October 2021 Tech and Security Roundup

Thankfully this was a (relatively) quiet month for WordPress vulnerabilities, but lots of Google and Apple news, the release of Windows 11 (yay?), an FTC investigation into ISP data harvesting (it’s bad), and how a single right-click is considered hacking by one governor.

WordPress

Only four big plugin vulnerabilities have been disclosed this month.

As always, make sure you’re keeping your site up-to-date. This is the easiest way to keep it safe and secure. If you need help, I have WordPress Maintenance plans that can keep your site safe, secure, and backed up.

  • Sassy Social Share Plugin: This plugin has over 100,000 installations and a serious vulnerability that was patched late last month. The vulnerability was a PHP Object Injection vulnerability, which would allow anyone with subscriber-level access to achieve remote code execution. With this privilege, anyone with this access (which is the most basic access for any site with open registration) could take over a vulnerable site. The updated version is 3.3.24.
  • Brizy Page Builder Plugin: This plugin – which is installed on around 90,000 sites – had multiple vulnerabilities disclosed (and patched) last month. Multiple vulnerabilities were serious and would allow an attacker to either add malicious JavaScript to any page or upload files that could lead to remote code execution either on the server or on the user’s computers (if they downloaded and ran the files). The patched version is 2.3.12.
  • Access Demo Importer Plugin: This plugin has a smaller install base than the other two listed above, with only around 20,000 installations. An error in the implementation of an “import” function would allow an attacker with only subscriber-level access the ability to upload and install a malicious file to the server, which could be taken over. The patched version is 1.0.7.
  • Hashthemes Demo Importer: Another theme importer plugin, this one has an installation base of about 8,000 sites. The vulnerability in this plugin would allow a user with subscriber-level access to reset the entire site. This reset would permanently delete almost all content as well as uploaded media. The patched version is 1.1.2.

Apple

Security

Apple has not done a great job with security researchers over this past month.

A security researcher named Denis Tokarev reported four iOS exploits to Apple between March and May of 2021. In July, Apple fixed one of the reported vulnerabilities but failed to give credit to Tokarev. According to a Bleeping Computer report, Tokarev was told that the failure to give credit was an oversight. Earlier this month, Apple fixed a second one (in iOS 15.0.2), but again Apple failed to credit Tokarev.

Since Apple has only fixed two of the four properly disclosed vulnerabilities, and Apple has repeatedly resisted giving credit where it’s due, Tokarev has released all four exploits publicly. In Apple’s failure to fix the bugs or give proper credit, they have shown either incompetence, arrogance, or both.

Of course, after Tokarev publicly released all four vulnerabilities, Apple reached out to Tokarev. For a company that prides itself on security privacy, this is a very dangerous failure of internal systems (or people).

Security researchers are discovering vulnerabilities every day. And whenever a new one is discovered the security researchers have a choice – give it to the vendor to fix (and receive credit and a bug bounty reward) or sell it to the bad guys to the highest bidder.

While bug bounties can be fairly large, they are often smaller than a vulnerability could fetch on the black market. If security researchers see that getting proper credit and a payout from Apple is a hassle, they may decide to take the easier route and just sell straight to the bad guys.

New Stuff!

Several new things were announced at Apple’s event in late October.

The biggest thing – the new MacBook Pros!

There are two different sizes, with 14-inch and 16-inch screens, and two new processors. The M1 Pro and M1 Max. Both of these processors are iterations on the M1 processor, featuring an increased CPU core count and increasing the number of GPUs.

The M1 Pro has an 8- or 10-core CPU (2 efficiency, the rest high-performance) and 14 or 16 GPU cores. The M1 Max features the same two CPU options, with either 24 or 32 GPU cores. For reference, the regular M1 has 8 cores (4 efficiency, 4 high-performance) and an 8 core GPU. The Pro and Max also increase the maximum allowable amount of RAM, better memory throughput, and additional I/O options over the regular M1.

Another announcement was the 3rd generation of AirPods. These are “regular” AirPods (not to be confused with the Pro model), but they look very similar to the Pro models. They also exchange the “tap” functionality with the “squeeze” functionality of the Pros, have a case similar to the Pros (with wireless and MagSafe charging), and spatial audio features. They do not have the noise cancellation or the silicon tips of the Pros, though.

One final thing announced macOS Monterey. The official release is in late October, and the new OS features Shortcuts moving to the Mac, as well as Universal Control, which will allow users to use a single keyboard to control multiple Macs or iPads.

Google

There was lots of Google/Android news this month.

