. The typical computer should see roughly 2 GB in updates today. Let’s get started.

Microsoft released updates for Windows, Edge, .NET, and MSRT (~1.5 GB). This includes updates for Windows Server 2008. This includes security updates. A reboot is required.

Apple released updates for macOS Monterey 12.1, macOS Big Sur 11.6.2, Security Update 2021-008 Catalina, iOS 15.2 and iPadOS 15.2, tvOS 15.2, watchOS 8.3, and watchOS 8.1.1. This includes security updates. Use Apple Software Update to install these updates. A reboot is required.

iOS 15.2 is a security update. Use Settings, General, Software Update to install the most current update.

iPadOS 15.2 is a security update. Use Settings, General, Software Update to install the most current update.

tvOS 15.2 is a security update. Use System, Software Update to install the most current version.

watchOS 8.3 and 8.1.1 are security updates. Use the Watch app on your iPhone to install the most current version.

Google Chrome OS 96.0.4664.77 is a security update. Use Menu, Help, About to install the most current version. A reboot is required.

Don’t forget to check your mobile devices, too! Many updates will also apply to your tablet, phone, kindle or television – so check your device-appropriate App Store and install updates.

Important Notes

Everything above this section should be checked by everyone on every computer. Chances are good that close to every single computer you touch will be affected by those updates. This is not the case with the items below, though you should still check each line item below to see if it applies to software you have installed.

The release of macOS Monterey (12.x) means that macOS Mojave (10.14) and older are no longer supported. If you can not install at least macOS Catalina (10.15) on your Mac then you should immediately remove it from the Internet and use it offline only. It will no longer receive patches or updates and can now no longer be secured.

The now-current release of the Windows 10 (v21H2) is very large so will take a long time to download on slower connections. Windows 10 pushes you to get the latest Windows 10 release every 6 months and only supports any consumer builds for 18 months. If you don’t let it finish and you’re on a slow connection, this process will kill your Internet performance forever. If you don’t have the bandwidth to download the bits, I’m happy to provide loaner USB drives to our local clients, or, if you prefer to have me mail it to you please contact me for information.

The now-current release of the Windows 11 (v21H2) is very large so will take a long time to download on slower connections. Windows 11 pushes you to get the latest Windows 11 release every 6 months and only supports any consumer builds for 24 months. If you don’t let it finish and you’re on a slow connection, this process will kill your Internet performance forever. If you don’t have the bandwidth to download the bits, I’m happy to provide loaner USB drives to our local clients, or, if you prefer to have me mail it to you please contact me for information.

Windows 11 is still very young so I encourage you to wait a few more months before you consider switching to it.

Please remember that while I list many different applications within these updates, most people should ONLY install updates for a program if they already have a previous version of that program installed.

It is essential to maintain all the applications you have installed on your computer, but often you can minimize the time investment and the potential for exploitation simply by uninstalling software you do not need or use, reducing the attack surface. This includes “free” applications like Avast, OpenOffice, and games you do not actually play.

Also note that using the applications own “check for updates” function, when available, will best preserve your current settings, and often avoid any crapware that might come with a fresh installer. Use this option if it’s available to you.

Finally, if you’re sick of doing this all yourself, let me! Call or email me any time, and we can set you up with subscription SaferPC updates which will be installed each month whenever necessary. Click, call or email for more details:
https://saferpc.info/updates/
209-565-12PD
shawn@12pointdesign.com

Driver Updates

If you’re using this hardware – these updates are for you.

Citizen Driver 2021.3 adds support for over 430 hardware printer models and resolves several minor bugs. This is not a security update.
https://www.seagullscientific.com/support/downloads/drivers/citizen/download/

CognitiveTPG Driver 2021.3 adds support for over 430 hardware printer models and resolves several minor bugs. This is not a security update.
https://www.seagullscientific.com/support/downloads/drivers/cognitivetpg/download/

Logitech Options 9.40.86 adds support for new hardware and resolves several bugs. This is not a security update.
https://support.logi.com/hc/en-us/articles/360025297893

Logitech SetPoint 6.70.55 adds support for new hardware and resolves several bugs. This is not a security update.
https://support.logi.com/hc/en-us/articles/360025141274

Xerox Smart Start 1.6.28.0 adds support for newer drivers. This is not a security update.
https://www.support.xerox.com/en-us/content/143617

Zebra Driver 2021.3 adds support for over 430 hardware printer models and resolves several minor bugs. This is not a security update.
https://www.seagullscientific.com/support/downloads/drivers/zebra/download/

Browser Updates

One or more of these are likely to be of interest to everyone.

