This was a busy month in tech news. Here’s what I’m covering this month:
- Four separate (and major) WordPress plugin vulnerabilities
- Two reasons to make sure you apply February’s Windows 10 patches
- Is Apple giving higher performance to its lowest-priced computers?
- Lots of Google/Android news – some good (Chrome) some bad (SHAREit, iOS apps)
- Samsung supports Android even more than Google
- A clever new way for websites to track users that is currently unblockable
- Update your Adobe apps!
Depending on how you look at it, this was either a very good or very bad month for WordPress security.
- Contact Form 7 Style: Note, this is not the same plugin as Contact Form 7. This is a separate plugin with a smaller user base. Unlike many of the vulnerabilities I mention, this one doesn’t have a “happy” ending. The plugin author was notified about vulnerabilities in their plugin in early December of 2020. The plugin was removed from the WordPress repository after the developers failed to respond to these notifications. If you have this plugin on your site, you should remove it immediately.
- Responsive Menu: A plugin designed to help users create custom menus, with over 100,000 installations. Three different vulnerabilities provided ways for attackers to upload arbitrary files to your web server. These could lead to remote code execution and a site takeover. A patch was released on January 19 (version 4.0.4) that removed these vulnerabilities. Make sure you’re running at least that version to protect your site.
- NextGen Gallery: A plugin used to create stylized image galleries, with over 800,000 installations. Two vulnerabilities were discovered, both of which would allow remote code execution on the compromised site and a site takeover. A patch was released on December 17 that closed these vulnerabilities, but as of this writing over 500,000 sites were still vulnerable. The patched version is 3.5.0, so make sure you’re at least at that version.
- Ninja Forms: A very popular plugin for creating forms, this plugin has over 1 million installations. Four separate vulnerabilities were discovered in this plugin in late January, and Ninja Forms patched all four on February 8. All four of these vulnerabilities could potentially lead to a site takeover (although not all four are equally easy to exploit), so it’s important to make sure you’ve updated to the patched version (3.4.34) immediately.
Like I seem to say every month or two, there are only two ways to run a “safe” WordPress site. Either you shouldn’t use any plugins, or you must be very selective about the plugins you do install and keep them up-to-date. Anything less is inviting a site takeover (or worse).
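If you manage more than one site, a quick way to act on the four advisories above is to feed the output of `wp plugin list --format=json` into a small checker. This is an added example (my own, not code from the WordPress project or any of the plugin authors); the minimum versions are the patched releases named above, the plugin slugs are assumed to be the WordPress.org directory slugs, and the installed versions in the sample are constructed.

```python
"""Flag plugins from this month's advisories that are missing or below the
patched version. Pipe `wp plugin list --format=json` into it, or run it as-is
to see the constructed sample below."""
import json
import sys

# Patched versions from the advisories. Slugs assumed to match WordPress.org.
MIN_SAFE = {
    "responsive-menu": "4.0.4",
    "nextgen-gallery": "3.5.0",
    "ninja-forms": "3.4.34",
}
# Pulled from the repository with no fix: the only safe action is removal.
REMOVE = {"contact-form-7-style"}

def parse_version(v):
    """Turn '3.4.34' into (3, 4, 34); non-numeric parts count as 0."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def version_lt(a, b):
    """True if a is older than b, padding shorter versions with zeros."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))

def audit_plugins(wp_json):
    """Return (slug, installed_version, action) for every affected plugin."""
    findings = []
    for plugin in json.loads(wp_json):
        slug, version = plugin["name"], plugin["version"]
        if slug in REMOVE:
            findings.append((slug, version, "remove: no patch available"))
        elif slug in MIN_SAFE and version_lt(version, MIN_SAFE[slug]):
            findings.append((slug, version, f"update to >= {MIN_SAFE[slug]}"))
    return findings

# Constructed sample in the shape WP-CLI emits; not data from a real site.
SAMPLE = json.dumps([
    {"name": "ninja-forms", "status": "active", "update": "available", "version": "3.4.33"},
    {"name": "nextgen-gallery", "status": "active", "update": "none", "version": "3.5.0"},
    {"name": "responsive-menu", "status": "inactive", "update": "available", "version": "4.0.3"},
    {"name": "contact-form-7-style", "status": "active", "update": "none", "version": "3.1.9"},
])

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for slug, version, action in audit_plugins(data):
        print(f"{slug} {version}: {action}")
```

An inactive plugin is still flagged on purpose: a vulnerable file on disk can still be reached directly, so deactivating is not a substitute for updating or deleting.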
If you need help managing your WordPress site, want a new (or redesigned) site, or just have some questions, please get in touch with me. I have WordPress maintenance plans designed to keep your site safe and secure, and I’m happy to answer any questions you may have!
Make sure you install Microsoft’s most recent security patches that were released this past Patch Tuesday (February 9), since they fixed a couple of vulnerabilities.
The first (and more concerning) vulnerability has been seen in the wild since mid-2020. The attacks using this vulnerability (which exploits the win32k.sys core kernel component) appear to primarily be targeting devices in the Middle East. This attack does require the attacker to have a foothold on the targeted machine, but this can be obtained either by physical presence or (more likely) by an initial phishing email that infects the target.
The second vulnerability is actually a vulnerability in Windows Defender – which is the built-in antivirus/malware detector software in Windows 10. Fortunately, it looks like this exploit hasn’t been used in the wild, but now that it has been disclosed (by Microsoft fixing it), you can expect to see attackers attempt to exploit it on unpatched Win10 machines.
If you haven’t heard, Apple recently released some new computers with their own in-house processors, rather than the Intel chips they’ve used since 2006.
These new processors are quite impressive in a lot of ways, both in terms of performance and power consumption. They aren’t perfect, and there are some very specific things that they won’t do (like run Windows via Bootcamp), but in a lot of ways they are incredible computers.
Just to be clear, Apple is not in the habit of putting the highest performance computers in the lowest price tier. But for a lot of use cases, that is exactly what has happened.
I recently traded in a 2018 Mac Mini for a 2021 M1 Mac Mini, and the M1 Mini was about $200 cheaper. It’s also quieter, cooler, and faster for lots of things. I haven’t personally used it, but the M1 MacBook Air has the same processor as my Mini, with similar performance and much longer battery life than the previous Intel MacBook Air.
All I can say is that if you’re looking for a new Apple computer, the lowest-price computers outshine Intel for a lot of users.
Google (and Android)
SHAREit app vulnerability
The SHAREit app is an incredibly popular app in Google’s Play Store, but several security flaws could be used to either view user’s personal data or execute code on an Android device with SHAREit’s permissions. Since SHAREit is a file-sharing app, it has permissions to access user storage, photos, camera, microphone, delete files, and more.
Fortunately this vulnerability appears to be an oversight, since SHAREit was patched a few days after this vulnerability was reported in the media. If you have this installed on an Android device, make sure you update to the most recent version.
While Google Stadia is active (for now), some grim news appears to be on the horizon, since Google shut down its in-house game studio (Stadia Games and Entertainment).
This shutdown was a surprise to the developers in the studio, according to this report by Kotaku. In the report, Stadia’s leadership sent an email a week before the studio shutdown praising the Stadia developers and looking forward to 2021, all while knowing a shutdown was looming.
It’s a pretty bad look for the culture at Google, and doesn’t inspire confidence in their products and services.
iOS Apps Not Updated for Months
An interesting thing has been going on with Google’s iOS apps for the past couple of months.
When iOS 14 was released last year, Apple promised several privacy and data-protection features would be forthcoming.
One of those features was app “Privacy Nutrition Labels” in App Store listings. These listings show all information collected, used, and shared by the app. These labels were required for all app updates starting on December 8, 2020.
Coincidentally, Google apps (including incredibly popular ones like GMail, Drive, Maps, Photos, etc.) have not been updated since December 7th.
It’s not because there’s nothing new, either. Since December 8th, Google apps on Android have received between 3 (Home) and 27 (Search) updates. iOS apps have received zero. You can see a chart at the bottom of this Ars Technica post.
Again, not a great look for Google.
Chrome 0-Day Patched
One place where Google is doing well, however, is in keeping its Chrome browser secure and up-to-date.
An actively-exploited zero-day vulnerability was found in the Chrome browser in late January, and it was patched a little over a week later, on February 4th. Hopefully you’re letting Chrome do its auto-update dance every week or so, but if you haven’t lately, make sure you give it a chance to update today!
When I was a die-hard Android user, there was only one phone that pulled me away from the Nexus phones.
That phone was Samsung’s Galaxy Note 3. It certainly had some faults, but I loved that phone.
While Samsung has certainly had issues over the past few years (Galaxy Note 7 battery issues, slow or nonexistent updates, a bloated UI), it looks like they are making some concerted efforts to turn things around.
A recent press release from Samsung indicated that they will provide 3 years of OS updates and 4 years of security updates. Google currently only offers three years of both OS and security updates for its Pixel line of phones.
In addition, the famously thorough device reviewer Anandtech has given Samsung’s newest flagship phones (the Galaxy S21, the Galaxy S21+ and the Galaxy S21 Ultra) a very positive review. Released last month, these phones all feature improvements over their predecessors, and a $200 price drop for US customers.
In recent years there has been a push from consumers and certain tech companies to reduce the ability of websites to track users across the internet.
Such measures include using incognito mode, anti-tracking browser extensions, and rejecting 3rd-party cookies (or deleting them).
However, researchers from the University of Chicago have shown an ingenious way that a website can track its visitors – browser favicons. The favicon is a small icon that appears next to the website’s name in browser tabs or lists of bookmarks. If you’re curious about the specifics, check out the research paper itself.
It’s incredibly clever, and right now it works on Chrome, Safari, and Edge browsers. It should work on Firefox, but apparently a Firefox bug prevents it from working as intended. I imagine that most browsers will take steps to reduce (or eliminate) its effectiveness soon.
If you’re using Adobe products, make sure you’ve updated them recently.
Security updates released for Adobe products in early February fixed 50 vulnerabilities in 7 of Adobe’s popular programs. Affected programs include Adobe Reader, Acrobat, Dreamweaver, Photoshop, Illustrator, Animate, and Magento.
One particularly nasty vulnerability that was fixed addressed a bug in Adobe Reader that would allow a malicious website to remotely execute code on a visitor’s computer. This code could cause almost anything to happen – from installing malicious programs to taking over your computer.