June 2020 Tech Round-Up

A very busy month!

WordPress attacks are on the rise, and there are several newly-discovered software vulnerabilities to be aware of. There’s also an announcement about Android vulnerabilities, a phone camera comparison, and Apple’s WWDC Conference had some pretty big announcements!

WordPress

Even More Attacks Than May

Like I mentioned in my tech round-up from last month, there have been a lot of attacks on WordPress in the past few weeks.

It looks like June has been no different, with over 1 million new sites targeted this month. Many of these are using XSS vulnerabilities in old and out-of-date plugins.

As always, keep your WordPress site (and its themes and plugins) up-to-date! If you need help, I can do that for you.

PageLayer Plugin Vulnerability

Another website builder plugin has a vulnerability that allows any logged-in WordPress user to inject malicious code into the pages of a site.

There is a patch for the PageLayer plugin that closes this vulnerability. If you have this plugin, make sure to update right away.

Security

Chrome Extensions Siphon Data

I mentioned the dangers of Chrome extensions back in my February tech round-up article.

Back then it was a security researcher and Google working together to remove dozens of misbehaving Chrome Store extensions with 1.7 million (combined) downloads. In the game of security whack-a-mole, though, that was just a drop in the bucket.

Earlier this month researchers from the security firm Awake reported to Google that 111 extensions (with more than 33 million combined downloads) were siphoning various data (screenshots, keystrokes, browser cookies, and clipboard contents) from unsuspecting users.

You can read the full report from Awake Security here. It’s long and detailed, but flip to page 4 for great summary.

As usual, Google has removed the extensions from the Chrome Web Store, but this is another reminder to not install extensions you don’t need.

Plex Bugs Allows System Takeover

Plex is a wonderful home-media server application that allows you to host your own Netflix. I’ve been using it for years to access all of our DVDs on our Roku, and one of these days I’ll probably get around to writing a bit about it.

However, if you’re running Plex Server on a Windows machine, make sure it’s up-to-date.

It was announced earlier this month that a string of vulnerabilities in the Plex Media Server code could be chained together to allow a full system takeover or move to other devices on the same network.

An update does fix this vulnerability chain, so make sure you update your Windows Plex Server now!

Clever Spam Evades Filtering

A new wave of (almost) perfectly-crafted spam email claiming to originate from Bank of America made it past spam filters this month.

You can read a little bit about what made it unique and how to spot it on BleepingComputer.com.

As always, if you receive any email from a bank or service that asks you to do something, do not click any links in the email. Instead, navigate to the website by putting it’s address in your browser (or searching Google).

UPnP

UPnP – or Universal Plug and Play – is a protocol developed to allow network devices to easily connect and communicate with each other.

This protocol is the computer equivalent of leaving your front door unlocked, though, and so it was only intended to be used on local networks (like inside your house) and never exposed on the public Internet.

Unfortunately, some very popular hardware and software (Windows 10, some HP printers and Samsung TVs, XBox One (OS version 10.0.19041.2494)) used an incorrect implementation of UPnP. The recently-announced Callstranger exploit takes advantadge of this error to allow takeover of your devices.

In general, you should always keep UPnP disabled on your router.

Windows Health Dashboard

It’s gotten more and more difficult to keep up with Windows 10 updates – not only which one is the current Windows 10 version, but which are “safe” and which ones may cause your computer to not be able to print (really).

The Windows Health Dashboard shows the known issues and resolved issues for the 8 most recent versions of Windows (including Windows 7, 8, Server, etc.), with another drop-down to see even older updates.

This is a good place to check before updating your Windows 10 computer.

Privacy

Chrome To Eliminate Web Addresses?

I don’t know why Google keeps messing with Chrome, but they may be getting rid of the ability for users to see the address of the current web page in a future version of Chrome.

A new feature uncovered in the Developer and Canary builds of Chrome reveals an option called “Omnibox UI Hide Steady-State URL Path, Query, and Ref” would hide everything in the address bar except the current domain.