Brave 1.32.115 is a security update.
https://brave.com/

Google Chrome 96.0.4664.110 is a security update.
https://www.google.com/chrome/

Microsoft Edge 96.0.1054.53 is a security update.
https://www.microsoft.com/en-us/edge/business/download

Firefox 95.0 is a security update.
https://www.mozilla.org/en-US/firefox/new/

Firefox ESR 91.4.0 is a security update.
https://www.mozilla.org/en-US/firefox/organizations/all/

SeaMonkey 2.53.10.1 is a security update.
https://www.seamonkey-project.org/

Vivaldi 5.0.2497.28 is a security update.
https://vivaldi.com/

Email Updates

One or more of these are likely to be of interest to everyone.

Thunderbird 91.4.0 is a security update.
https://www.thunderbird.net/en-US/

Internet Updates

One or more of these are likely to be of interest to everyone.

AnyDesk 7.0.4 resolves several bugs. This is not a security update.
https://anydesk.com/en/downloads

AnyDesk for macOS 6.3.3 improves M1 compatibility. This is not a security update.
https://anydesk.com/en/downloads

curl 7.80.0 resolves over 100 bugs. This should be treated as a security update.
https://curl.haxx.se/windows/

Dropbox 136.4.4345 doesn’t provide a changelog so should be treated as a security update.
https://www.dropbox.com/

FileZilla Client 3.57.0 updates libraries and resolves several bugs. This is not a security update.
https://filezilla-project.org/

FreeFileSync 11.15 resolves several bugs and improves user interface and compatibility. This is not a security update.
https://www.freefilesync.org/download.php

Google Drive 54.0 improves compatibility and resolves several bugs. This is not a security update.
https://drive.google.com/start

Npcap 1.60 resolves over a dozen bugs and improves stability. This is not a security update.
https://nmap.org/npcap/

Syncthing 1.18.5 resolves several bugs. This is not a security update.
https://syncthing.net/

Telegram 3.3.0 adds media distribution controls, bot improvements and channel controls. This is not a security update.
https://telegram.org/

WinSCP 5.19.5 resolves several bugs and adds Google Cloud S3 API support. This is not a security update.
https://winscp.net/eng/index.php

Zoom 5.8.7.2058 adds many new features and resolves a dozen bugs, mostly with compatibility. This is a security update.
https://zoom.us/

Media Updates

These are unlikely to be of interest to most people.

3tene 2.0.19 improves compatibility with VRoid Studio and adds Leap Motion. This is not a security update.
https://en.3tene.com/

Plex Desktop 1.39.1.2763 resolves code signing. This is not a security update.
https://www.plex.tv/media-server-downloads/#plex-app

Plex Home Theater 1.9.0.2741 adds audio stream selection, resolves several bugs, and improves stability. This is not a security update.
https://www.plex.tv/media-server-downloads/#plex-app

Plex Media Server 1.25.2.5319 resolves several bugs. This is not a security update.
https://www.plex.tv/media-server-downloads/#plex-media-server

Game Updates

These are unlikely to be of interest to most people.

GameMaker Studio 2.3.7.606 improves reliability and performance, and resolves several bugs. This is not a security update.
https://www.yoyogames.com/en/gamemaker

Nintendo Switch 13.2.0 improves stability. This is not a security update.
https://en-americas-support.nintendo.com/app/answers/detail/a_id/22525/kw/system%20updates/p/989

PS5 21.02-04.50.00 improves performance. This is not a security update.
https://www.playstation.com/en-us/support/hardware/ps5/system-software/

Steam 2021.11.19 resolves several bugs, improves reliability and stability. This is a security update.

Office Updates

One or more of these are likely to be of interest to most people.

Audacity 3.1.2 improves stability. This is not a security update.
https://www.audacityteam.org/download/

Blender 3.0 is a major new version with dozens of new features, improvements in modeling, shadows, geometry and more. This is not a security update.
https://www.blender.org/download/

LibreOffice Fresh 7.2.4 is a security update.
https://www.libreoffice.org/

LibreOffice Still 7.1.8 is a security update.
https://www.libreoffice.org/

Notepad++ 8.1.9.3 resolves several bugs and improves diagnostics to troubleshoot a persistent crash bug. This is not a security update.
https://notepad-plus-plus.org/

Paint.net 4.3.4 resolves several bugs. This is not a security update.
https://www.getpaint.net/

PDF-XChange Editor 9.2.359.0 resolves several bugs. This is not a security update.
https://www.tracker-software.com/product/pdf-xchange-editor

Adobe Premiere Rush 2.0 is a security update.
https://helpx.adobe.com/security/products/premiere_rush/apsb21-101.html

Adobe Experience Manager 6.5.11 is a security update.
https://helpx.adobe.com/security/products/experience-manager/apsb21-103.html

