Security issues with Flash Player and Firefox
In this issue
- FIELD NOTES: Security issues with Flash Player and Firefox
- LANGALIST PLUS: New hardware + Win10 upgrade = license trouble?
Security issues with Flash Player and Firefox
A new and critical vulnerability puts Adobe Flash Player users at immediate risk.
Also, Microsoft makes OneDrive less attractive for free users, and a new report shows how Firefox extensions might be too insecure to use.
Warning: Critical out-of-cycle patch from Adobe
Adobe typically releases its Flash Player and Reader updates on Microsoft’s standard Patch Tuesday schedule. So when Adobe releases an update outside of that schedule, it’s typically one to install quickly.
A case in point: This past Thursday, April 7, Adobe released Flash Player Version 21.0.0.213 (more info) to block a critical threat that’s already in use. The update is for all versions of Windows, and for OS X, Linux, and ChromeOS editions of Flash.
As of this writing (Monday morning), Flash had been patched in Firefox but not in Edge, on my Win10 machines. I assume the Edge fix will show up tomorrow in a Win10 cumulative update. (The easiest way to check the version of Flash installed is to open Adobe’s about Flash Player page.)
Note that the new version of Flash fixes 24 vulnerabilities that would presumably have been addressed in the regular Patch Tuesday release. (April’s is due out today.) Look for the usual Patch Watch roundup in this Thursday’s Windows Secrets newsletter.
Some annoying news from MS about OneDrive
If you use OneDrive, you might have recently received an email from Microsoft about upcoming changes to its cloud service. If you didn’t get the memo, here’s the upshot.
In an effort to boost use of OneDrive, Microsoft had been relatively generous with the amount of storage offered to free users. Perhaps taking a page from the airlines’ marketing playbook, the company might have thought that offering 15GB of free storage would attract new users — until the other cloud-storage services followed suit.
But apparently neither of those things happened. So starting July 13, Microsoft will limit free OneDrive accounts to 5GB. But it gets worse: If you currently have 15GB of storage, your account will drop to 5GB. Moreover, Microsoft is dropping the 15GB camera-roll bonus for free accounts. (As recently as this past January, you could “claim” 15GB of free storage.)
Microsoft’s FAQ on this change is a bit convoluted. If you have more than 5GB of data, you can either pay for more storage or purchase an Office 365 account. If you choose neither, you have 90 days after notification to continue using your cloud-based files normally. After that, your account will be set to read-only for nine months. Eventually, you’ll lose access to your files.
Microsoft has also dropped its 100GB and 200GB paid plans. It now offers a 50GB plan for U.S. $1.99 per month. That makes OneDrive useless for those of us who archive large amounts of data. I, for example, currently have over 600GB of photos that I keep both locally and in the cloud. Even OneDrive for Business (more info) is limited to 1TB of storage per user, at a cost of $5.00 per month.
If you’re looking for the best deal for online storage, Google Drive still offers a free, 15GB account. Or you can purchase an unlimited, business account for $10 per month, per user (more info). However, that only applies to organizations with five or more users.
I find Google Drive somewhat cumbersome. By default, files you create with Google apps are stored online but not locally. But other files, such as Office documents, are stored both locally and in the cloud.
Dropbox (site) is still the premium service for cloud storage — but it’s also the most flexible. A free account gets you only 2GB of storage; Dropbox Pro provides 1TB of storage, but at a pricey $9.99 per month. Still, I prefer Dropbox because it lets me easily control which folders are stored on my hard drive. That’s important with phones, tablets, and older notebooks with limited drive space.
Box, another popular online-storage service, offers 10GB of free storage, but its personal paid plan is $10 per month for only 100GB of space.
iDrive (site) has also been mentioned in Windows Secrets. But this service is designed primarily as an automated data-backup system.
Why you might want to dump your Firefox add-ons
Browsers are our window to the Internet, which is why they’re a favorite target for hackers. If you need proof, the major browsers are regularly cracked at the annual Pwn2Own hackers’ contest (more info).
Security probably accounts for Microsoft’s slow inclusion of add-ons for its new Edge browser. Edge launched with no support for browser extensions, and a preview of Edge add-ons is just now showing up in Windows 10 Insider Preview 14316.
On the other hand, Firefox has had a long and extensive history of add-on support. There are hundreds of downloadable apps that make Firefox more like an operating system than a basic browser. And that flexibility could be Firefox’s undoing, according to a report released (PDF) by a group of Northeastern University researchers.
