September 2021 Tech and Security Roundup

Although things were (relatively) quiet on the WordPress front, lots of news from Apple, Google, Microsoft, and Facebook kept this month interesting!

WordPress

This month vulnerabilities were uncovered in a couple of plugins. While one has a moderate install base of around 80,000, the other has a massive base of over a million installations!

The Gutenberg Template Library & Redux Framework is a plugin that allows a user to create different page layouts and templates within the default Gutenberg editor. This is a very popular plugin, having been installed on over 1 million sites. The plugin contained a couple of vulnerabilities – one allowing a user with lower permissions than an administrator to install and activate plugins and delete arbitrary pages. The second vulnerability allowed any website visitor to access certain sensitive information about a website’s configuration. The fully patched version is 4.2.13; sites running this plugin should update immediately.

The Nested Pages plugin allows you to easily alter your website’s structure and menu. This plugin had a cross-site request forgery (CSRF) vulnerability. Exploiting it would involve tricking a signed-in administrator into performing a specific action. This action could cause the administrator to (unintentionally) delete, unpublish, or reassign pages to another admin. The patched version is 3.1.16.
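As an added illustration of the CSRF pattern described above (constructed for this post, not Nested Pages’ code and not its actual flaw), here is a hypothetical WordPress admin-ajax handler that deletes a page: the first version honours any request carrying a logged-in administrator’s cookies, which is exactly what a CSRF page relies on; the second verifies a nonce and the user’s capability first. The function and nonce action names are made up.

```php
<?php
// Hypothetical plugin handler (constructed for illustration, not Nested Pages' code).

// Version 1: CSRF-prone. Any request bearing the admin's session cookies is honoured,
// so a page the admin merely visits can trigger the deletion.
function np_demo_delete_page_unsafe() {
    $post_id = (int) ($_POST['post_id'] ?? 0);
    wp_delete_post($post_id, true);
    wp_send_json_success(['deleted' => $post_id]);
}

// Version 2: hardened. The nonce ties the request to a form WordPress itself rendered
// for this user, and the capability check ensures the caller may delete this post.
function np_demo_delete_page_safe() {
    // Dies with a 403 unless $_POST['nonce'] was created by wp_create_nonce('np_demo_delete_page')
    check_ajax_referer('np_demo_delete_page', 'nonce');
    $post_id = (int) ($_POST['post_id'] ?? 0);
    if (!$post_id || !current_user_can('delete_post', $post_id)) {
        wp_send_json_error('forbidden', 403);
    }
    wp_delete_post($post_id, true);
    wp_send_json_success(['deleted' => $post_id]);
}

// Register only the hardened handler; the form or script that calls it must include
// wp_nonce_field('np_demo_delete_page', 'nonce') or send wp_create_nonce('np_demo_delete_page').
add_action('wp_ajax_np_demo_delete_page', 'np_demo_delete_page_safe');
```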

Apple

This was a big month for Apple – in terms of new products, software, and security!

2021 iPhones, iPad, Watch, iOS 15

In this month’s Apple “California Streaming” event, they announced several new products and upgrades to existing products.

  • iPhone 13 Mini
  • iPhone 13
  • iPhone 13 Pro
  • iPhone 13 Pro Max
  • Apple Watch 7
  • iPad Mini
  • iPad

The new iPhones are, of course, an upgrade, although it seems like the upgrade this year was more focused on battery life and camera performance rather than faster processors or a new design.

The new Apple Watch includes a screen size increase, a bezel decrease, and improvements to charging speed. It’s interesting to note that Apple didn’t mention anything about a newer processor – presumably, these are still using the same internals as the Series 6.

The iPad Mini is a surprising announcement – especially given its configuration. It seems to be positioned as a “small iPad Air”, rather than a smaller “standard iPad”. This gives it a screen size increase (8.3 inches), the A15 chip, Touch ID on the power button, and Apple Pencil 2 compatibility. The “standard” iPad got a small bump in speed with the A13 chip (notably not the fastest one available) and an increase in base storage size (64 GB).

iOS 15 was also announced. Like the iPhone and Watch this year, iOS 15 was building on the big changes that took place last year (mainly widgets). Maybe the biggest feature upgrades in iOS 15 are “Focus” modes – an expansion of the “DND While Driving” and “Sleep” modes that allow you to customize the different people and apps that can break through your Focus blockade.

Developer Relations

While Apple’s lawsuit with Epic seems to have been resolved in Apple’s favor (the App Store does not violate antitrust laws), Epic did manage one victory – Apple has to open up payment options for apps on the App Store.

According to the injunction, Apple must allow apps to link to alternative (non-Apple) payment options within their apps. Additionally, Apple cannot stop app makers from communicating with customers outside of their apps to mention alternative payment options. Email address collection must be voluntary, of course, and app users can opt out of receiving these kinds of emails if they want to.

Security Patches

Another patch for all Apple devices was released this month. Like always, it’s strongly recommended that users upgrade their devices as soon as possible.

This patch fixes two zero-day vulnerabilities that have been actively exploited in the wild. One of these vulnerabilities has been used by the NSO Group to install their Pegasus spyware. Make sure you update all your iOS, iPadOS, and Mac devices ASAP!

Google

Chrome

A Chrome update this month (Chrome version 93.0.4577.82) included patches for several security vulnerabilities, including two zero-day vulnerabilities.

These two zero-days bring Google’s zero-day patches for 2021 up to 10.

As always, it’s pretty simple to make sure your Chrome is up-to-date. If you haven’t restarted Chrome recently, simply go to the Chrome menu → Help → About Google Chrome. That should kickstart a check for updates, and once it finds and downloads it, simply restart Chrome.

Android

It looks like Android 12 is due out in a couple of weeks.

According to some internal sources, it looks like October 4th will be when Google will unveil its newest Android version. This is going to be quite a change over Android 11, too, with a big UI change as well as under-the-hood changes to try and improve the upgrade situation across Android devices.

Pixel Devices

If you have a Pixel 3A that won’t boot and will only show an “Emergency Download (EDL) Mode”, there’s good news and bad news. The good news is that you’re not alone – the bad news is that there doesn’t appear to be any sort of a fix. While the specific symptoms that users report vary, it looks like this is not a software issue. Your only solution is a new device.

Since the Pixel 3A had a two-year warranty and was released in 2018, many of them are out of warranty. This is disturbingly similar to the issues that plagued the Nexus 5X and Nexus 6P. These hardware issues (and Google’s inability or unwillingness to fix them) eventually drove me away from Android phones. I thought that moving the phones to the Pixel team – which is Google’s “high-end” hardware division – would get rid of these issues, but apparently not.

If you’re in the market for a new Android phone, though, it looks like the new Pixel 5A is actually a pretty good choice.

This is Google’s newest “budget” phone, and it actually seems to be a good value. You do miss out on some things (no speedy or wireless charging, a 60 Hz screen, not the fastest processor, overheating while recording 4K video), but overall the phone provides a good value, great battery life, updates for 3 years, and the same (great) camera that has been on prior Pixel phones.

Antitrust

Just like Apple and Facebook, Google has come under lots of antitrust scrutiny in the past few months.

A case in Turkey mentions one of the biggest subtle ways in which Google is capturing more traffic to boost its own ad revenue. I talked about it a bit about a year ago, but essentially Google is pushing down organic results (links to other sites providing the information you searched for) and giving the top results to its own services (and ads).

The Turkey case is interesting since Google could either create a solution that gives organic content a higher page placement (a solution which could be demanded by other countries) or pull out of providing Google Map results in Turkey completely (which would remove them from a relatively large market).

Microsoft

Windows Patch Tuesday

This past Patch Tuesday (the second Tuesday of every month) included a modest 60 security vulnerabilities patched, but since 2 of them were actively exploited zero-days, it’s recommended that users patch immediately (if you haven’t done so already).

One of the zero-days allowed an attacker to take over your system with a simple exploit in a maliciously crafted Office document. Office apparently still uses components from the recently deprecated Internet Explorer (because of course it does), and those are subject to attack in an Office document.

As usual, though, updating isn’t without its excitement. In some systems, these updates are breaking network printing. This isn’t exactly a surprise, given that a major vulnerability in Windows for the past several months has been through very permissive printing functionality.

Apparently, if you want a secure operating system AND you want to print, you’re asking for just too much.

Windows 11

Good news, though!

Windows 11 is only a couple of weeks away – releasing on October 5!

Of course, you’ll have to make sure your computer will run Windows 11 – those rounded corners don’t come cheap, after all!

Facebook

Out of Control

While I’m not a fan of Facebook, I did think they were competent. It turns out that my underlying assumption may have been incorrect.

A string of reports in the Wall Street Journal this week shows a company that is barely holding it together.

  • There’s “XCheck” – which allows certain accounts (5.8 million of them) to post whatever they want – bypassing moderation and allowing them to violate Facebook’s rules with no consequences.
  • Facebook’s own algorithms pushed troll farm content – content expressly designed to manipulate users – onto 40% of US Facebook users. This happened despite the 2016 election fiasco where fake users were posting (and amplifying) vast amounts of fake or manipulated content. The reason for this troll farm pushing is Facebook’s push for user “engagement”.
  • While Facebook employees are flagging accounts belonging to human traffickers and drug cartels, the company does very little about it.
  • Instagram (and Facebook) are unhealthy for many teens (especially girls), and Facebook knows it (and tries not to mention it in public).

Facebook’s response, of course, is in a nutshell, “we’re sorry and we’ll try to do better…again”.

WhatsApp Encryption

An interesting investigation by ProPublica into WhatsApp and whether the “end to end” encrypted messages are actually private.

While Facebook states that WhatsApp offers “end to end encryption”, and many users interpret that to mean that Facebook can’t see the messages in transit, Facebook also employs about 1,000 WhatsApp moderators. Their job, of course, is to flag “improper” messages.

It turns out that when a user flags a message, the message content is decrypted and forwarded to Facebook for review. In addition to the flagged message, the four most recent prior messages are also sent to Facebook. This is done without directly informing the user (of course).

While this implementation makes sense, it’s worth pointing out that even though something may be “encrypted” you still must trust the organization responsible for the encryption. If Facebook wanted to, there would be nothing stopping them from both encrypting messages on a user’s device and forwarding all messages for review.

Amazon Kindle

The Kindle is one of those devices that I use all the time, but I hardly think about it (in a good way). It simply works.

However, technology moves forward, and Amazon announced three new Kindle models this month.

  • Kindle Paperwhite – an upgrade from the previous (2018) Paperwhite. A bigger (6.8-inch) screen, faster processor, more LEDs for backlighting, and this Paperwhite gets a “warm” option for the LEDs to remove some of the bluish tint.
  • Kindle Paperwhite Signature Edition – an upgrade over the standard Paperwhite. This model has an auto-brightness sensor to control the backlighting, as well as wireless charging.
  • Kindle Paperwhite Kids Edition – This is the same as the “standard” Paperwhite but with the ads removed ($20), plus a case, a 1-year subscription to Amazon Kids+, and an expanded 2-year warranty.

If you’ve been holding out for a Kindle, these upgrades make it even more appealing. If you already have a Paperwhite, though, I’m not sure that these are worth it (unless you read a LOT).