Adobe Connect 11.4 is a security update.
https://helpx.adobe.com/security/products/connect/apsb21-112.html

Adobe Photoshop 22.5.4 and 23.1 are security updates.
https://helpx.adobe.com/security/products/photoshop/apsb21-113.html

Adobe Prelude 22.1.1 is a security update.
https://helpx.adobe.com/security/products/prelude/apsb21-114.html

Adobe After Effects 22.1.1 and 18.4.3 are security updates.
https://helpx.adobe.com/security/products/after_effects/apsb21-115.html

Adobe Dimension 3.4.4 is a security update.
https://helpx.adobe.com/security/products/dimension/apsb21-116.html

Adobe Premiere Pro 15.4.3 and 22.1.1 are security updates.
https://helpx.adobe.com/security/products/premiere_pro/apsb21-117.html

Adobe Media Encoder 15.4.3 and 22.1.1 are security updates.
https://helpx.adobe.com/security/products/media-encoder/apsb21-118.html

Adobe Lightroom 5.1 is a security update.
https://helpx.adobe.com/security/products/lightroom/apsb21-119.html

Adobe Audition 14.4.3 and 22.1.1 are security updates.
https://helpx.adobe.com/security/products/audition/apsb21-121.html

Security Software Updates

One or more of these is likely to be of interest to most people.

Tails 4.25 adds backups, external storage support, updates applications and resolves several bugs. This is a security update.
https://tails.boum.org/install/dvd-download/index.en.html

BelArc Advisor 11.1 doesn’t provide a changelog so should be treated as a security update.
https://www.belarc.com/products_belarc_advisor

Chainsaw 1.1.4 improves logging, error handling, and removes progress bar for reliability. This is not a security update.
https://github.com/countercept/chainsaw

Hashcat 6.2.5 improves improves hardware compatibility, performance, and resolves several bugs. This is a security update.
https://hashcat.net/hashcat/#downloadlatest

RogueKiller 15.1.4 resolves several bugs. This is not a security update.
https://www.adlice.com/download/roguekiller/

uBlock Origin 1.39.2 resolves several bugs. This is not a security update.
https://github.com/gorhill/uBlock/releases/latest

VT-CLI 0.10.0 adds support for managing collections. This is not a security update.
https://github.com/VirusTotal/vt-cli/releases/latest

Wireless Network Watcher 2.26 updates internal MAC address database and improves high-DPI support. This is not a security update.
https://www.nirsoft.net/utils/wireless_network_watcher.html

Capture Updates

These are unlikely to be of interest to most people.

SnagIt 2022.0.0 adds several new features including a universal file format, cross-platform markup, and cloud storage, improves performance, and resolves several bugs.
https://download.techsmith.com/snagit/releases/snagit.msi

VideoCacheView 3.08 adds compatibility with newer browser builds. This is not a security update.
https://www.nirsoft.net/utils/video_cache_view.html

Converter Updates

These are unlikely to be of interest to most people.

PDF Creator 4.4.1 resolves several bugs. This is not a security update.
https://www.pdfforge.org/pdfcreator

Utility Updates

These are unlikely to be of interest to most people.

1Password for Mac 7.9.2 improves compatibility and resolves several bugs. This is not a security update.
https://1password.com/downloads/mac/

7-Zip 21.06 adds memory controls, dictionary size improvements, hash validation support, and resolves several bugs. This is not a security update.
https://www.7-zip.org/

Agent Ransack 2022.3277 adds OCR, new themes, improves indexing, and resolves several bugs. This is not a security update.
https://www.mythicsoft.com/agentransack/download/

Bitcoin 22.0 removes defunct protocols, updates privacy and resolves several bugs. This is not a security update.
https://bitcoin.org/en/download

Carbonite 6.4.0 improves compatibility. This is not a security update.
https://account.carbonite.com/

Cygwin 3.3.3 resolves several bugs. This is not a security update.
https://cygwin.com/

DesktopOK 9.44 adds dark theme support, high-DPI improvements, and several bug fixes. This is not a security update.
https://www.softwareok.com/?seite=Freeware/DesktopOK

Etcher 1.7.1 resolves several bugs. This is not a security update.
https://www.balena.io/etcher/

Fido 1.27 adds support for Windows 10 v21H2. This is not a security update.
https://github.com/pbatard/Fido/releases

FileLocator Pro 2022.3277 adds OCR, new themes, improves indexing, and resolves several bugs. This is not a security update.
https://www.mythicsoft.com/filelocatorpro/download

Git SCM 2.34.1 resolves several bugs. This is not a security update.
https://git-scm.com/