They note that Firefox add-ons have deep access to the browser’s code — and that in turn gives access to key Windows components. In other words, the add-ons are not isolated from each other or from the Firefox code. Their conclusion: It would take about 10 minutes to create a malicious extension that exploits vulnerabilities in other add-ons.
For a layman’s description of how the exploit works, I recommend reading Ars Technica’s April 5 article. I’d not be surprised to see a major security update to Firefox in the not too distant future.
Feedback welcome: Have a question or comment about this story? Post your thoughts, praise, or constructive criticisms in the WS Columns forum. To rate this or other stories, click over to our polls page.
New hardware + Win10 upgrade = license trouble?
A reader wants to upgrade to Win10 and then install a new solid-state drive (SSD). He’s wondering if this two-step process will invalidate his original “digital entitlement” to the free upgrade.
Plus: What software is safe to remove from Windows’ startup queue, and is it better to buy a new PC off the shelf, to use custom-specs, or to build it from scratch?
Will a new SSD mess up Win10 upgrade licensing?
Reader Jonathon English is getting ready to migrate to Win10. But he also wants to replace his system’s main hard drive with a new SSD.
He’s wondering how Microsoft’s Win10 upgrade licensing (aka digital entitlement) will react.
The answer applies not just to Win10 upgrades, but to almost any kind of Windows-licensing failure.
- “Fred, after reading, ‘How to clean-install a Windows 10 upgrade’ (Sept. 10, 2015, Top Story), I have a hardware-related question.
“I’ve not yet upgraded to Windows 10 (I’m still on Win8.1), but I have recently purchased a new SSD to replace my current Windows boot drive. I’d prefer to do a clean install of Win10 on the new drive.
“My plan is to upgrade my current system to the new OS via the update process; then activate the new installation, create Win10 install media, switch out the drive for the new SSD, and finally clean-install Win10 on the new drive.
“Do you think this will work? I am concerned that the change in drive hardware will cause the clean install to fail activation.”
Because you’re handling the changes in separate and distinct steps, rather than trying to do everything at once, I don’t think you’ll have any serious licensing issues.
Microsoft has never publicly said exactly what will (or won’t) trigger re-activation. But in my experience, the triggers aren’t absolute — there’s usually some leeway.
For example, I’ve had some hard drive changes not trigger a reactivation request. But then others have. My best guess: Microsoft factors in not only specific hardware changes, but how frequently a licensed setup has experienced such changes.
In any case, as long as you’re not doing anything illegal or dodgy, there’s almost always a way to get licensing issues resolved.
The following steps can help tilt the odds in your favor:
As with any major system change, start by making a complete system backup so you can, if needed, return your system to a known-good, working — and activated — condition. A full system-image backup is always best.
Next, have readily at hand your current product key (Win8’s, in Jonathon’s case) before you perform the OS upgrade. Also note the new Win10 key after the upgrade and initial activation. If you don’t have the Win8 key written down, you can recover it with any of the available free key-finder tools. Examples include NirSoft’s ProduKey (site) or the hideously named Magical Jelly Bean Keyfinder (site). Note: If a NirSoft download gets flagged as potential malware, you can ignore the warning; NirSoft’s products are legitimate.
Should installing the SSD trigger a new Win10-activation request, you can manually re-enter your new Win10 key. It should be accepted.
If you roll your system back to the older OS and you get a reactivation request, re-enter your original product key — it should be accepted.
When an online reactivation fails, you can usually activate the OS by telephone. From most locations, it’s typically a toll-free process that takes about five minutes.
I can’t promise activate-by-phone will work perfectly in every case, but it’s always worked for me in the half-dozen times I’ve had to use it. As long as your Windows setup is truly legit and above-board (e.g., you’re activating Windows on a single PC with a product key you bought and paid for, or that came with that PC), the activate-by-phone process should work.
Start by finding the correct activate-by-phone number for your location. One easy method is to right-click the Windows Start flag and enter the command slui.exe 4 into the Windows Run box. (Note: This method works everywhere (the entire world) and is valid for Win10/8/7 and Vista.)
The Microsoft end of the by-phone activation process is mostly automated. But you’ll have to answer some questions and do some keyboard entry. Simply dial the number and listen to and follow the recorded instructions; you’ll be given a new activation key to type into Windows.
If you need further help, see:
- “Activation in Windows 10” – MS article
- “How to troubleshoot Product Activation in Windows 10” – MS Answers article
- “Install, upgrade, & activate” – MS article
What’s safe to remove from the startup queue?
