It was (another) busy month in security and technology news – but that seems to be a constant theme these days.
This month I discuss the Apple event, Google’s FLoC (which is not popular), Facebook’s new(est) breach, lots of tech obituaries (from Android, Microsoft, and Logitech), and, of course, WordPress.
This was a busy month in WordPress security! Are you keeping your site up-to-date?
As always, we start with some of the most impactful plugin vulnerabilities.
- Redirection for Contact Form 7: This is a plugin designed to bring extra features to Contact Form 7. A collection of vulnerabilities in this plugin could allow a relatively knowledgeable attacker with subscriber-level access to delete posts, install arbitrary plugins (which could contain additional vulnerabilities), and execute code on a compromised site. These vulnerabilities were patched in version 2.3.4.
- Various Elementor Extensions: The Elementor plugin is designed to make page design easier. In addition to providing a wide variety of page creation functionality, it also has an extensive ecosystem of plugins that can hook into Elementor to provide additional functionality. I mentioned one such plugin vulnerability last month (in The Plus Addons for Elementor), but it turns out there were more with different vulnerabilities. Some of the vulnerable plugins (that have now been patched) include:
  - Essential Addons for Elementor
  - Elementor – Header, Footer & Blocks Template
  - Ultimate Addons for Elementor
  - Elementor Addon Elements
  - WooLentor – WooCommerce Elementor Addons + Builder
  - PowerPack Addons for Elementor
  - And many others. You can find a complete list on this Wordfence post.
WordPress Hacking Bounty Increased
A company called Zerodium is increasing its payout for any hacker who finds and exploits remote code execution (RCE) in WordPress core.
The new payout is $300,000 – a 3-fold increase from the previous $100,000 payout. To get the payout, the exploit must work on a new, clean version of WordPress with the default configuration and no user authentication.
While this isn’t a problem yet, this means that hackers are going to be taking a much harder look at WordPress, so it may be more important than ever to keep your site updated and locked-down. (*Ahem*)
PHP Hacked (Kind of)
There was a lot of news made about a couple of recent malicious commits to PHP’s internal Git server.
While there are still some questions about what exactly happened, the most important thing to realize is that no public versions of PHP were compromised. Additionally, the PHP folks are making some changes to their infrastructure to (hopefully) prevent something like this from happening again.
Apple had their “Spring Loaded” event this past week, and announced new and updated products.
This means that Apple now has a single processor that powers:
- A small, fanless, touchscreen computer
- A laptop (with or without a fan)
- A small, standalone desktop
- A large, 24-inch 4.5K desktop
And more importantly, it seems to do all of these things well – although we don’t really know about how it will function in the iMac yet.
Intel is clearly feeling the heat. Some slides from Intel released back in February attempt to poke holes in Apple’s new processors, but they fall a little flat. The slides cherry-pick some very questionable attributes and primarily use Intel’s own in-house benchmarks. For example, in one slide they claim that the M1 MacBook “failed” basic tasks like switching to a calendar in Outlook or starting a Zoom conference. I’ve been doing both of those on a regular basis with my M1 Mac Mini, and it’s worked fine.
Additionally, Apple released iOS and iPadOS 14.5 this week. The big feature of this update is probably the App Tracking Transparency features that will default to blocking companies from tracking you across apps and web sites. You can enable tracking, if you desire, but it is off by default. Other features include the ability to unlock your iPhone with an Apple Watch if you’re wearing a mask, support for the new AirTags, and updates to various Apple apps.
Some of the biggest news this month is the announcement and rollout of Google’s new tracking technology – FLoC (Federated Learning of Cohorts). I already talked about it in some depth (you can read it here), but one of the most interesting things to happen around FLoC is just how much pushback there has already been against it.
Several browsers that use the open-source (Google-supported) Chromium engine (Brave, Vivaldi, Opera, Edge) have said that they likely won’t support FLoC.
The biggest two non-Chromium browsers (Firefox and Safari) have also said they won’t support FLoC.
The privacy-focused search engine DuckDuckGo has said they will not support it on their site or their mobile browsers, and have even come up with a Chrome plugin to disable FLoC in Google Chrome.
WordPress may also include code in its codebase that would make websites default to not tracking or setting FLoC identifiers, although that code can be changed by individual site owners.
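The mechanism behind that kind of site-level opt-out is an HTTP response header: a site that sends `Permissions-Policy: interest-cohort=()` tells Chrome not to count visits to it when computing a visitor's cohort. The snippet below is an added example (not the post's code and not WordPress core's proposed implementation) showing how a site could send that header through the real `wp_headers` filter, while still letting a site owner remove it later. The function name `example_floc_opt_out_headers` is an assumption for this illustration.

```php
<?php
// Added example: send the FLoC opt-out header from a WordPress site.
// `interest-cohort=()` is the documented Permissions-Policy directive that
// excludes an origin from cohort calculation. The function name below is
// assumed for this illustration; `wp_headers` is a real WordPress core filter.

/**
 * Add the FLoC opt-out directive to an array of response headers.
 * Written as a pure function so it can be exercised outside WordPress.
 */
function example_floc_opt_out_headers(array $headers): array {
    $directive = 'interest-cohort=()';

    if (!empty($headers['Permissions-Policy'])) {
        // Merge with an existing policy instead of overwriting it,
        // unless an interest-cohort directive is already present.
        if (stripos($headers['Permissions-Policy'], 'interest-cohort') === false) {
            $headers['Permissions-Policy'] .= ', ' . $directive;
        }
    } else {
        $headers['Permissions-Policy'] = $directive;
    }

    return $headers;
}

if (function_exists('add_filter')) {
    // Inside WordPress: attach at the default priority (10) so a site owner
    // who wants cohort tracking can remove it from their own theme or plugin:
    //   remove_filter('wp_headers', 'example_floc_opt_out_headers');
    add_filter('wp_headers', 'example_floc_opt_out_headers');
} elseif (PHP_SAPI === 'cli') {
    // Stand-alone check when run with `php this_file.php` outside WordPress,
    // using constructed header arrays as input.
    $fresh = example_floc_opt_out_headers(['X-Frame-Options' => 'SAMEORIGIN']);
    echo 'No prior policy:   ', $fresh['Permissions-Policy'], PHP_EOL;

    $merged = example_floc_opt_out_headers(['Permissions-Policy' => 'geolocation=()']);
    echo 'Merged policy:     ', $merged['Permissions-Policy'], PHP_EOL;

    $kept = example_floc_opt_out_headers(['Permissions-Policy' => 'interest-cohort=(self)']);
    echo 'Existing directive: ', $kept['Permissions-Policy'], PHP_EOL;
}
```

The merge step matters in practice: a site that already sends a `Permissions-Policy` header for other features (geolocation, camera, etc.) would otherwise lose those directives, and a site owner who has deliberately set an `interest-cohort` value keeps it. You can confirm the header is actually reaching browsers with `curl -sI https://example.test/ | grep -i permissions-policy` (hostname assumed).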
Right now, it seems like the only browser moving forward with FLoC is Chrome, so if you want to avoid FLoC, try out another browser.
Here is a list of services that Google is killing this month.
- Google Play Movies & TV for smart TVs: Google says that purchased media will be available in the YouTube app. It’s worth noting, though, that new purchases made on YouTube don’t (yet?) support family sharing, and TV watchlists aren’t being transitioned. There are also reports that some content lacks HDR or surround-sound support that was present on Play Movies & TV.
- Google Shopping App: I don’t know anyone that uses this, but if you do, it’s going away. Its content can be found in the “Shopping” tab of Google search.
- Google Pay: This isn’t dead, yet, but Google is transitioning users from one service called Google Pay to a new service (with fewer features) called, you guessed it, Google Pay. If you want more information on what this may look like, this Ars Technica article covers it much better than I can.
The news for Android was actually mostly quiet for this month, but a couple of interesting stories caught my eye.
LG Calls it Quits
The saddest bit of news is that LG is officially getting out of the smartphone business. This isn’t exactly a surprise, since LG’s mobile division has had 6 straight years of losing money.
In the mid-2010s, LG created some very nice devices in partnership with Google, like the Nexus 4 and 5. However, the Nexus 5X (which had a widespread bootlooping issue) was my last use of an LG device. Since then, many of their phones have been poor copies of Samsung devices, or gimmicky phones without great long-term support.
It’s a shame to see any competition leave in the Android ecosystem, but this is not one that is really surprising.
Pixel 5 GPU
An interesting bit of news from the most recent Android security update – Google managed to improve GPU performance up to 50% for the Pixel 5 and Pixel 4a (5G) phones.
While this is definitely an impressive improvement, it merely brings these two phones in line with other Android devices using the same chipset (Snapdragon 765G). This really speaks to how poor the phone’s launch performance was.
A tweet from Anandtech’s Andrei Frumusanu really sums it up:
I can confirm that performance has been essentially doubled from the scores published there, and in line or better than other 765G phones. Tested on Pixel 5. The fact it took 6 months is sad though.
You can read how bad the original performance was in Anandtech’s initial Pixel 5 review.
At the beginning of this month, Microsoft announced that the Cortana app would no longer be available or supported on iOS and Android devices.
Cortana does still exist on Windows 10, though, and is present in many Microsoft applications, like Office 365.
Microsoft is also getting rid of Calibri as the default font for content in Microsoft apps (like Office), at some point in the future. It’s not clear exactly what Microsoft will replace Calibri with, though there are a few contenders.
You may remember the big Facebook breach of 2019. Well, if your data was involved in that breach, it’s now easily available in a publicly-accessible database released on a hacking forum earlier this month.
Despite the fact that this makes the information easier than ever to access, Facebook says it has no plans to notify users that their data is (once again) exposed. Thankfully, Troy Hunt, the owner of HaveIBeenPwned, has started incorporating that data into his brilliant website, so you can see if your information is out there.
Another Facebook leak this month involves connecting Facebook accounts to their registered email addresses, even when the user opts to remain private. The researcher who discovered this vulnerability noted that this is the second time that this technique has been effective against Facebook’s privacy restrictions.
It gets even better, though.
A leak of Facebook’s internal communications (when a Facebook employee accidentally emailed a journalist) gives a glimpse of how they plan to fix these problems in their software.
“Assuming press volume continues to decline, we’re not planning additional statements on this issue. Longer term, though, we expect more scraping incidents and think it’s important to both frame this as a broad industry issue and normalize the fact that this activity happens regularly.”
Internet of Things
Logitech’s Harmony line of remotes has officially been discontinued.
Logitech acquired Harmony back in 2004, and the internet-connected remotes have become one of the best things for people trying to control a wide variety of devices in their home. Not only can these remotes control TVs and stereo systems, but they can also be linked to a variety of other smart IoT devices, like lightbulbs and thermostats.
The (small) bright spot is that Logitech says that they will continue to support Harmony for the foreseeable future:
We plan to support our Harmony community and new Harmony customers, which includes access to our software and apps to set up and manage your remotes. We also plan to continue to update the platform and add devices to our Harmony database. Customer and warranty support will continue to be offered.
In reality, though, this starts a ticking clock. Harmony remotes use backend servers to do most of what they do, and eventually Logitech will turn them off. While I plan to use my Harmony remote as long as possible, if you’re looking at buying one now, make sure you get a good price!
If you’ve got a QNAP NAS device, hopefully it’s not connected to the public internet.
Several recently discovered vulnerabilities allow an intruder to take over your device, read (or delete) data, and get a toe-hold into your network. It looks like most of the most severe vulnerabilities have been fixed, so if you have a QNAP device, make sure you update immediately.
Two bits of legislation may significantly improve the sorry state of broadband internet in the US.
These would be great to have – ISPs are notorious for hiding fees, and upload speeds, that they don’t want consumers to know up front.
President Biden has also released his “wish list” of things that he would like to see happen to America’s internet infrastructure. This list includes things like support for municipal or non-profit ISPs, eliminating hidden fees in ISP pricing, and improving access and speeds (especially upload speed) for most Americans.
I think if there’s one thing that this pandemic has shown us, it’s that the internet is a requirement for day-to-day living in this society. It’s not just for Netflix and YouTube; high-speed internet is now an expectation for every family – it should be regulated as such.