July 2021 Tech Roundup

This month Microsoft seems to have their hair on fire again – this time one of the biggest vulnerabilities is not in some obscure program – it’s in the software drivers that let users print. And it’s not just a single vulnerability in the printer driver, either. Yikes.

Additionally, there was one (big) WordPress vulnerability, a ChromeOS “whoopsie”, Google Play Protect doesn’t do what it should, several Android apps stole Facebook login credentials, ISPs spend a lot of money on lobbying, and more!

WordPress

Even though only a couple of things happened this month in WordPress news, they were both quite big!

WooCommerce Vulnerability

A vulnerability was discovered earlier this month by a security researcher named Josh from DOS (Development Operations Security). The SQL vulnerability would allow unauthenticated malicious actors (essentially anyone browsing a website) to access arbitrary data in an online store’s site database.

WooCommerce responded incredibly quickly, releasing patched versions of WooCommerce the very next day.

Additionally, due to the severity of this vulnerability, many WooCommerce-enabled sites were updated automatically to the secure version. If you have (or manage) a WooCommerce site, make sure that you’re on the most recent version. The vulnerable versions of the WooCommerce plugin include 3.3 through 5.5.

You can find more information about the vulnerability and the patch on this WooCommerce blog entry.

WordPress 5.8

The second major WordPress release of 2021 – WordPress 5.8 Tatum – was rolled out this month.

It includes additions to the default Gutenberg editor to create more variety in page layouts, additional widgets and template features, a global theme.json file, removing support for Internet Explorer 11 (finally!), and more.

You can see the release notes here, or if you want to go more in-depth, the developer-friendly Field Notes are available here.

Microsoft’s PrintNightmare

It was another bad month for Microsoft. Earlier this year it was Exchange Servers, this time it was printing. That’s right – an attacker can take over a computer (or even a whole network) by exploiting vulnerabilities in printer drivers!

Due to some mistakes on the part of security researchers and Microsoft, it’s been difficult to keep track of exactly how many printer driver vulnerabilities there actually are in Windows. Ars Technica put together a good summary of the issue at the beginning of July, but additional vulnerabilities in the print spooler service forced them to write another article that recommended users disable the print spooler service entirely.

It goes without saying at this point, but make sure that you keep your Windows machines updated. This month’s security patches fixed 117 vulnerabilities in Windows with 9 of those being zero-days (and 4 of those being actively exploited in the wild).

Additionally, while this update broke scanning and printing functionality on some systems (because of course, it did), Microsoft released an additional patch earlier this week to try and get that working again.

As if to further pile on these printer problems, a 16-year-old bug was found in the driver software for HP, Xerox, and Samsung printers which would allow an attacker to increase their account privileges on a machine to take over a machine (or network). This vulnerability is located in the printer driver and is present even when these printers are not connected to the computer. You can find a complete listing of the infected printers here (be warned – it’s a long list)!

If you’re looking for some positive Microsoft news for this month, they have released a bit more information about the newest Windows 11 changes. While these do look nice, I hope that they’ve spent as much time fixing the code as they have with the new look!

Google

Chrome

Google Chrome’s security team continues their great work – they patched another actively exploited zero-day flaw this month. If you’re keeping count, that is 8 zero-days patched so far in 2021!

Additionally, a new feature coming down the pipeline looks like an HTTPS-only mode. I’ve written about the importance of using HTTPS even if you don’t deal with secure user data, and it’s nice to see Chrome offer this as an option. Firefox also offers this feature, and while it’s currently disabled by default on both browsers, hopefully, HTTPS will become the norm rather than the exception soon.

ChromeOS

ChromeOS had a bit of an issue late this month when an automatic ChromeOS update pushed a single-character typo to some users. The typo had the incredibly unfortunate side-effect of locking users out of their devices, essentially making them useless.

The update was pulled relatively quickly, but it’s unclear exactly how this typo made it all the way to production devices. ChromeOS has three pre-release channels: “canary”, “dev”, and “beta” that should catch an issue like this before it makes it to regular users.

If you’re affected, there are a few options available on Google’s Customer Care portal. Some involve power washing your system (which will delete any locally stored data) while you can also simply wait for a new update to be installed to your system.

