Firefox Security Hole Is Why You Need An Adblocker And An Update

Windows:

  • When I clicked “Help” then “About Firefox” it immediately downloaded the patch.  
  • Click on the “Restart Firefox To Update” button.

Linux (Debian)

Assuming you have “real” Firefox installed and the sources in place.

  • Open Terminal as Root.
  • Smile because you have Root.
  • apt-get update
  • apt-get upgrade
  • Restart Firefox when you click on the button that appears.

Other Linux Distros will vary, of course.

Mac apparently does not have the problem.

What happened?  Hackers.  Simply put, a Hacker exploited a hole in Firefox so that advertisements could push some code onto your machine to take it over.

Now, this business about ad blockers.

I run one and I use it very aggressively. It is for this reason.  It is also that I truly hate being pandered to and watched.

The latest trend is to watch what you are doing via “tags”.  A 1 pixel “dot” of a picture will be pushed to your browser as an anchor for them to watch what you are doing.

The best thing for you to do is to run an ad blocker.  You tell it what to block, and yes, it gets very technical because you have to take responsibility to block these things.  For the most part, an ad blocker with (free) subscriptions will block most, but never all, of these nasties.

When you run an ad blocker you will also notice that your browser runs much faster since it isn’t trying to paint all those ads for all those products that you will never use.

Let’s be honest, have you ever actually clicked on an ad intentionally?

Me neither.

Heck, I don’t even see youtube commercials because I run an ad blocker.

The easier one to use is Adblock Plus.  It is controversial because they allow certain advertisers to pay *them* to be allowed past the blocker.  I would recommend this for basic users because unless you want to learn how to use it, it’s pretty simple.

The one I am using is called uBlock.  I’m still learning how to use it.  It removes the ads, but I haven’t figured out how to make it remove the blank space the ad created.

It’s up to you.  Ads and Hackers, or a better browsing experience.  I know what I chose.

Now, if you will excuse me, I have a browser to restart.

Another Day, Another Adobe Flash Exploit

Flash used to be what I would call “Update of the Day Club”.  Start your computer and get into doing what you need, and surprise of surprises, there would be an update window popping up for Flash.

We seem to be back to that.

It’s a nuisance because with at least Firefox, it forces you to close your browser and go through the nonsense necessary to restart it.  Since Firefox isn’t exactly 100% accurate in reopening pages and tabs, I hold my breath each time.

In this case, there’s no reason to trash Firefox.  There was an exploit found with “Shockwave Flash” as it shows up in the addons page and it tells you it wants to be updated.

Except.

There is no update as of this writing.

So? What do you do?  Tread lightly, my friend.  What you need to do is put yourself through a bit of annoyance or uninstall the blighted software completely.

Since the annoyance is less of a problem than uninstalling Flash at this time, I’ll show you how to do that.

What I am doing is to tell the browser to ask me to run it.  I was going to uninstall it completely.  Youtube does not use Flash as a default to play videos any longer, favoring the newer HTML5.  Facebook does use Flash and at this point it does not apparently use HTML5.

Here is how to go in and tell Flash to run when you want it.  It will leave an ugly placeholder in Facebook with a grey Lego brick or the international symbol for no, and some warning messages, but you can always turn it back on to watch that particular video of a dog doing something cute if you really want to.

In Firefox:

In the address bar enter:   about:addons and hit enter to load the page.

On your Addons page:

  • Find Shockwave Flash
  • Click the button that most likely says “Always Activate” and select “Ask to Activate”.
  • Click the link to “Check to see if your plugins are up to date” to open another tab.

On your “Check Your Plugins” Page

  • Click the big red button that says “Update Now” under “Potentially Vulnerable Plugins” and follow the prompts to update your Flash.
  • This space intentionally left blank.
  • Flash will update through multiple steps that are documented on Flash’s site.  
  • They include downloading a program.  
  • Make certain that you clear the box that asks if you want to download any “Optional Offer” like McAfee or any other “helpful” programs since they are not helpful and will simply clutter up your computer or it could even lock it up.
  • Flash’s install will require you to close your Firefox, so save your work.
  • Note:  As Of This Writing, there is no update to Flash that will fix this problem.  That is why I told you to set Flash to “Ask To Activate”.
  • Flash will not be updated on Android, Apple’s IOS, or Linux.
  • Flash will eventually be updated on Windows 7 or newer, or Mac OSX… just not as of this writing.

Youtube Prefers HTML5 Video to Flash – But What About All That Old Stuff?

Flash is one of those necessary evils.  It was like Java, reflexively installed onto computers that weren’t really quite up to the task of running it. Just checked, nope, I don’t have Java – and you should not either.

The computer would bog down, act cranky, and even crash when Flash was running.  Flash also has persistent cookies that you had to remember to delete.  Some people would have those cookies for years.  Security is a bear.

But there is one more nail in Flash Player’s coffin.  Youtube is now preferring HTML5 over Flash when you watch videos there.

Why is that important?

More and more Flash had been the target of people wanting to hijack passwords, insert viruses, and track your movements with those persistent cookies.  Adobe had put more and more patches into it and it became a joke.  Start the computer, patch Flash, restart the computer and do your work – every single day. 

Worse, some people that I supported would simply tell the update check to go away and never come back.

You are getting closer to the day you can do that for good. Many of us already have.

My Linux computer, currently Xubuntu, is not even supported on current Flash Player, and I did an uninstall of it a couple weeks back.  I didn’t see the value of keeping an old piece of software on something that was running well without it and that I almost never used.

My Windows computer will get the same treatment.

About the only thing I ever do with Flash is to watch videos on Youtube.  The few games that I have kept over the years will get deleted.

That’s about the only problem that I see with this.  Videos can be streamed using “native tools” but the content that was created in Flash will simply go away.  Quite a lot has been created in Flash over the years, even a few Broadcast TV Programs, and many commercials as well.

After all, when was the last time you played a video tape?  Beta?  VHS?  Vinyl Records?

That is the kind of problem that Librarians have.  Content on a platform that is unsupported.  Music on Cylinder Beeswax Records from the Edison era.  78 RPM records.  Heck, I even have a few 45s floating around here.  Silly looking 7 inch donuts.

For most of us, it’s simply easier to find the track elsewhere and save it on something new.  But for librarians, especially archival libraries, they have to worry about that sort of thing every day.

Anyone still have and use a zip disc?  Nope?  Didn’t think so!

So the net result to you is that if you are running one of the four major browsers in one of the top four major operating systems on the desktop/laptop you’re fine.  Just make sure your browser is up to date.  Firefox, Internet Explorer, Chrome, and Opera all work with HTML5.

See, that’s easy!

The iPhone and Android based phones will typically use the Youtube client or the browser will take care of it.

One aside though, with Android, it’s usually recommended that you do not use the base browser and go out and grab either Firefox or Chrome.  The reason is that if you are on an older version of Android, Google is not going to support the old “Browser” browser.

So it’s just safer that way.  Listen to big brother even if it is a bother.

Ok?

New Firefox and Other Browser Update Weirdness

I’m settling in to get some things done and notice a blurb.

There’s going to be a rollout of the next Firefox over the next few weeks.  I pay close attention to that because I use Firefox extensively.  I’d be lost without it. 

I’m so tightly trained to use Firefox that I have to step back and actually “think” how to use any other browser.  Since I use Windows 8.1, Windows 7, Mac OSX Mavericks, and Debian Linux on a daily basis as well as Android and an occasional toe dipped into Apple’s iOS, I have to remain as flexible as possible and Firefox is on all of those computers. 

Except the iPhone but I hardly ever use them.

I will eventually install Firefox on the Windows machines when it tells me that it is available.  I’m not in a rush.  The last time they changed the way it looks, the User Interface or UI, it borked it for me.  I ended up installing things to make it look the way it did before I updated the browser while growling at Firefox in general.  Keystrokes and mouse clicks and all that moved.  They removed the status bar. The bookmark strip got lost, or rather hid, and that stores some of your bookmarks.  They removed the title bar.

Why?  Never heard a reason, but I installed Classic Theme Restorer and it brought it all back.  Immediately after that I installed Adblock Edge to get rid of the blasted adverts and other nasties that hitch a ride onto your computer as a result.  More Privacy means for a faster experience as well as fewer viruses and spyware pushed onto your local computer.  Nobody actually “Likes” ads anyway, we accept their presence and usually are annoyed or distracted by them, but “Like”?  I doubt it.

Rule Number One of Software User Experience (UX) is if you change the way something looks, you will break the way people work.  I learned that back in the days of the Mainframe and College. 

Rule Number Two of Software User Experience is that if you do change it there will be unintended consequences.

In My Case:

I have a computer that has what they call a “Clickpad“.  It’s also running Debian Linux.  I know Linux in general fairly well, but Debian Linux doesn’t manage Clickpads well.  Clickpads are those weird trackpads that are flush with the case.  You click on the pad instead of having normal buttons like every other Synaptic trackpad. 

I do know that is fixed in the next version of Debian, and I do know how to fix it now, but it is an annoyance that I have to deal with.  It basically forgets that it has a physical button in Debian Stable/Wheezy, and you’re stuck with whatever you touch on the trackpad.  I only get a Right Click when I tap.  I have since configured a two fingered tap to be a Left Click.

What all that change did is to break the way Firefox works.  You see, on that particular computer, I can’t Right Click.  I can’t get the pop up context menu.  They changed the UI right away from it. 

Since that machine is Debian Linux, I have to wait for the next version anyway.  It isn’t even using Firefox, but something rebranded as “IceWeasel“.  To put it short, and sarcastic, Debian had a spat with Firefox over the branding.  Since Firefox/Mozilla doesn’t want anything proprietary at all on their default install, someone in the Debian Project grabbed the source code, recompiled it, created the graphics, and renamed everything to IceWeasel.  It works like Firefox but is Older.  About a version back. 

If you’re running Stable, or Wheezy, you could be quite a few versions back.  Jessie has a more current Firefox, but it also has a lot more annoying bugs in it because it is “Testing”.

But Windows?  Yeah, you’ll get it soon.  Just remember Classic Theme Restorer and Adblock Edge, and you’ll be fine.

As for the Mac?  When it is available, you’ll get a blip on the bottom of the screen telling you you’re ready for an upgrade.  You can also go back to the old theme if you want, but I do recommend Adblock Edge as well.

Why the harping on the ads?  It’s a much faster browsing experience when you surf a page without the ads.  No blinky pictures, crawling things, or text ads.  If you don’t download them, you use less data.  Things pop faster.

Trust me on that one.  You can always turn it off later.

Thanks, Apple, But I Think I’ll Pass on Yosemite

I have computers on Windows, Mac OSX, and Linux.  Various levels and flavors of all of the above actually.

There’s always the question as to when or whether to upgrade them.

Linux is pretty simple – when your distribution changes, give it a week or so and listen to the chatter.  If the chatter is clear, go for it.  I’ve never had a problem here.

Windows.  I have a Windows 7 machine that won’t get upgraded because it’s an old Core 2 Duo machine.  It will either die before Windows 7 does or it will get given away.  Windows 8 became Windows 8.1 as soon as it was offered to me.  Windows 8 was an abortion, Windows 8.1 is manageable.  Just add Classic Shell and it cleaned up almost all of that Modern/Metro hideousness and pushed it aside.  Classic Shell made that ugly block land go away and replaced it with all the desktop land goodness that I need to get things done.  It’s still there, lurking under the hood, but I couldn’t tell you the last time I had to use one of those ugly blocky programs that Microsoft mistakenly thinks I need to slice, dice, and make julienne fries.  Other than network access which the Modern/Metro interface gets in the way massively and then drops you back to a desktop app to actually get the job done to disable and enable things.

I don’t.  ‘Nuff said about that.

Then there’s the Mac.  I always liked the sleekness and the design of them.  Beautiful hardware, a well thought out interface.  When I need to use my Mac, it is almost always a pleasure.  I got the thing, installed Snow Leopard, and it purred.  When the Mavericks upgrade was offered, it was free so why not?  I noticed no real problems there, and since I am a lightweight user of my Mac it’s fine.

I’ve heard reports that Mavericks slowed memory access from the prior version, Lion, but like I said: I’m a lightweight user so I don’t notice.

They put out a new operating system, Yosemite.  Since I knew about the memory speed issue, I thought I’d wait.  Let the experts go after it.

I’m glad I did because there are some privacy issues that made me uncomfortable with things.

Everyone likes having search functions on their computers and generally doesn’t think twice about how things are done.  What happens is that the information you are looking for is sent back to the program to check its indexes and report back to you when it finds what it thinks is the right answer.

That was all well and good back in the good old days when it was enough just to search this current computer.  Some smart people decided that they’d go out and do a search on the internet to give back more content.   It’s a built in function on the desktop called Spotlight that phones home to Apple and does that search. 

Fair enough if you’re actually doing an internet search.  But why do you need that search to go back to Apple if you’re just looking for a file on “this” computer?  If you are searching for movie information or maps, it’s going to send back your current location, as well as the current device you are on, and anything else that it thinks is pertinent such as language settings and what apps you have used.

To be fair to Apple, you can turn this off, but I have done enough support to know that unless someone turns that sort of thing off for you it won’t get done. 

The flip side to that is that if you have turned it off, location services are one of those things that get rather naggy to have turned off.  Your searches get a helpful prompt asking you to turn on location services and eventually you wear down and just leave them on.

Checking my Android phone, location services is turned on there, and we know that all that sort of thing goes on there with Google.  If you want a smartphone these days, you are either going to have Apple or Google put their hand in your pocket and watch over every move you make that they believe they need to, it’s part of the game.

The idea of having big brother was scary enough when I read 1984, but the reality is that we all now have that big brother in our own pocket and don’t think too much about it.

Nothing to see here, keep moving on.

All this was reported in the Washington Post’s technology blog a while back, and apparently Apple has been taking heat about their decisions to make these changes. 

There is a website called fix-macosx.com that promises to give you information how to take back some privacy and turn off some of Apple’s data collection.

This all is a change of heart since the old days where the Mac was more privacy friendly.  Now, they’re going all in and sucking down all this info while you happily go along with it.  Since Apple is notoriously tight lipped about what they do internally, I suspect that it will be a long time before we find out just exactly what they’re doing with all that data.

No thanks, I’ll pass.

Security? Poodles? Sandworms? Here we go again.

If you have any passing interest in computer security, you have noticed a few announcements go by.

If you don’t, you may think it is overwhelming.

Yes, and Yes.

If you are worried, there’s a simple solution.  No matter what the computer, no matter what the operating system – make sure you are up to date.

Most home users are set up “from the factory” to automatically get updates.  This is true on Windows and on Mac OSX.  My Linux computers pop up a friendly sunburst to say it’s got updates too.

In both cases this will solve these two problems.

Poodle – Make sure your browser is up to date.  Windows update will fix this.  It is a low level problem that is more of a headache for systems administrators. So it’s not a major headache for most people.

The long description that 99 percent of us can skip is that it’s a bug that Google has found in the Secure Sockets Layer (SSL) version 3 that is seriously out of date.  It shouldn’t be used at this point anyway, but some folks haven’t updated that.

Sandworm – It’s a worm that goes after Powerpoint files.  Since Windows machines are set up to ask you if you want to open the file, don’t.  If your computer asks you to open anything with a “.INF” extension, don’t.  That is how the worm will propagate.

How to fix it?  Home users, make sure you go through your Windows Update.  It’s a windows problem.  But anyone else should be running the most up to date version of their operating systems that they can.  If their operating system is no longer supported, it’s best that you upgrade as best you can.  No more XP for you.

While you are at it, make sure your virus protection is up to date and you may want to just force a run of a full scan.  You never know what is running around on your computers these days and it is just good practice to do this once in a while.

Shellshock – A BASH bug that affects Linux and Mac OSX … and everyone on the web

Yeah, scaremongering isn’t the best.  Luckily for those of us who run Linux, the fix is easy.

It also affects some Mac systems, although you will need to test and get your own upgrades.

It is possible that it affects Android systems as well.  I did the test on my tablet running CyanogenMod this morning and it was safe.  Your Mileage May Vary.

How this affects Windows is straightforward: it’s another one of those low level things in a web server that can bite us later, and since Linux powers many websites, you are affected indirectly.  Think of what the Heartbleed problem was and how you went in and changed all your passwords to protect yourself.  Good idea to start changing them again!

The bug is called “Shellshock”.  The specifics are that it allows a ne’er do well to hack into an unpatched Linux server and gain full control via something called the BASH shell.  That is a bad thing because with control over bash, you can gain full control of the entire computer.

There is a test and full explanation of all the geekery under the hood here at this link at www.ArsTechnica.com if you care to dig deeper.  Basically, just go in and do a full update of your machine and make sure you see bash updated. 

The test is this line in terminal.

 env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

vulnerable
 this is a test

An unaffected (or patched) system will output:

 bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for `x'
 this is a test
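
Here is that same test wrapped in a small script, as an added example that is not part of the original post. It runs the one-liner against each copy of bash it can find and reports a verdict for each; the function names, status words and list of paths are assumptions made for this example.

```shell
#!/bin/sh
# Added example: wraps the one-line Shellshock test from the post.
# Function names, status words and the path list are assumptions.

# classify_output TEXT -> prints "vulnerable", "patched" or "unknown"
classify_output() {
    # On a vulnerable bash the injected command prints the word
    # "vulnerable" on its own line before the real command runs.
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo vulnerable
    elif printf '%s\n' "$1" | grep -q 'this is a test'; then
        echo patched
    else
        echo unknown
    fi
}

# check_bash PATH -> runs the post's test against the shell at PATH
check_bash() {
    bin=$1
    if [ ! -x "$bin" ]; then
        echo missing
        return 0
    fi
    # stderr is dropped: a patched bash may print warnings there (or
    # nothing at all), and they are not needed for the verdict.
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo this is a test' 2>/dev/null) || true
    classify_output "$out"
}

# check_all PATH... -> one "path: status" line per candidate shell
check_all() {
    for b in "$@"; do
        printf '%s: %s\n' "$b" "$(check_bash "$b")"
    done
}

# The package update only replaces the packaged bash, so look at
# hand-installed copies too.
check_all /bin/bash /usr/bin/bash /usr/local/bin/bash
```

Run it once before and once after the update; any line that still says "vulnerable" afterwards is a copy of bash the package manager did not replace.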

Mac OSX is based on something called BSD, and bash comes with it in their terminal.  If you have an older Mac that is acting as a server, look into a patch.

I personally did the fix last night on my Debian system while I was half asleep.  Really trivial to fix.

In a root terminal –

apt-get update
apt-get upgrade

It went out and updated my list of available updates, then upgraded those that needed it.  The package “bash” was included.

CentOS came up this morning with a bubble telling me to install updates.   It worked.  No problem.

I tried it out on my RaspberryPi machine and yes, that was affected.  The patch worked, and the picture is below. 

Here’s the thing, it may affect Android tablets and phones depending on whether bash is installed.  It’s a very basic and well known tool, so you will need to make sure you can patch the tablets. 

However, it’s highly unlikely that some average dude walking down the street with a year old Android phone with an unpatched system will have a problem.  Someone would have to know you’re there, get into your machine, and do the hack to gain control.  You aren’t the person they would be looking for, it’s that big web server sitting somewhere like a store or a bank that they’re going to hack.

Just accept the updates if you have manual control of whatever computer you are using, phones and tablets included.

If you are “going into” your machine, set your update preferences to allow security updates automatically while you’re at it since that makes it easier to administer the machines.