Android 12 and New Pixels

Android 12 was released (sort of) this past month.

This version of Android is sure to cause some commotion since it includes a revamped user interface (called “Material You”). The new UI changes include colors that coordinate with your wallpaper, new widget features, a redesigned notification panel, and some welcome privacy controls and notifications for sensitive device features like the camera and microphone.

As of this blog post, Android 12 is “officially” released for the Pixel 5, 5a, 4, 4a, 3, and 3a. As is tradition with Android updates, when (or if) your non-Pixel device will get updated is anyone’s guess. If you have a Pixel (or Nexus) device and you don’t want to wait for the update to roll out to your device, you can install it manually by following instructions on Google’s Developer site.

The Pixel 6 was also released this month – and the spec sheet makes it look like a well-done upgrade to the Pixel 5.

The Pixel 6 comes in two flavors – a “regular” and “Pro” version.

The regular Pixel 6 has a 6.4-inch screen, Android 12, Google’s new Tensor CPU (no more Qualcomm!, two cameras, 8GB of RAM, and 128GB or 256GB of storage. This Pixel 6 Pro has a slightly larger (6.7-inch) screen with 120 hz refresh rate, the addition of a 4x telephoto camera, 12GB of RAM, and a 512GB storage option.

Like Apple’s iPhone 13, the brains of the phone – the CPU and GPU – remain the same in both the high- and low-end models. However, the price is one of the most attractive things about this new Pixel. The Pixel Pro starts at $899, while the regular Pixel 6 starts at $599.

Google’s Tensor Processor

Probably the biggest headline for this new Pixel is Google has taken a page from Apple’s playbook and developed their own SoC (system on a chip).

Android has long suffered from an update problem. Not only did it take a long time for OEMs (Samsung, HTC, LG) to ship out Android updates, but many times phones would be abandoned after only 2 or 3 years.

While some of the blame for this abandonment falls on the OEMs, much of it falls on Qualcomm – the maker of the Snapdragon SoC that powers most Android phones. If Qualcomm doesn’t provide updates to the firmware that lets the chip talk to the OS, it’s not possible to update an Android device past a certain point.

Now that Google is making their own chips, though, this may give Pixel phones (and other phones that use the Tensor SoC) a much longer useful life.

Ars Technica recently posted an interview where they talk about the new Tensor chip with the Google Silicon team that designed it. It will be very interesting to see how the chip’s performance compares with Apple’s new A15 SoC (Anandtech’s in-depth look at the A15 is fascinating).

(More) Android Malware

Despite Google’s best(?) efforts, there’s still lots of malware on Google’s own Play Store. A couple of the apps that have been making the rounds this month:

  • UltimaSMS Campaign: this malware campaign used several apps disguised as games, video and photo editors, spam call blockers, and more. This app collected the user’s phone number, and automatically subscribed them to a $40/month SMS service that the attackers got an affiliate cut from. If you think that you’ve been a victim, make sure to uninstall the app and get in touch with your mobile provider to cancel the subscription service. And don’t provide your phone number to apps that don’t need it!
  • Blender Photo Editor-Easy Photo Background Editor: This app requires the user to sign in with the Facebook credentials, which it steals and uses to log into your Facebook account and look for any stored payment information or any ad campaigns that the user may have run. This is the same strategy used by several other apps a few months ago. While the Play Store has millions of apps, since this app uses the same technique to harvest sensitive user information, it’s surprising that Google hasn’t taken it down.

The biggest lesson from these – don’t assume that every app on the Play Store is safe. Make sure you use common sense and if you have any questions about an app, don’t install it.

YouTube: Malware and Podcasts

A malware campaign is using stolen Google credentials to log into a user’s Google account, create a new YouTube channel, create videos about a popular subject, and link from those videos to software that contains malware.

The videos are on a variety of popular topics: cryptocurrency, how-to guides, software cracking, video game cheats, VPN software, etc. All the videos will mention a specific software tool that is needed and then link to that tool using a Bit.ly link that disguises the actual URL. If the software is downloaded, it will scan all internet browsers and the victim’s computer for passwords, credit card and bank information, and cryptocurrency wallets.

If you’re watching a video that recommends downloading software, be very careful about clicking a disguised link (like a bit.ly link). Instead, search for the software on Google (or DuckDuckGo) and download a “clean” copy from a more trusted source.

In happier news, Google is considering adding podcast-focused features to YouTube. If this happens this would be Google’s fourth podcasting app.