Depending on your setup, Windows startup might load some apps, a bunch of apps, or even no apps at all. The more apps that load this way, the longer your PC’s startup time will be.
That prompted Barry Karas to ask:
- “What are the essential startup programs in Windows?”
Although many apps might place themselves in the startup queue, there are very few that must run when Windows boots. In fact, Windows can boot without anything in the startup queue!
What’s in your startup queue? Here’s one easy way to find out:
- Win7 and Vista: Enter msconfig into the Start/Run box and then select the Startup tab.
- Win10/8: Enter taskmgr in the right-click Run box and then select the Startup tab. (If Task Manager’s initial dialog box doesn’t have a Startup tab, click the More details link to reveal it.)
Items listed on the Startup tab are preloaded into memory at boot time. This allows the apps to start working right away, or to be ready for a fast response when you call on them later.
But this preloading process is a tradeoff. It takes time to load these apps, which makes your startup process slower.
Conversely, if an application isn’t loaded at startup, you should have a somewhat faster startup but opening the software later might take a skosh longer. Again, it’s a tradeoff.
In some cases, preloading is a good thing. For example, you obviously want your full-time anti-malware program and other security tools up and running as soon as possible. If this type of software appears in your PC’s startup queue, it’s probably best to leave it alone.
Other, less-essential apps can be in the startup queue for no good reason. These apps may be safely removed or disabled.
For example, I’ve seen some print managers load at startup. But why? Who prints anything before Windows even finishes loading?
There’s usually no harm in removing this kind of software from the startup queue. For example, that non-preloaded print manager will still load and work normally later, when you actually print something. But the first print job might take slightly longer to get started.
It’s usually safe to experiment with startup apps. In msconfig or taskmgr, disable whatever startup apps you think don’t require preloading. Next, reboot the system and see what happens. The usual result should be a slightly faster startup and slightly slower first-use of whatever app you removed from the startup queue.
Later, if you prefer that Windows preload a given app, just re-enable the app on msconfig’s or taskmgr’s Startup tab.
Win8/10 users note: The Startup tab on Task Manager is a power-user’s delight. Not only does it list all software that normally launches at Windows’ boot, it also shows you whether an app has a high, medium, low, or no impact on startup time. This makes it incredibly easy to key in on the apps that might be slowing down your system startups. For more, see the June 12, 2014, Best Practices, “A visual tour of Win8’s new Task Manager.” Win10’s Task Manager is essentially identical.
Best new PC: Build, spec, or buy off the shelf?
Alan Burt needs a new PC, but is unhappy with the choices available to him.
- “What happened to our ability to custom-configure new computer purchases? Now all I see is off-the-shelf computers.
“By being able to custom-configure my new computer purchase, I feel that I got what was important to me in regard to CPU choices, amount of memory, hard drive/SSD, DVD/Blu-Ray, ports, and other choices.
“Based on my past experiences, I was also assured that the combinations I configured had been tested by the manufacturer as being compatible.
“Is the current lack of custom-configurability a temporary state, until computer manufacturers get rid of their backlog of ready-made computers?”
No, I don’t think it’s a temporary thing: It’s much cheaper for manufacturers to crank out large numbers of PCs in a few standard configurations than it is to allow for extensive customization.
Standardized setups also help to reduce after-sale support issues, further reducing costs.
But if you can’t find a ready-made PC that meets your needs, it’s still possible to configure your own. You can start with what’s called a bare bones kit — a box, mainboard, cpu, and power supply — and add on whatever other hardware and peripherals you wish. Or you can go even further and buy all the components as separate pieces, either singly or as assemble-it-yourself kits.
For example, check out offerings from Newegg, TigerDirect, MicroCenter, CPUsolutions, and others.
You also can search online for kits (e.g., enter “build it yourself pc kit”) or individual parts (e.g., enter “computer memory,” “cpu,” “computer case,” “PC power supply,” and so forth).
But before you dive in with a do-it-yourself PC, shop carefully to make sure that there really are no factory-built models that meet — or almost meet — your needs. Rather than do the whole thing from scratch, it might be cheaper to buy a PC that is almost what you want; then make a few modifications such as adding RAM or an SSD.
Back in the day, I used to assemble or kit-build almost all my PCs, but due to today’s commodity-level pricing for common PC parts, I no longer do so. It’s just not worth it.
So, again, shop carefully. You just might find that it’ll actually cost you more to assemble your own custom PC than to buy a similar unit off the shelf!
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).