August 2020 Tech Roundup

Like the past few months, August had no shortage of stuff happening in the tech world. Lots of WordPress updates, some TikTok thoughts, and a new Android phone from Microsoft.

WordPress Security

Lots of WordPress plugins received patches this month!

Here’s the list of the major ones:

  • Discount Rules for WooCommerce WordPress plugin: This is an important one! This plugin is popular (over 30,000 installs), and losing control of a website that holds customers’ payment information is a blow to trust. According to a BleepingComputer report, it looks like about 17,000 sites are still exposed as of this writing. If you have this plugin, make sure you’re at version 2.1.0 or later.
  • Divi, Divi Builder, and Extra Themes: All created by Elegant Themes. Divi and Extra are extremely popular custom-theme plugins installed on about a quarter-million sites. Patching this vulnerability is critical, since it can lead to an attacker executing code remotely on your server.
  • Newsletter Plugin: This vulnerability was discovered in mid-July and potentially impacts the 300,000+ sites that have this plugin installed.
  • Quiz and Survey Master (QSM): A vulnerability in this plugin would allow unauthenticated attackers (meaning anyone) to upload files to your site. These files could be used to achieve remote code execution or delete important files, which could take a site offline. This is obviously a serious vulnerability, and anyone using this plugin should update to version 7.0.1 or later immediately.
  • Official Facebook Chat Plugin: A vulnerability in this plugin would let any authenticated user connect their Facebook Messenger account to a vulnerable site and chat with visitors, masquerading as the actual business. Obviously, this would open up lots of dangers for social engineering and reputation damage. Upgrade to 1.6 or later for a fix for this issue.
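
An added example (not from the original post): one way to check a site's plugin inventory against the fixed versions named in the list above, reading the JSON printed by WP-CLI's `wp plugin list --format=json`. The plugin slugs and the sample inventory are assumptions constructed for illustration; Divi and Newsletter are left out because the post gives no fixed version for them.

```python
import json

# Minimum fixed versions as stated in the list above. The slugs are assumptions
# (the post gives display names only); confirm them against the "name" column
# of your own `wp plugin list` output.
MIN_FIXED = {
    "woo-discount-rules": "2.1.0",               # Discount Rules for WooCommerce
    "quiz-master-next": "7.0.1",                 # Quiz and Survey Master
    "facebook-messenger-customer-chat": "1.6",   # Official Facebook Chat Plugin
}

def parse_version(text):
    """'7.0.1' -> (7, 0, 1). Compared numerically, so 1.10 is newer than 1.6.
    Pre-release suffixes such as '-beta' are ignored."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) > 1 and parts[-1] == 0:   # treat 1.6 and 1.6.0 as equal
        parts.pop()
    return tuple(parts)

def outdated_plugins(wp_plugin_list_json):
    """Return (slug, installed, fixed, status) for every listed plugin that is
    older than its fixed version. Inactive plugins are reported too, because
    their files are still present on the server."""
    findings = []
    for plugin in json.loads(wp_plugin_list_json):
        fixed = MIN_FIXED.get(plugin.get("name"))
        if fixed is None:
            continue
        installed = plugin.get("version") or "0"
        if parse_version(installed) < parse_version(fixed):
            findings.append((plugin["name"], installed, fixed,
                             plugin.get("status", "unknown")))
    return findings

# Constructed sample inventory in the shape WP-CLI emits.
SAMPLE = json.dumps([
    {"name": "woo-discount-rules", "status": "active", "version": "2.0.2"},
    {"name": "quiz-master-next", "status": "inactive", "version": "7.0.1"},
    {"name": "facebook-messenger-customer-chat", "status": "active", "version": "1.10"},
    {"name": "example-other-plugin", "status": "active", "version": "0.1"},
])

if __name__ == "__main__":
    for slug, installed, fixed, status in outdated_plugins(SAMPLE):
        print(f"{slug} ({status}): {installed} is older than fixed version {fixed}")
```
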

As always, if you’ve got a website (and you should) it’s more important than ever that you keep it up-to-date. If you need help or have any questions, feel free to contact me!

Malware News

Canon

You’ve probably heard that Canon suffered a major security and data “event” in late July and early August.

Canon initially denied that this was a ransomware attack and claimed “no leak of internal data”. However, it turns out this wasn’t the case.

While Canon was able to get most of their systems back up to speed after a few days, a cybercriminal group called Maze has begun to release data they claim was stolen from Canon. This most likely means that Canon had backups and did not pay the ransom.

Maze claimed to have stolen 10 terabytes of data, and the initial release was about 5% of that total.

Curiously, Canon also suffered an outage on their image hosting subdomain image.canon at the same time as the ransomware attack. Canon users get 10 GB of free data storage, and apparently some users lost original images and videos.

However, this outage doesn’t appear to be connected to the Maze attack. Still, it’s a good reminder that if you have valuable data, you should make sure you have redundant backups.

Microsoft Windows Update

If you’ve been putting off Windows updates since (or before) August 11, you should get those done ASAP.

The August Patch Tuesday fixed 120(!) vulnerabilities in Windows, including two major issues that are currently under active attack.

One of these two allows an attacker to bypass digital authentication checks, allowing users to unwittingly install malware without any sort of warning from any installed antivirus software.

The second actively-attacked vulnerability involves the ability of malicious websites to automatically install malware when a user visits a site using the Internet Explorer browsing engine. While most users (thankfully) aren’t using IE anymore, it’s worth noting that other applications (like Microsoft Word) can also use the IE browsing engine with certain content. This is a very important patch to install.

The good news is that it doesn’t appear that this month’s patch has caused any strange or unintended issues, so you should be safe to install it and get these vulnerabilities fixed without worry.

Smartphone News

Qualcomm Vulnerability

Some bad news for almost 100% of the Android phones in use today – Qualcomm processors have a vulnerability in their DSP chip which could allow attackers to spy on your phone, create permanent malware, or take control of your phone.

The DSP (Digital Signal Processing) chips are used by modern smartphones (and other devices like televisions) for audio and image processing. The vulnerability exists on chips made by Qualcomm, which power almost every single Android device currently released, including devices by Samsung, Google, OnePlus, LG, Xiaomi, and more.

The good news is that Qualcomm has already patched the security vulnerabilities present in the DSP chips. The bad news, if you’ve followed anything Android-related, is obvious. Some phones will be patched immediately, but some users will wait months for patches to be issued. A sizable portion of the vulnerable devices will never be patched.

This is why the shoddy support of Android (by some vendors) may be one of the biggest modern security issues today.

TikTok Security Threat

There have been lots of accusations thrown around about TikTok being a security threat and being banned (or bought out). The issue is, of course, quite nuanced and I’ve seen a lot of silly claims being thrown out.

Here’s my take on it:

Some are claiming that the TikTok app is dangerous, but there’s no evidence of this. While TikTok is certainly doing some questionable things (like their clipboard scraping), these things are being done by American-owned companies too.

There’s no evidence that the TikTok app, either on iOS or Android, is stealing your email or other information, outside of what is allowed by the operating system.

The best evidence comes from the fact that TikTok is still present in both Apple’s and Google’s app stores. If the security professionals at either of these companies had any sort of idea that TikTok was circumventing OS-level protections, I don’t think they would waste any time in banning the app. This is especially true of Apple, which has made consumer security and privacy a core issue of the iPhone feature set.

The biggest danger from TikTok doesn’t come from the app, but from the control that TikTok has over its users’ attention.

Surface Duo

Microsoft’s first Android phone – the Surface Duo – has certainly made quite an entrance.

This phone has dual 5.6-inch screens joined by a 360-degree hinge, a single camera, a (small) 3,577 mAh battery, Surface pen support, and a big price tag of $1,400 for the 128GB storage version.

This certainly is a very unique take on a phone that can transform into a tablet-like device, and it will be interesting to see how it works in the real world. Preorders are open now and it’s set to ship on September 10.