Google’s podcast app history began with Google Listen, then Google Play Music Podcasts, and today we have Google Podcasts. However, Google Podcasts is part of the Google Search team and seems to be a bit of an odd fit. Since so many podcasts are already on YouTube, it makes sense for Google to try and leverage that already-created content.

Google and 2FA

Google is taking account security more seriously this year, and automatically enrolling around 150 million accounts in two-factor authentication before 2022.

While this may be confusing for some users, this is absolutely the right call. Most users are blissfully unaware of their weak or compromised passwords, and that doesn’t just weaken their accounts – it makes things more treacherous for all users, as the above YouTube story demonstrated.

Only accounts that have “proper backup mechanisms” in place will be enrolled. Those mechanisms include a phone that has a compatible Google app installed or a backup mobile device tied to the account.

If you don’t know much about 2FA, you can read my short blog article about why this feature is something you should absolutely turn on.

Microsoft

Windows 11 is OUT!

Maybe the least-wanted Windows version ever is out! Hooray?

If you’re curious what the next version of Windows is like, Ars Technica has put together a thorough review.

However, it seems like it’s hard to escape the fact that this release has been overshadowed by Microsoft’s conflicting signals:

  • Microsoft has set the system requirements for “officially supported” updates incredibly high.
  • Microsoft also says that they are committed to Windows security. But that computers updated to Windows 11 – unless they meet overly-restrictive system requirements – may not receive future security or feature updates.
  • If Microsoft does restrict updates to computers on Windows 11 that don’t meet their artificially high requirements, it’s easy to see how this plan could backfire, and make Windows 11 PCs more vulnerable.

Steve Gibson did an excellent review (scroll down to page 11) of one of the major Windows 11 sticking points – TPM 2.0 – a hardware security feature that is causing most of the grief. Part of his conclusion is harsh (but true):

…[T]here are NO NEW FEATURES in Windows 11 that require anything more of the TPM than Windows 10 already does… yet Windows 11 is refusing to run on the same TPM’s as Windows 10… apparently because someone at Microsoft thought it would be cool to enact a more restrictive change in requirements.

Given these realities, the path Microsoft should take for Windows 11 is clear: Simply use the maximum security that’s being offered by whatever, if any, TPM is present in a system…If a platform doesn’t offer TPM 2.0, then its user cannot take advantage of those four enterprise-oriented features from among the fourteen that will run on any TPM. Fine. So, explain to those enterprise users that if they want those four features they’ll need to upgrade their hardware. But don’t tell any random home or small business user, who couldn’t care less about Windows Defender System Guard and Autopilot, that they’re S.O.L. if they wish to upgrade to the new Windows…It’s going to be seen as capricious and arbitrary, because as we’ve just seen, it is.

It really seems like the Windows 11 requirements are Microsoft’s “wink and nod” to computer OEMs to try and drum up more sales for Lenovo/Dell/HP/etc.

Miscellaneous

FTC on ISP User Data Collection

A report by the FTC says that some of the countries biggest ISPs:

[C]ollect and share far more data about their customers than many consumers may expect—including access to all of their Internet traffic and real-time location data—while failing to offer consumers meaningful choices about how this data can be used”.

And that the “choice” given to users is a false one at best.

[Some ISPs P]urported to offer consumers access to their data and choices as to their use and deletion, those choices were largely illusory, and sometimes even nudged consumers toward more data sharing. This further demonstrates the importance of restricting the collection and uses of data, rather than allowing ISPs to dictate how consumers’ information is used.

The ISPs investigated were:

  • AT&T Mobility
  • Cellco Partnership (aka Verizon Wireless)
  • Charter Communications Operating
  • Comcast (aka Xfinity)
  • T-Mobile U.S.
  • Google Fiber.

Together these six companies control about 98% of the US mobile Internet market.

The report blames the repeal of Obama-era broadband privacy and net neutrality regulations which happened under previous FCC chairman Ajit Pai.

Mike Parsons May Be an Idiot

Missouri Governor Mike Parsons threatened to sue and seek civil damages from a St. Louis Post-Dispatch journalist who disclosed a security flaw on Missouri’s Department of Elementary and Secondary Education (DESE) website.

The security flaw revealed Social Security numbers of more than 100,000 teachers, education administrators, and counselors. Governor Parsons called the journalist a “hacker”.

How did the journalist discover this flaw? Did they hack inside the mainframe? Did they execute a sophisticated spear-phishing campaign against a system administrator? Nope.

They right-clicked and clicked on “View Page Source”. That’s it.

If you’re reading this and you’re from Missouri, I’m sorry that your governor seems to be a real dummy.