GoodSync 11.9.7 resolves several bugs. This is not a security update.
https://www.goodsync.com/

grepWin 2.0.9 improves reliability and adds exact match support. This is not a security update.
https://github.com/stefankueng/grepWin/releases/latest

Homedale 2.01 improves MAC Address vendor detection and IE DFS dump. This is not a security update.
https://www.the-sz.com/products/homedale/

IsMyHdOK 3.44 improves accuracy. This is not a security update.
https://www.softwareok.com/?seite=Microsoft/IsMyHdOK

NTLite 2.3.2.8519 resolves several bugs. This is not a security update.
https://www.ntlite.com/download/

PointerStick 5.61 improves high-DPI support and resolves several bugs. This is not a security update.
https://www.softwareok.com/?seite=Freeware/PointerStick

PowerToys 0.51.1 improves stability. This is not a security update.
https://github.com/microsoft/PowerToys/releases/latest

ReactOS 0.4.13.32 resolves over a hundred bugs, and improves stability, compatibility and reliability. This is a security update.
https://reactos.org/

SearchMyFiles 3.15 improves summary mode, zero-value filters, and search improvements. This is not a security update.
https://www.nirsoft.net/utils/search_my_files.html

Synergy 1.14.2 resolves over a dozen bugs, improves reliability, adds M1 support, and adds automatic restart on settings change. This is not a security update.
https://symless.com/synergy/

TraceRouteOK 2.66 adds dark theme support, high-DPI improvements, and several bug fixes. This is not a security update.
https://www.softwareok.com/?seite=Microsoft/TraceRouteOK

USB Oblivion 1.17.0.0 resolves a key name bug and improves performance. This is not a security update.
http://www.cherubicsoft.com/en/projects/usboblivion

WakeMeOnLan 1.90 adds global and bulk WOL support and updates MAC addresses databases. This is not a security update.
https://www.nirsoft.net/utils/wake_on_lan.html

WhyNotWin11 2.4.3.1 improves stability, hardware detection, and compatibility improvements. This is not a security update.
https://github.com/rcmaehl/WhyNotWin11

WinScan2PDF 7.51 resolves several minor bugs. This is not a security update.
https://www.softwareok.com/?seite=Microsoft/WinScan2PDF

WizTree 4.07 improves MTP/PTP compatibility, reliability, and resolves several bugs. This is not a security update.
https://www.diskanalyzer.com/

ZoomText 2021 2021.2111.4.400 improves compatibility. This is not a security update.
https://support.freedomscientific.com/Downloads/ZoomText

ZoomText 2022 2022.2110.70.400 improves compatibility. This is not a security update.
https://support.freedomscientific.com/Downloads/ZoomText

Developer Updates

These are unlikely to be of interest to most people.

Docker Desktop 4.3.1 is a security update.
https://www.docker.com/products/docker-desktop

Node.js v14 14.18.2 updates libraries and resolves several bugs. This is not a security update.
https://nodejs.org/en/

Node.js v16 16.13.1 updates libraries and resolves several bugs. This is not a security update.
https://nodejs.org/en/

Node.js v17 17.2.0 updates libraries and resolves several bugs. This is not a security update.
https://nodejs.org/en/

Redemption 6.1.0.6054 adds MarkSaved and OverridePSTDisableGrow, and IMAP4 controls, and resolves several bugs. This is not a security update.
https://www.dimastr.com/redemption/

SQLite 3.37.0 improves STRICT, CHECK constraints, and CLI improvements. This is not a security update.
https://www.sqlite.org/download.html

Visual Studio Code 1.63 adds several features and improves compatibility. This is not a security update.
https://code.visualstudio.com/

Virtual Machine Updates

These are unlikely to be of interest to most people.

VirtualBox 6.1.30 resolves several bugs. This is not a security update.
https://www.virtualbox.org/wiki/Downloads

Web Package Updates

These are likely to be of interest only to web developers.

Coppermine Gallery 1.6.16 improves compatibility and resolves a couple bugs. This is not a security update.
https://coppermine-gallery.net/

Drupal 9.3.0 updates libraries and dependencies, improves compatibility, and resolves a couple bugs. This is not a security update.
https://drupal.org/download

HumHub 1.10.2 resolves several bugs. This is not a security update.
https://www.humhub.com/en/download

MailArchiva 8.4.1 is a security update.
https://mailarchiva.com/

Nextcloud Server 23.0.0 is a major update adding massing performance improvements, improved external integrations, Backup and more. This is not a security update.
https://nextcloud.com/

ownCloud Client 2.9.2.6206 resolves several bugs. This is not a security update.
https://owncloud.com/desktop-app/

phpList 3.6.6 is a security update.
https://www.phplist.org/

Piwigo 12.1.0 resolves several bugs. This is not a security update.
https://piwigo.org/

ScreenConnect 21.14.5791.8004 improves reliability and resolves several bugs. This is not a security update.
https://www.connectwise.com/software/control/download

WordPress 5.8.2 is a security update.
https://wordpress.org/

Autoptimize 2.9.3 improves multisite support and resolves several bugs. This is not a security update.

bbPress 2.6.9 resolves several bugs. This is not a security update.

