March was quite an active month, technology-wise.
Microsoft has two huge problems on its hands – an Exchange vulnerability (that they knew about) led to the compromise of thousands of email servers and a Windows update causes major printer headaches.
A WordPress plugin (with millions of installations) has a major cross-site scripting vulnerability.
Google finishes off its VR business and finally updates iOS apps. It also is target of a class-action lawsuit involving Chrome’s incognito more.
The FCC wants to hear how bad your internet is, and AT&T whines about not being able to be anti-competitive.
- Microsoft Exchange Hack
- Microsoft Windows 10 Printing
- Google Chrome, VR, and iOS apps
- Firefox 78 Privacy Features
- Apple’s Class-Action Lawsuit
- FCC Wants to Know About Your Internet
- AT&T Wishes It Could Discriminate (Data) More
- T-Mobile Will Sell Your Data in April (Unless You Say No)
There were a few critical security vulnerabilities discovered in WordPress plugins this month, including a 0-day vulnerability and a major vulnerability in Elementor – a site builder with over 7 million installations.
One other bit of WordPress-related news, WordPress is planning on dropping support for Internet Explorer 11. If you’re using IE 11, you really shouldn’t be, since even Microsoft doesn’t think Internet Explorer is a web browser.
Here are the major plugin vulnerabilities for this month:
- Elementor: With over 7 million installations, this cross-site scripting vulnerability is a major issue. The vulnerability would allow any user with access to the Elementor interface to inject code that could be run with increased permissions when viewed by an administrator. Make sure you’re running version 3.1.4 or later for the patch.
- The Plus Addon for Elementor: This is an add-on for the above-mentioned Elementor plugin, and it had a major 0-day vulnerability discovered this month. Remember that a 0-day is an exploit that is active in the wild when it’s discovered. As such, it’s imperative to update immediately. The vulnerability allows unauthenticated users to create new administrator accounts and login as already-created administrators. The patched version is 4.1.7 – update now!
- WooCommerce Upload Files: Another 0-day discovered this month (note: this is not the main WooCommerce plugin, this is a separate add-on). This vulnerability would allow an attacker to upload a malicious PHP file to a website, which could allow site takeover (and could potentially impact different websites on the same server). Since this plugin is used on WooCommerce sites, this could expose lots of sensitive user information. The patched version is 59.4.
- Tutor LMS: Tutor LMS is a plugin designed to make it easy for site owners to create and sell plugins, and is installed on about 20,000 WordPress sites.. Several different vulnerabilities in this plugin allowed attackers a wide range of openings. From stealing sensitive information from the site’s database (like confidential information or user login credentials) to modifying course settings. If you’re using this plugin, make sure you update to 1.8.3 as soon as possible.
Like I say every month, one of the most important things to do for your WordPress site is to keep it up-to-date. If your business has a website (and you should), then it needs to be secure, which means it needs to be up-to-date.
To say it’s been a rough month for Microsoft would be a massive understatement.
It all started in December 2020, when two vulnerabilities (named ProxyLogon) were found that enabled an attacker to bypass authentication and break into an Exchange email server. If that wasn’t bad enough, attackers could also execute any code on that machine (essentially taking over the entire server).
The vulnerability’s reach was also massive – it was present in version of Exchange going back over a decade: Microsoft Exchange Server 2010, 2013, 2016, and 2019 were all vulnerable. According to Microsoft, there were at least 400,000 servers vulnerable to this exploit chain.
On January 5, 2021, the researcher reported these vulnerabilities to Microsoft, who acknowledged that the vulnerabilities were severe and did what the researcher claimed.
Around the same time (late January/early February), two additional, unrelated researchers found the same vulnerability chain and reported its active use in the wild to Microsoft. At this point, Microsoft knows of a massive vulnerability in Exchange emails servers that not only endangers email, but also could lead to server takeover.
And Microsoft did nothing.
It wasn’t until February 18 when Microsoft told the original security researcher that the patch would be released in two weeks – on March 9. This is over two months after the initial reporting – all while knowing this vulnerability was under active attack in the wild.
Once word got out (somehow) that Microsoft would be patching this vulnerability, the attackers (who were being cautious and discrete before) threw open the doors and essentially attempted to break into every vulnerable Exchange server before the patch was released.
This caused Microsoft to release the patch a week earlier than intended, but many servers that were not immediately updated were likely compromised. It wasn’t just emails that were stolen, either. Many attacks left behind “web shells” – applications that allow an attacker to remotely control the server whenever they desire – so these servers may be compromised without the users being aware.
Right now at least 10 nation-state-based hacking groups are using this exploit to compromise Exchange servers from around the world.
Even more troubling, as of mid-March (or two weeks since Microsoft released the Exchange patches) it looked like there were between 80-100 thousand Exchange servers that had not been patched. It’s safe to say that many or all of these servers are likely compromised.