While this would help Google’s AMP pages (3rd-party content hosted on Google’s servers), it seems like a regression for everyone else. Google’s Chrome Browser on Android does already modify AMP URLs to disguise the fact they are Google-hosted.

Maybe now is a good time to move off Chrome.

Mobile

(More) Android Vulnerabilities Patched

If you’ve got an Android phone and you’re lucky enough to get Google’s June Security patch, make sure you install it ASAP.

This patch closes several vulnerabilities in the Android System that are ranked “Critical”. Critical is the highest (and most dangerous) type of vulnerability, so these should be taken seriously.

According to an advisory from the US Department of Homeland Security:

Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of a privileged process. These vulnerabilities could be exploited through multiple methods such as email, web browsing, and MMS when processing media files. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

So, yeah, update. If you have an Android phone that doesn’t get these security patches, you really need a new phone.

WWDC 2020

Apple held their yearly developer’s conference virtually this year, but it appears that the pandemic hasn’t really slowed their development for iOS, iPadOS, and MacOS.

Here are the biggest announcements:

iOS 14: Lots of improvements to Messages and Maps, along with a new (offline) Translate app. The home screen also now has widgets and a feature called App Library, and picture-in-picture is supported system-wide for videos. A new App Store feature called App Slices allows users to use a certain feature of an app without needing to download the entire app (like Android Slices), and certain cars will able to be unlocked and started with an iPhone. Also, phone calls no longer take up the entire screen!

iPadOS: Several Apple apps now have a sidebar for easier navigation, and iPadOS search has been redesigned to take up less screen space and be more useful. The Apple Pencil will also get more support with a Scribble feature that allows the OS to read handwritten text that is used in any text field.

WatchOS: The new Fitness app (previously Workouts) has additional features and workouts to track. The foundations for sleep tracking are present, with a Sleep Mode to track duration and movement during sleep, and a Wind Down feature to improve the quality of sleep. There are also improvements to complications, the ability to share watch faces, and hand-washing tracking.

MacOS: After almost 20 years, MacOS is moving to version 11, with the name Big Sur. This update will have a new interface (with some things looking more iPad-like, like the Control Center), and Messages and Maps will be more iOS-like in features and appearance. Safari will also get lots of privacy enhancements to reduce (or at least show) the amount of tracking that sites are doing.

Apple Silicon: Maybe the biggest story is that Macs are moving away from Intel chips. Intel has had a rough few years, with numerous security issues in chip architecture, improvements by AMD that overshadow many of Intel’s PC chips, and since last year Apple’s mobile chips are faster (in some tasks) than Intel’s desktop chips. It still remains to be seen what Apple’s in-house chips can do. The first systems with these chips are said to be out this year.

Mobile Cameras Head-to-Head

Anandtech.com is one of my favorite tech sites. It gets down into the weeds in a way that few sites do.

If you’re in the market for a new phone (like, if you have an old Android phone) you’ll likely appreciate their mobile phone camera shootout.

The took some of the most popular smart phones (and some that I’ve never heard of) and compared their still photos to a high-end mirrorless camera (Fujifilm X-T30) to see which phones can really duplicate the results from a high-end camera.

They compared the following phones:

  • iPhone 11 Pro
  • iPhone SE
  • Samsung Galaxy S20+
  • Samsung Galaxy S20 Ultra
  • Google Pixel 4
  • OnePlus 8
  • OnePlus 8 Pro
  • Huawei Mate 30 Pro
  • Huawei Mate P40 Pro
  • LG V60 ThinQ
  • Xiaomi Mi 10 Pro
  • Oppo Reno3 Pro
  • Oppo Reno3 Pro 5G

Like all of Anandtech’s articles, it is thorough. They cover HDR, low-light, wide-angle vs. macro secondary lenses. It’s a really great resource if you’re looking for the ultimate in still-camera comparisons.

Read the whole thing here.