Contact Form 7 5.5.3 improves Constant Contact integration, filters and form properties. This is not a security update.

Slider Revolution 6.5.11 resolves several bugs. This is not a security update.

Social Post Feed 4.1 updates libraries and resolves several bugs. This version will need to reconnect to any Facebook feeds you use. This is not a security update.

Theme My Login 7.1.4 resolves several bugs. This is not a security update.

W3 Total Cache 2.2.1 resolves several bugs. This is not a security update.

WP Mail SMTP 3.2.1 improves compatibility. This is not a security update.

WordPress Zero Spam 5.2.8 resolves several bugs. This is not a security update.

That’s all for now folks. Keep it clean out there. 😉

Regards,

Shawn K. Hall
https://SaferPC.info/
https://12PointDesign.com/

Flash Begone!

Adobe Flash: You Will Not Be Missed

Flash is going to be going away in about a month. Adobe announced the end-of-life (EOL) for Flash about two and a half years ago. Microsoft will be removing the built-in Windows version in 40 days. Flash is currently built into chromium-based browsers (Chrome, Edge, Brave, Vivaldi and so on), and will no longer be included at all in a couple weeks, and the only other browser that has supported it (Firefox) will block it in late December. By mid-January no browser will support Flash and any website that relies on it will have major compatibility problems. Facebook game players have been terrified of this because it’s going to finally kill Farmville.

HTML5 is the replacement for Flash. Flash is closed-source and historically extremely insecure – directly responsible for over half of all malware infections. Flash was originally designed by Macromedia which was later bought by Adobe. Adobe’s entire system has always been designed around closed-source and limiting access to how their software works, which means that it doesn’t have the ability for outside code review or security analysis. HTML5, on the other hand, is open-source, designed by the same people that designed the Internet itself. It does have a digital rights management (DRM) stub which allows publishers to prevent data from being copied (like Netflix), but it’s nowhere near as closed as Flash has been.

Those few sites that lament the loss of Flash don’t understand the risks and troubles that we’ve all experienced as a direct result of this uniquely horrific technology. There are over 1,000 known vulnerabilities in Adobe Flash. At 24 years old, that’s an average of 42 vulnerabilities per year or 3.5 per month. At the time of publication, 652 of the vulnerabilities score a “perfect 10” on the CVS risk scale, and 894 vulnerabilities score 9.0 and above. Put simply, 90% of the known vulnerabilities in Adobe Flash are considered Critical and are capable of completely taking over the affected device.

If you don’t want to wait, you can eliminate Flash yourself using the Adobe Flash Removal Tool.

That’s all for now folks. Keep it clean out there. 😉

Regards,

Shawn K. Hall
https://SaferPC.info/
https://12PointDesign.com/

Do Not Reuse Passwords

Password security is a growing field and the old conventional wisdom of using a “strong” password and changing it frequently has lead to people using the same “strong” password on many different websites, resulting in their complete identity being hijacked when any one of those sites is compromised.

HaveIBeenPwned (HIBP) is a service that collects data dumps from when websites are hacked and uses the data to provide a service to alert users whenever their accounts are compromised. It’s like a central clearinghouse for account monitoring. Unfortunately, by the time accounts are listed in HIBP it is often years after the account has been hacked and the hackers that originally took the account information have had that entire period to make use of your account details. Many websites store their passwords in plain text, and many of the others that do use password hashing algorithms to store only a mathematical representation of the password and not the password itself neglect to use properly salted hashes, which means that those hashed passwords can often be compared with rainbow tables to effectively convert them to their plain text equivalent. Seeing the passwords that people – still today – continue to use is destroying my hope in humanity. For example, “123456” is used by almost 1% of business professionals for their online social interactions. Dead serious.

The trends on these exposed passwords show that there are very common patterns and weak password consideration is the rule of the day. Few people, and by few I mean I could probably count them on one hand, actually do passwords right. It’s time to take your own security seriously, because the evidence shows that many of those you do business with do not.

Here’s the Problem

Weak passwords you’ve used on service x (Yahoo, for example) will be dumped along with all the other passwords on that hacked service. Those same weak passwords will be tested on service y and service z. And everywhere else. This process is called “password stuffing.”