Google Play Protect

Google Play Protect – the built-in malware detection system for Android devices – was put to the test by AV-TEST. And it did not do well.

According to the AV-TEST results, Google’s protection software score last out of the 15 Android security apps AV-TEST analyzed.

Five of the tested security apps (Bitdefender, G DATA, McAfee, NortonLifeLock, and Trend Micro) detected 100% of the malware samples that were given, while Play Protect managed only a 68.8% detection rate. Additionally, Play Protect incorrectly flagged 70 apps (out of 10,000) as malicious when they were actually harmless.

Bitdefender, G DATA, McAfee, NortonLifeLock, and Trend Micro. If you’re running Android, maybe you should use a second security app.

Android Apps Stealing Credentials

A collection of nine Android apps – with a combined download total of 5.8 million downloads – were caught stealing user’s Facebook login credentials.

The apps were fully functional apps that contained ads. Users had the option to download into Facebook to remove these in-app ads. However, the Facebook login screen, while real, would secretly steal your Facebook username and password and transfer that information to the attacker.

The infected apps include:

  • PIP Photo
  • Processing Photo
  • Rubbish Cleaner
  • Inwell Fitness
  • Horoscope Daily
  • App Lock Keep
  • LockIt Master
  • Horoscope Pi
  • App Lock Manager

The apps have been removed from the Google Play store. If you have installed any of these apps, make sure to remove them from your phone, check your Facebook account for any suspicious activity, and change your Facebook password!

Apple

A fix for a zero-day vulnerability that impacts iPhones, iPads, and Macs has been released this month. Since it appears that this vulnerability has been exploited in the wild, it’s recommended that all users update to either iOS 14.7.1, iPadOS 14.7.1, or macOS Big Sur 11.5.1.

Since the patch is out, it’s only a matter of time before more attackers reverse-engineer the nature of this vulnerability, and attacks (or attempted attacks) using this vulnerability are expected to increase. Make sure you update all your Apple devices ASAP!

ISP Lobbying

ISPs spent a lot of money lobbying Congress in 2019 and 2020.

According to a report by CommonCause, a watchdog group based in Washington, DC, here are what some of the top ISPs spent on lobbying over the past two years.

  • Comcast spent $43 million
  • AT&T spent $36.3 million
  • Verizon spent $24.8 million
  • Charter spent $24.4 million
  • The NCTA – a trade group for TV and broadband internet providers – spend $31.5 million
  • The CTIA – a trade group for wireless providers – spend $25.3 million

And with all this money, here’s what they got:

  • They killed the “Save the Internet” bill that would have prevented ISPs from slowing traffic, blocking services, or zero-rating (counting only specific apps toward a data cap). This
  • They killed the “Internet for All” act that would have required ISPs to invest in infrastructure build-outs, publicize broadband data prices, and eliminate laws preventing municipal broadband networks.
    • They also fought successfully against the RESILIENT Networks Act (which requires communication providers to coordinate in times of emergency) and the CONNECT at Home Act (prohibit ISPs from canceling service during and up to 180 days after the COVID-19 pandemic is over).
  • They fought (unsuccessfully) against the Broadband DATA Act, which will require the FCC to create more accurate maps of broadband availability around the county.

You can see a complete breakdown of the spending and more information about ISP lobbying in the full report.

Miscellaneous

QNAP

If the Western Digital fiasco taught us anything, it’s that all your devices that can touch (or be touched) by the internet need to have ongoing security updates.

If you’ve got a QNAP NAS device, a couple of significant vulnerabilities have been found and patched in the most recent version of the QNAP software. If you haven’t updated your QNAP device lately, make sure you do that ASAP!

NSO Group

It turns out that the world of private spyware is bigger than anyone suspected.

The NSO Group is an Israeli spyware vendor that claims to provide spyware to legitimate governments or government agencies to “investigate terrorism and crime” and that its software “leaves no trace whatsoever”.

A report by Amnesty International conducted an in-depth forensic analysis of NSO’s Pegasus spyware and found that both of these statements are highly suspect.

While the danger to the “average” user is relatively low – since these are highly-targeted attacks – the fact that the NSO may sell spyware to governments that use it to target journalists, activists, political opponents, or even high-ranking executives is troubling.