October 2020 Tech Roundup

WordPress

This month saw vulnerabilities patched in several widely-used plugins.

  • WPBakery is a page creation plugin installed on over 4 million sites. A security flaw discovered in late July would have allowed any authenticated user (with contributor-level access or higher) to inject malicious code into posts. The vulnerability is fixed as of version 6.4.1, and you should upgrade to that version immediately if you haven’t already.
  • A vulnerability in the Child Theme Creator by Orbisius can cause major damage if an attacker gets a site administrator to click on a specially-crafted link. With this vulnerability, an attacker could upload arbitrary files, or give themselves a backdoor into the site.
  • Vulnerabilities found in the Post Grid and Team Showcase plugins (both by the same author) would allow a logged-in user (with subscriber or higher level access) to add malicious code or take over a site. With other, specific plugins installed, this vulnerability could even be exploited by an unauthenticated site visitor. The vulnerability is fixed in Post Grid version 2.0.73 and Team Showcase version 1.22.16.
  • The Loginizer plugin, present on over 1 million sites, was patched to fix a serious and easily-exploited SQL injection vulnerability. The flaw was so severe that it actually triggered an automatic update of the plugin on most WordPress sites. Make sure you have the most recent version (1.6.4); a forced update like this only happens for incredibly severe vulnerabilities.

As a reminder, one of my highest-impact jobs for my web clients is my WordPress Maintenance plan. This plan keeps your site secure and backed up, along with providing a few other perks.

Google

Google and the DoJ

I talked a bit about the antitrust investigation into the 4 biggest US tech giants a few days ago. To my surprise, it looks like the DoJ is pursuing an antitrust case against Google.

There’s no telling what the actual outcome will be, and if the DoJ will be pursuing charges against the other three companies mentioned in the original investigation. This is certainly something to watch in the coming months (and years), though.

Google Shuts Down…

I’ve talked about the speed and randomness that Google uses to shut down its products before.

This month has been a big one for the Google Grim Reaper. Google has shut down Trusted Contacts, Google Play Music, and the Nest Secure.

While Trusted Contacts is not a surprise, the Nest Secure shutdown is.

The Nest Secure was a home alarm system that launched in 2017, and was not a cheap product. The “starter pack” cost $500 and additional sensors to monitor doors or windows (the starter pack only came with 2) cost $60 each. For customers that may have paid around $1,000, a 3-year life is probably not what they wanted.

Google Play Music is also moving along with its shutdown that was announced in August. As of October, US users of Google Play Music have lost access. User data is set to be deleted after December of this year. Google Play Music subscribers are being pushed to YouTube Music, although I don’t believe YouTube Music has all the features that were present in the (now-dead) Google Play Music service.

Malicious Chrome Extension

An adblocking extension for Chrome (and Chromium) browsers with over 300,000 active installs has been uploading browsing data and messing with users’ social media accounts.

The extensions, Nano Adblocker and Nano Defender, were initially developed by an independent developer, who sold the rights to them when he no longer had time to maintain them. The extensions were updated earlier this month by the new owner, and that update added malicious code.

The modified extension would upload sensitive data (like session cookies) from a remotely-configurable list of sites. It’s unknown exactly which sites had data stolen, but with session cookies involved it’s possible for the attackers to access authenticated accounts like social media, email, or bank accounts.

The plugin also would automatically “like” images from specific Instagram accounts that weren’t followed (or accessed) by the user.

If you have this plugin installed, it should go without saying that you should uninstall it immediately. Also, this is why you should be cautious of all the plugins you install in your browser!

Windows Woes

The Zerologon vulnerability that I briefly touched on last month is very bad and getting worse.

This vulnerability, if unpatched, allows an attacker that has limited access to a network to become an administrator. This gives them the power to create and manage accounts and access throughout the network.

Zerologon was only announced at the end of September 2020, but it has already found its way inside malware packages. It really is a nightmare for security, since it’s an easy way to acquire a permanent presence in a network.

The vulnerability was patched in August, but many systems remain vulnerable. This is not surprising, though, since almost every Windows 10 update introduces new problems. This month’s was no exception.

If you haven’t updated your Windows 10 machine(s), you need to do it NOW!

One other reason people are (rightfully) hesitant to update Windows: the confusing removal or relocating of features. Again, this month’s update was no exception!

In the Windows 10 20H2 update, for example, Microsoft is now redirecting users to the new “About” page instead of the classic Control Panel “System” page. The good news is that there is a way to get the original System page back, at least for now.

Long-term, though, it’s probably better to make the move to something like Ubuntu or another Linux distro.

New iPhone

The iPhone 12 and iPhone 12 Pro were announced this month.

In terms of hardware, all iPhones now feature OLED (at 60Hz) displays, 5G connectivity, better cameras, and the return of MagSafe.

All iPhones also lost a couple of things: no wired earphones or power adapter will be included in the box. While Apple did this in the name of “environmental savings”, it also saves the company lots of money.

Interestingly, Apple also removed these items from the box of new iPhone 11s. The price on those did not go down after their removal, though.

Warning to Hospitals

A foreboding warning to hospitals around the country. It looks like healthcare facilities are being targeted by hackers in ransomware attacks.

The joint advisory comes from several US intelligence agencies involved in cybersecurity operations: the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS). The advisory gives lots of technical information about the threat, including details for mitigation (step one is to keep things up-to-date!), possible attack vectors, and indicators of compromise.

If you’re at all involved in network security (or interested in how it works), you should check it out.

Dangers of the Software Supply Chain

This is more of a cautionary tale about how important the hardware and software supply chain can be for security.

A smartwatch made by Norway-based Xplora, the X4, gave a limited set of smartwatch features to young users. The X4 gives the wearer the ability to make and receive voice calls and texts (to pre-approved numbers), and send an alert (which includes location) to emergency contacts. The watch also has a camera, and can alert parents if the wearer strays out of pre-approved areas.

FYI: This watch is not for sale in the US. It’s just an interesting security story that shows a wider danger.

The X4 (which runs a modified version of Android) comes preinstalled with several apps from Qihoo 360. Qihoo is a Chinese security company that also manufactures the watch hardware for Xplora. According to a security researcher, these apps contain a backdoor that would cause the watch to report its real-time location, take and send a picture to an Xplora-controlled server, or make a phone call. All these functions would happen without the wearer being notified.

This backdoor functionality is exceptionally difficult to activate, since it requires knowing an encryption key (unique to each watch) and the watch’s phone number. However, the presence of this backdoor functionality underscores the dangers posed by software that can’t be easily inspected. In this case, the researchers had to “modify” the watch to find these issues.

This story is worth remembering if you’re buying an Android phone that is not from a company like Samsung or Google. There could be software in the phone that does stuff that you’re not aware of!