If you reuse even part of your passwords then you open yourself up to being targeted either randomly or by evil people you may already know. “Script kiddies” live and die by their ability to make an example out of people who they feel have done them harm. You could also become the victim of automated scanners that consume the usernames and passwords from these dumps then try them on every known system from Facebook to Gmail to email to banking services. The passwords will be munged in order to test similar or stylistically equivalent passwords. For example, of the LinkedIn hack, almost 2.5 million accounts (or about 1.5%) used some variant of the site name in their password. Those same accounts probably use some variation of the site name in most of their passwords. This can safely be assumed to be done everywhere, meaning that if you use “linkedin123456” for LinkedIn, there’s a good chance that your Facebook password is “facebook123456”.

So when over a million people used “123456” as their LinkedIn password, not only did it expose that as a very commonly used password, but it demonstrated that those million-plus email addresses tied to those weak passwords were used by people that didn’t take security seriously. If you use a weak password anywhere, chances are good that you use weak passwords elsewhere, if not everywhere. If something as quick and easy as changing a password isn’t done, then you also probably neglect your hardware and software. You’re using older and insecure programs. You’re exposing all of yourself with a single simple decision that you think will make your life easier.

It doesn’t. Reusing even part of a password only makes life easier for whoever attacks you. They can stay in their momma’s basement and spend all day throwing your account details at different sites until they get in. When they do, it doesn’t hurt them, it hurts you. Two or three hijacked accounts, or variations on your passwords from multiple dumps show how you think, and the style and scope of password complexity you use.

Again referring to the 2012 LinkedIn hack, there were over 26,000 variations of passwords that included “12” or “2012” in the password. From this we can imply that users will seed their passwords with the year they changed it. The same accounts are probably still using the same patterns with “2019” or “2020” today.

“Different” !== Strong

Usually these dumps are sold on the black market or used by the original hacker for a while before they’re inevitably released publicly. The data is out there so it’s necessary to use defensive passwords.

You can’t just change a number at the end of your password and possibly think that it’s going to make a difference in your security. The delay it might impose against an organized attacker is less than a single second. You can’t create a strong password by typing random characters on your keyboard. You just can’t. The predictive value of muscle memory, social and cognitive signals, and even keyboard bias result in a relatively small set of potential values for manually-generated passwords.

1337-sp34k offers no additional protection.

Using a strong password is no longer a suggestion. To be secure in the current world you must use a strong, unique, randomly-generated password for any and all sites and services. Failing to do so will result in that password being used as the seed to corrupt your digital life later on. Maybe not today, maybe not tomorrow, but soon, and for the rest of eternity.

The rules used to be pretty simple, but were still never observed:

  • DO NOT use a series of numbers and a word or two. (123badpassword)
  • DO NOT use a word or two and a series of numbers. (badpassword123)
  • DO NOT use a word with numbers breaking it up. (1bad2password3)
  • DO NOT use the site name or URL as any part of the password. (mylinkedinpassword)
  • DO NOT use keyboard sequences like “qwerty” or “123456”.
  • DO NOT use any word or name related to you or your life (pets, family, friends, musicians).
  • DO NOT use dates or other simple patterns.

Unfortunately, these rules are still ignored, and even if they were followed to a T, these rules are no longer sufficient for creating a passwords or passphrases manually. Today, any password you can remember is not a good password. It’s time you put the effort into proper password management.

Fortunately, the new rules are actually simpler:

But my browser remembers my passwords!

All modern browsers (Chrome, Firefox, Edge, Safari) have password management built-in. You can use that in order to generate strong passwords and, while short, they’ll be unique for each site. Unfortunately, since these passwords are stored in the browser they can be extracted by any malicious software that manages to make it onto the device or compromise your browser Sync account, where password managers generally use much stronger encryption.

Websites are still catching up to the reality of password managers

Long passwords, 300 characters or more, are not a problem for your password manager, but they’re probably a problem for the site. BofA limits your password to 20 characters. Yahoo limits your password to 128 characters. Facebook allows much longer passwords, but only requires 6 characters and character case isn’t treated as significant so entropy is significantly reduced, especially for shorter passwords.

Some websites and app logins don’t allow you to copy & paste in the password field which means that they often don’t play well with password managers. Others (like AT&T and Yahoo) refuse to allow certain characters in passwords, so randomly generated passwords have to be manually munged instead of allowing them to be truly random.

Nevertheless, failing to use a password manager means that you’re not using random passwords at all, and are likely reusing passwords to your own peril.

The solution is to get a password manager now and immediately start working to migrate your accounts to it. Almost every password manager today offers password analysis to warn you of weak, reused, and known compromised passwords so you can prioritize changing the passwords for those accounts.

