It seems very on-brand for 2020 to end with some wild security news. Google outages, major Android apps with vulnerabilities, a no-click (and wormable) iPhone exploit, and, of course, SolarWinds.
WordPress
The good news (such as it is) is that there wasn’t much happening in WordPress this month.
- Contact Form 7: A very popular plugin with over 5 million installs. Like its name suggests, this plugin allows the website owner to create contact forms and upload files. While Contact Form 7 did have protections in place to sanitize malicious uploads, the vulnerability shows that it may be possible for an attacker to bypass some of these sanitation methods, thereby allowing a malicious file to live on your web server. If you have Contact Form 7, you should update immediately, but this vulnerability only affects users that have file uploads enabled on contact forms. The patched version is 5.3.2.
- PageLayer: A plugin with over 200,000 installs had a vulnerability discovered in early November that would allow an attacker to execute malicious JavaScript in a site adminstrator’s browser. Properly crafted, this code could lead to a site takeover. A fix for the vulnerability was released on November 9 (version 1.3.5). Make sure you update!
About the only other big WordPress news this month was the release of WordPress 5.6. This update does have some new features, and does have some behind-the-scenes changes, so it’s important that you back up your site before you update!
As always, if you need help with your WordPress (or SquareSpace, Wix, or raw HTML) web site, please contact me! My WordPress Maintenance Plan will help keep your site secure. If you need a new site (or just a new look) we can work together to make something that will help you and your business grow!
Google’s Killing…
This month, Google didn’t mess around with killing both physical products and software.
Google is discontinuing the Google Home Max – Google’s biggest and most expensive ($400) speaker.
The Google Home Max went on sale in 2017, but (likely) never sold in the same numbers as the orginal Google Home or Home Mini. Both those speakers have been replaced Nest-branded devices (the Nest Audio and Nest Mini). Google has not yet announced a replacement for the Home Max.
Speaking of ignored…Google is also killing Android Things – Google’s IoT platform – in January of 2021.
Android Things was supposed to be a stripped-down version of Android, suitable for use small IoT devices, but the OS never caught on with device manufacturers. Google never sold an Android Things-powered device.
Google Services
You’ve probably heard about the Google outage that happened on December 14th. It was fixed quickly, but it took down almost all of Google’s services. Google Maps, Google Drive, GMail, Youtube, Google Calendar, and more were all down.
According to BleepingComputer, the outage wasn’t caused by a network attack, but rather by Google’s Identity Management system running out of storage space to properly verify authenticated users were logging in.
Proof that no company is above having technical difficulties!
Android Vulnerability
Several popular Android apps are vulnerable to an attack that allows a malicious app to steal sensitive data, like login credentials, messages, contact information, and other data.
The catch – the vulnerability is not in the apps, but in the Google Play Core Library, which has security bug.
The vulnerable apps are still using an older, unpatched version of the Google Play Core Library. The only fix is for the developer of the app to update their Google Play Core Library version to use the latest version.
This is (generally) very simple, but it has to be done by the developer. There’s no way for end-users to patch or fix the vulnerable apps themselves. The vulnerable apps include:
- Microsoft Edge browser
- Viber
- Cisco Teams
- Moovit
- OKCupid
- Grindr
- Xrecorder
- PowerDirector
- Booking
As you can see, there’s some very popular apps in this collection. Hopefully the developers will update these apps soon! This is just additional proof that in the internet-connected world, updates matter.
Apple
A pretty incredible iOS vulnerability was found that allowed an attacker to remotely compromise an iPhone over the air and without any user interaction.
Google’s Project Zero found the Holy Grail of exploits for the iPhone. An attack that would allow an attacker to remotely compromise an iPhone over the air (and without user interaction). The technical details are fascinating (you can read them here), and show how chaining together exploits can lead to a full device takeover.
One big plus, though, is that this vulnerability was patched back in March, 2020 in iOS 13.5. Since this iOS version is available for iPhone 6S or later, it’s likely that a majority of iPhones are patched.
Still, this is an incredible case of using a single vulnerability to completely take over a phone. If that wasn’t bad enough, this attack was wormable – so it could spread to other, nearby iOS devices. If you’re interested in the technical details, check out the Project Zero link!
SolarWinds Hack
By far the biggest news this past month (and likely for 2020) is the far-reaching hack on the security company SolarWinds.
This story was first broken on December 8, when security company FireEye revealed it was the target of hacking. Initially, it was not known how FireEye’s security was penetrated, but they did discover several proprietary tools that were stolen. They quickly understood that this was the work of a very competent hacking group.
A few days later (December 13), FireEye (with help from numerous other sources) was able to determine the source of the intrusion was SolarWinds’ Orion IT software. Hackers had penetrated SolarWinds security back in March(!) and added a backdoor to a legitimate Orion DLL. This backdoored file then was sent out to 18,000 Orion customers.
It’s not clear what this backdoor could do, but possibilities range from giving attackers access to networks, installing malware, stealing data, etc.
The good news (as it were) is that it appears that not all 18,000 potential networks were breached. This points to a very professional and well-organized group, however, since they only went after their primary targets. The bad news is that after discovering this intrusion, it’s basically impossible to guarantee the security of the compromised networks.
As of today, the current list of known victims includes:
- FireEye
- Microsoft
- VMware
- US Department of the Treasury
- US State Department
- National Institute of Health
- Department of Homeland Security
- Department of Energy
- US National Nuclear Security Administration
Only time will tell the fallout from this. But since malicious actors have likely been in multiple US government networks for months, it won’t be good.
Leave a Reply