This month brought some risky vulnerabilities in both mobile operating systems, more bad news for Stadia users and for Facebook, WiFi vulnerabilities impacting literally everything, the dangers of selling on Amazon, some interesting information about ISPs and the repeal of Net Neutrality, and more!
This month WordPress released a security patch for a small (but potentially dangerous) vulnerability in PHPMailer, the default component most WordPress installations use to send mail.
According to this thorough breakdown on WordFence, the vulnerability wasn’t easily exploitable: several things would need to go wrong on your site at once for it to be exploited. However, it is now a known vulnerability, which means attackers will start looking for more effective ways to leverage it against out-of-date sites. If you have a WordPress site, make sure it’s updated!
As usual, there were also several plugin vulnerabilities disclosed. If you are running any of these on your WordPress site, make sure to update them!
- External Media: Although the user base for this plugin is relatively small (only around 8,000 sites), this is probably the most dangerous vulnerability patched this month. It allowed any authenticated user (even a subscriber-level account) to upload arbitrary files to a site running the plugin, and since an uploaded PHP file is executed by the web server like any other, that usually means full site compromise. The patched version is 1.0.34 (or higher).
- Simple 301 Redirects: Installed on over 300,000 sites, this plugin contained several vulnerabilities. The most dangerous allowed unauthenticated users to change redirect URLs and send other site visitors to malicious sites. Others allowed authenticated users to install and activate plugins without an administrator’s knowledge. The patched version is 2.0.4.
- Spam protection, AntiSpam, FireWall by CleanTalk: This plugin is quite popular (used on over 100,000 sites), and a vulnerability discovered this month would allow an attacker to extract potentially sensitive information from a WordPress site’s database. The database is where everything is kept in WordPress, including site contents, installed plugins and themes, admin and user email addresses, and all password hashes. The exploit is not particularly easy to perform, but you should make sure you’re updated to the current version (5.156) ASAP.
- WP Statistics: Used by over 600,000 sites, this plugin also contained a vulnerability that could allow anyone visiting the site to obtain specific database entries. The nature of this vulnerability prevents it from being used to extract the contents of an entire database, but given the highly sensitive nature of database entries, the patched version should be installed immediately. The patched version is 13.0.8.
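If you manage more than one site, checking the list above by hand gets tedious. The script below is an added example (not code from the original post or from any of the plugins): it compares the plugin versions reported by WP-CLI’s `wp plugin list --format=json` against the patched versions named above and flags anything still vulnerable. The plugin slugs in `PATCHED` are assumed from the plugin titles (WP-CLI reports the plugin directory name, so verify them against `wp-content/plugins/`), and the sample WP-CLI output is constructed for the example.

```python
"""Flag installed WordPress plugins that are below a known patched version.

Added example, not from the original post. Real input comes from running
`wp plugin list --format=json` on the site; the sample below is constructed.
"""
import json
import re

# Minimum patched versions from the post. Slugs are ASSUMED from the plugin
# titles; WP-CLI reports the directory slug, so check wp-content/plugins/.
PATCHED = {
    "external-media": "1.0.34",
    "simple-301-redirects": "2.0.4",
    "cleantalk-spam-protect": "5.156",
    "wp-statistics": "13.0.8",
}

# Constructed sample of `wp plugin list --format=json` output.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "simple-301-redirects", "status": "active", "update": "available", "version": "2.0.3"},
    {"name": "wp-statistics", "status": "active", "update": "none", "version": "13.0.8"},
    {"name": "cleantalk-spam-protect", "status": "inactive", "update": "available", "version": "5.155.1"},
    {"name": "akismet", "status": "active", "update": "none", "version": "4.1.9"},
])


def version_key(version):
    """Turn a dotted version into a comparable tuple.

    Numeric parts compare as integers (so 13.0.10 > 13.0.8, unlike a string
    compare), short versions are padded (1.0 == 1.0.0), and a trailing
    pre-release tag such as '-beta' ranks below the plain release.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))          # pad to four components
    is_release = 0 if m.group(2) else 1     # pre-release sorts before release
    return nums + (is_release,)


def check_plugins(plugin_list_json, patched=PATCHED):
    """Return the plugins from WP-CLI output that are older than the patched version.

    Inactive plugins are reported too: their files stay on disk and reachable
    over the web, so they should be updated or deleted, not just left disabled.
    """
    findings = []
    for plugin in json.loads(plugin_list_json):
        slug = plugin["name"]
        if slug not in patched:
            continue
        required = patched[slug]
        if version_key(plugin["version"]) < version_key(required):
            findings.append({
                "plugin": slug,
                "installed": plugin["version"],
                "required": required,
                "status": plugin.get("status", "unknown"),
            })
    return findings


if __name__ == "__main__":
    for f in check_plugins(SAMPLE_WP_PLUGIN_LIST):
        print(f"{f['plugin']}: {f['installed']} installed, "
              f"{f['required']} required ({f['status']})")
```

On a real site, `wp plugin list --format=json | python3 check.py` (with the script reading stdin instead of the sample) gives the same report; `wp plugin update <slug>` then fixes each finding.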
Despite some great privacy advancements in the most recent version of iOS and iPadOS, Apple has not had a great month from a security perspective.
To make this brief – if you’ve got any sort of Apple device, update it now!
The two iOS and iPadOS vulnerabilities both occur in WebKit, and could result in arbitrary code execution on a targeted device (for example, by visiting a malicious web page). Both are zero-days: Apple says they may have been actively exploited in the wild before a fix was available, which is why users should update their iOS and iPadOS devices to 14.5.1 ASAP.
The newest zero-day in macOS is also troubling – it allowed malware to take screenshots without the user’s knowledge or permission, bypassing the usual privacy prompt – but since the known attack relied on infected Xcode projects, it’s unlikely to impact a normal user.
If you’re interested in some of the more technical details, you can read about all the vulnerabilities here.
iOS isn’t the only mobile operating system with dangerous exploits discovered this month.
A collection of four Android vulnerabilities – two in Qualcomm Snapdragon components and two in the Arm Mali GPU driver – would allow an attacker to completely take over a targeted device.
The good news here is that this attack is apparently quite complex, which makes it more likely to be nation-state sponsored and aimed at specific individuals rather than used indiscriminately. Google’s own Android devices will receive patches for these vulnerabilities in this month’s security update – hopefully other Android manufacturers follow suit quickly.
Other Google News
A new version of Google Chrome is out (Chrome 91), and while it only includes one “major” new feature (copying and pasting files into email attachments), it does feature a host of bug fixes and security improvements. If you’re using Chrome, make sure you restart it sometime in the next day or two to get the newest version.
I mentioned back in February about the shutdown of Google’s in-house Stadia game studio (Stadia Games and Entertainment) and the departure of Jade Raymond. Well, it looks like another shoe has dropped with John Justice, vice president and product head of Stadia, leaving this month. A report by Bloomberg from February shows that even with the pandemic, Google’s Stadia service missed the internal sales goals by hundreds of thousands. I can’t imagine it’s long until Google pulls the plug on yet another service.
But don’t worry, because Google has a new operating system! The Google Nest Hub now runs on Fuchsia. Currently, nothing is changing with the Google Nest Hub’s functionality. If it feels odd to you that a new operating system launches a week after Google’s developer conference and yet receives no announcement or even mention during that conference, welcome to Google!
Thankfully, it’s been a (relatively) quiet month for Microsoft!
Windows 10X – the ChromeOS-like, lightweight operating system – has had its development paused. Some of 10X’s features, including a new app container system and voice typing features, will be migrated into Windows 10. It’s unclear if Windows 10X will ever be released.
A potentially dangerous vulnerability was introduced in last year’s Windows 10 2004/20H2 feature update. It is fixed in this month’s Patch Tuesday, so if you haven’t installed that update, make sure that you do!
The May Patch Tuesday also includes a new Windows feature, called “News and Interests”. While some people are likely to enjoy this feature, if you want to disable it, BleepingComputer has you covered.
Unlike Microsoft, it doesn’t seem like Facebook had a particularly easy month.
First, Facebook tried to “pass the buck” on former-President Trump’s indefinite ban over to Facebook’s quasi-independent Oversight Board. The board was having none of it, though, and essentially passed the buck back to Facebook. In a statement, the Oversight Board said “[I]t was not appropriate for Facebook to impose the indeterminate and standardless penalty of indefinite suspension…Facebook’s normal penalties include removing the violating content, imposing a time-bound period of suspension, or permanently disabling the page and account.” Basically – either give a firm end date to the suspension, or permanently delete his account.
In a related story, Florida has passed a bill that would make it illegal for social media companies to “deplatform” political candidates and news organizations. Interestingly, the law creates a carve-out for tech companies that own theme parks, such as Disney and Comcast, which owns Universal. The law is scheduled to go into effect on July 1, but it’s surely going to be challenged in court.
Additionally, as I mentioned earlier this month, the number of iOS users taking advantage of iOS’s new cross-app tracking restriction is quite high. After about a month, the worldwide opt-in rate for cross-app tracking is around 14%, while in the US it is around 6%. It’s almost like users who have an informed choice don’t want to be tracked.
Last year (almost exactly) I mentioned that one of the biggest dangers facing Amazon merchants was Amazon itself. Amazon collects a lot of data on what people buy (and when), and since they’ve started creating their own products, there’s a very real conflict between Amazon as a platform and Amazon as a manufacturer.
It looks like my fear wasn’t entirely misplaced, since poor security practices gave over 4,000 Amazon employees access to private seller data.
I said it last May, and I’ll say it again: if you’re selling a physical product, it (literally) pays to get off of Amazon. Shopify, WooCommerce, WordPress, eBay, etc. are all better options. Quite simply, if your product is on Amazon, then you also will eventually be competing with Amazon.
Some interesting vulnerabilities were disclosed this month that impact all WiFi devices released since WiFi became a “thing” back in 1997.
The bad news is obvious. The vulnerabilities are widespread and include both design flaws in the WiFi specification itself and implementation mistakes in specific products. According to the security researcher who discovered them, “every WiFi product is affected by at least one vulnerability, and most products are affected by several” (emphasis mine).
These vulnerabilities (collectively known as FragAttacks) let an attacker within radio range inject packets into a WiFi network or device – for example, to redirect a victim’s traffic to a malicious server – and, in some configurations, to exfiltrate data that was supposed to stay inside the network. Getting packets into a network can then be chained with additional exploits (or a device takeover), of course.
The small bit of good news is that although these vulnerabilities are widespread, they are WiFi attacks: the attacker must be (and stay) within radio range while performing the exploit, so they cannot be carried out over the Internet.
Additionally, many vendors have released patches to correct the implementation mistakes in their products. It’s worth pointing out that some products (old Android phones, cheap IoT products) will never be patched – and can thus never be considered secure.
An additional mitigation users can take is to visit only sites that use HTTPS. Injected packets can’t read or alter traffic that is encrypted end-to-end, so HTTPS limits what an attacker can do with an injection, even if it doesn’t prevent the injection itself. I mentioned a few weeks ago how HTTPS can protect your visitors, and this is just one more reason to make sure your site uses it.
Miscellaneous Tech News
While Ajit Pai – the FCC Chairman under President Trump – talked a lot about how reducing regulation and repealing Net Neutrality would lower the cost of Internet access for consumers, things turned out differently.
According to a report by an advocacy group called Free Press, internet prices rose at about twice the rate of inflation from 2016 to 2020. All this while ISPs’ infrastructure investment dropped – sometimes dramatically. Comcast’s investment in 2020 was 22% lower than in 2016, while AT&T’s was 52% lower over the same period.
Speaking of the repeal of Net Neutrality: a report released this month by the New York State Attorney General determined that of the 22 million comments the FCC received about the repeal, almost 18 million were fake. These fake comments were paid for by Broadband for America (BFA), which includes major ISPs (Comcast, Charter, AT&T, etc.) and other trade groups. BFA used third-party vendors to conduct the misinformation campaign, apparently without the knowledge of the ISPs themselves.