What’s your favorite password manager?

Conventional Wisdom on Solid-State Drives

Every time I post about solid-state drive’s (SSDs) there’s always a nay-sayer warning about their “short life” and limited usability. It’s a huge misunderstanding of SSD wear-leveling and endurance to assume that a thousand program/erase (PE) cycles somehow implies that the drive is of less persistent value than a conventional drive. This is wildly inaccurate.

The Old Way

Conventional drives store their information on revolving platters and use magnetic arms to read and assign magnetism to specific locations on each platter. The arms are fragile. The movement of the platters is subject to environmental forces. A drop of only a fraction of an inch can toast your conventional drive. An hour in the car in front of Starbucks or the moisture that makes it through your laptop bag when walking between classes in the rain can kill it. Some are even faulty by design (planned obsolescence) or even if they’re not, can suffer from a random failure at any point in their life from dust or exposure to magnetism or even sunlight. This is the fatal flaw with moving parts. In any entropic system stuff will inevitably go wrong. The endurance you hope for is that gamble that it either won’t be you, or at least it won’t be now.

There have been dozens of studies of both conventional and solid-state drives. Most studies on conventional drives essentially conclude that some are better than others, but that they will all fail randomly at some point. Unfortunately, when it comes to conventional drives there’s really no guaranteed way to know how long your specific drive is going to last.

Even with the best SMART data you can never really plan for when the conventional drive is going to fail. You can look at the brand or model and estimate in months or years, but actual operational time will vary even between devices from the same factory made at the same time in the same room. You just can’t plan for it.

New Tricks

Solid-state drives, however, do not suffer from the randomness of not being able to know for sure if the drive will even survive it’s first year. Due to their lack of vulnerable moving parts, vastly improved tolerances and predictable wear-leveling values, they have a calculable life that can not only be guessed, but very effectively planned and measured. You can pro-actively track with the drive’s own self-diagnostics in order to identify, if not the very hour, at least the week that your SSD will no longer be able to be written to (the data will usually still be readable).

SSDs provide several measures of their PE values to determine drive longevity. TBW and DWPD are basically different faces of the same number of writes before the drive will begin to fail. This can be measured in hours or bytes, but the meaning is consistent between presentations: if each block can be written 1100 times (which is a pretty close approximation based on current market values) then a 250GB drive could have 275TB written to it during its reliable life. A 960GB drive would be able to have just over 1PB (petabyte) written during its reliable life. If you measure the actual writes to your current drive over a couple months (with PerfMon or SMART) you can see exactly how long it would take you to consume that amount. The drive won’t exactly crash and burn on that day, it will just fall out of the vendor-tested effectiveness in a “how many licks does it take to get to the center of a Tootsie Pop” way. Many SSDs will safely write twice as much data or more. You know, as long as you don’t bite into it. 😉

SMART

Every drive for the last 20+ years has supported some level of self diagnostics (SMART), but the detail provided by SSDs is fantastic. SMART provides potentially hundreds of flags to identify, track, and observe various drive usage and diagnostic information. SSDs provide self-diagnostics through SMART that enables you to see their actual writes, reads, and life. Get an SSD and use it a couple months, and you can effectively estimate its life for your actual usage.

For example, my current C: is a 240GB Kingston SSD. As of the writing of this article the drive has been in use for 937 days (2.57 years), and has only been restarted 72 times (roughly twice per month – usually for software updates or installation). It’s written 18,925 GB (<19 TB) in that time, which is about 20.2 GB/day. With the magic 1100 PE number we can safely assume it’ll be able to write about 264 TB in its life. This means that this drive will likely survive another 33 years at my current usage. Give or take.

Now it should be noted that I’m not the typical person, and I do tune the crap out of my hardware (and the hardware of my clients) to ensure we get both the best experience and the best value out of our hardware. I’m not a gamer, but I run more varied applications and services than anyone I know, keeping a lot in RAM and minimizing page file usage to prevent unnecessary writes. This is to say that the typical person with a stock install may only get a “mere” ten to fifteen years out of similar SSD – for a computer where most of the rest of the hardware will be unsupported in 10 years. Task-based users (email + web + Word) could get centuries out of it if tuned properly. Hardcore gamers may only get a couple years, but they will be fantastic years.

I love the performance of my SSD, but believe me when I say I hope I am not still using this drive as my C: drive in 30 years. New developments are made every year and I plan to offload this one into one of my workhorses when I upgrade my primary rig. 🙂

True Wisdom

Should everyone use an SSD as their operating system drive? Yes. Should it be used for everything? No. You wouldn’t haul manure in a Porsche 911, would you?