When you consider the amount of sensitive information that was likely stolen, and the fact that attackers may have permanent access on some servers, the fallout from this will likely not be known for a long time.
Fun with (Windows) Updates
As if that wasn’t enough for Microsoft, one of the patches released during the March 9 Patch Tuesday caused Windows 10 to crash when printing.
The good news is that Microsoft released a patch to fix this problem on March 15, although it looks like there are still some other issues with printing from Windows 10 (and Windows 8 and 7).
I’m not sure what Microsoft is doing these days, but they either need to do it better or do something very different.
Google fixed two actively exploited 0-days in its Chrome browser this month, as well as a wide selection of other security vulnerabilities. As always, if you haven’t let Chrome restart and automatically update itself, now is a good time to do that!
In other Chrome news, an interesting class-action lawsuit involving Chrome browser and its Incognito private-browsing mode was given the green light to proceed this month. The lawsuit claims Chrome’s Incognito mode should also stop Google’s server-side tracking, since Google claims that users can avoid Google tracking by engaging this feature. Although Chrome does have a short explainer on an Incognito browser window that explains what the mode does (and doesn’t) do, that was not enough of a reason for the judge to dismiss the case.
More Google Hardware Bites the Dust
Google’s first foray into VR – Google Cardboard – is dead. Although, thankfully they have open-sourced the project, so it may live on.
This was Google’s first attempt at VR, and it was a surprise hit when it was unveiled at Android I/O in 2015.
Fittingly, it was also the last of Google’s VR products.
iOS Apps (Finally) Updated
Like I mentioned last month, Google’s iOS apps went a long time without an update, starting right around the time Apple required apps to apply “Privacy Labels” on their app store listings.
Well, the good news is that drought has ended, and several of Google’s apps have been recently updated.
The bad news is that as bad as you thought the tracking would be for Google’s apps, it’s probably worse.
DuckDuckGo – a privacy-focused search engine – wasted no time in pointing out just how much information Google has and shares:
After months of stalling, Google finally revealed how much personal data they collect in Chrome and the Google app. No wonder they wanted to hide it.— DuckDuckGo (@DuckDuckGo) March 15, 2021
Spying on users has nothing to do with building a great web browser or search engine. We would know (our app is both in one). pic.twitter.com/lJBbLTjMuu
A new version of Firefox (one of my favorite browsers) was released this month, and it has a few notable enhancements for privacy-conscious browsers.
A new feature called SmartBlock not only blocks 3rd-party tracking scripts (which Firefox has done for a while), but it also provides dummy tracking scripts to try and correct website errors which may have happened due to script blocking.
Additionally, a stricter default Referrer Policy when navigating across different domains. For example, when you enter a search into Google, you can see in the address bar:
If you clicked on a link from that search results page, that website may be able to see your entire referrer header (which would include the search terms you used in Google). The new, stricter referrer policy would simply include the base URL (without the search terms), so the website you click would only see:
It’s not just Google that got some bad legal news this month.
A judge has also allowed a class-action lawsuit to go forward against Apple, regarding the infamous “butterfly keyboards” that were on MacBooks from 2016-2019.
There were lots of problems with these keyboards, and it’s good that Apple moved away from them, but not quite fast enough, it seems.
FCC Wants to Hear About Crappy Internet
After years of inaction, the FCC is finally starting the process to figure out just how bad America’s broadband access and infrastructure are.
To that end, an announcement by the FCC earlier this month requests that consumers let them know what sort of internet-access challenges they have faced over the years.
Anyone who wants to share their broadband experiences can use this form to share it with the FCC. The FCC is hoping to use this information and these entries to find underserved areas and find out about broadband availability and quality in areas that do have access.
AT&T Wants to Be Anticompetitive (Again)
A new California law bans selective “zero-rating” of data from specific apps in a category. In this case, AT&T exempted HBO Max video from its mobile data caps, but not other video services (Netflix, Disney+, etc). So AT&T could exempt all video services from the data cap if they wanted to (that’s how T-Mobile handles this).
It’s worth noting that AT&T owns HBO Max.
T-Mobile Will Sell Your Data (Unless You Say No)
If you use T-Mobile, they are getting ready to sell your web-browsing, installed apps, and device usage data to 3rd-party advertisers, unless you manually opt-out.
T-Mobile says that the data will be anonymous, using an “Advertising ID” instead of a customer name, but since those IDs are tied to an individual device, it likely would not be too difficult to de-obfuscate that information and tie it to an individual consumer.
The date for this data sale is April 26, 2021, so make sure you opt-out if this isn’t something you want.
You can find instructions to opt-out here. Look under the first “Here’s What You Can Do” section.