I use SSDs in all my computers, but for some tasks I use conventional drives as well. I even use a few drives I know are defective but that have great caching capabilities. For example, I do a lot of video transcoding – converting and resampling video to improve quality and performance. This can write as much as 2 terabytes per day on one of my machines. That would kill my Kingston SSD in just over 4 months, so for these I use cheap conventional drives that are disposed of when they inevitably fail. The SSD runs the apps, but the conventional drive acts as a read/write canvas for transcoding. It works very well. But why don’t I just use an SSD anyway – they’re faster, right? Because the performance for video transcoding with FFMPEG is capped at the speed of the CPU anyway, so it’s never going to be bottlenecking at a disk read or write operation on a conventional drive, making use of an SSD a waste of valuable resources.

The choice is yours, of course, but don’t base your decision on whether to buy a solid-state drive on uneducated FUD.

Regards,

Shawn K. Hall
https://SaferPC.info/
https://12PointDesign.com/

New Year, New Fears: Meltdown and Spectre

Happy New Year!

By now you’ve heard about Meltdown and Spectre, the two new CPU vulnerabilities that are getting 24/7 airtime on every news channel.

This is going to really hurt Intel, as it essentially means that a 2 GHz processor is going to effectively run at 1.4 GHz after it’s patched. A 4 GHz processor is going to effectively run at 2.8 GHz. That’s the kind of performance hit that hard-core gamers and industry professionals are waking up to today, and will encourage many to consider alternative CPUs in the future. Unfortunately, while the one issue (Meltdown) only applies to Intel CPUs the other one (Spectre) affects almost every CPU that has been tested.

Meltdown and Spectre are two separate design flaws in the CPUs that mismanage how access to memory handles are controlled. Older hardware and operating systems will never be patched to address these vulnerabilities, and the patches that are currently being pushed for the Intel (Meltdown) flaw have a very high failure rate (as much as 20% for some hardware) often resulting in unbootable devices. My advice is to wait a few days for other people to be the guinea pigs, then install the updates after you get the all clear.

Neither of these affects only Windows. The vulnerabilities are hardware-based, but the current workarounds for them are being pushed into the operating systems to prevent them from being abused.

Meltdown affects every Intel CPU available today, which means that while many Windows computers are affected, every supported Mac is impacted (they’re all using Intel CPUs), and phones and other devices that use Intel chips are vulnerable as well.

Spectre affects just about everything. If your vendor isn’t supporting the device anymore, it will never be patched and the device can never be secured. Every computer hosting every website is affected. Every server. Every phone, tablet, desktop and laptop in the world is affected by at least one of these vulnerabilities. It seems that the only devices immune are certain security devices (dongles) or devices with very limited capabilities. If it can run software, it’s vulnerable.

If you’re a stock market enthusiast this is a good time to invest in mobile hardware vendors – wait a week or so for people to start bailing out in fear and the price to drop. Then buy their ignorance and in a year you’ll be thanking me. There may not be an immediate return, but as chips are released in the next 8-18 months that resolve these problems, security-minded companies and governments will be buying in bulk to replace every single device they currently employ. Talk about a huge surge in purchases later this year. 🙂

I don’t put a lot of stock in what anyone from the government says, so I will defer to the Intel VP who says that the “unfixable” Spectre flaw can be resolved with a firmware update on most supported devices. I assume the same is true for other vendor chips affected by Spectre. Unfortunately, this means it’s still going to be a long-tail fix, since firmware updates can take months to be released for each supported chip and years to be fully addressed, and unsupported hardware will never be fixed. The Intel SA-00086 vulnerability (initially reported in February 2017), for example, which impacts the last 4 full generations of Intel CPUs still has not received patches for most currently supported hardware. Likewise, it’s quite unlikely that Spectre will be fully addressed on existing supported hardware within the next couple years.

Replacing your device isn’t a solution, either, since hardware that isn’t vulnerable simply doesn’t exist yet. We need to hope that operating system vendors will correctly and fully address these problems on current hardware in the very near future.

Now for the good news

If you’re maintaining your devices – installing operating system, application and driver updates, and you’re removing outdated and unused software, and you’re not installing untrusted third party applications that are either unmaintainable or unsecureable, and you have not been installing “bad” programs (warez, fake, or malicious) – then your computer is really at no greater risk today than it was last week. Both of these vulnerabilities require an evil application to be run on your device to be exploited. They are not remote exploits that automatically bypass the other security precautions you may have in place (unlike SA-00086). Remove everything you don’t want or need on your device, don’t install untrusted apps, don’t ever click “yes” in a popup without reading it and understanding the implications, and you’ll probably be OK. Really.

For anyone else that’s not already using my service: If you don’t want to do this all by yourself – let me.