Security Vulnerabilities Found in WordPress Plugin & Select Apple Devices
When you think about the most pressing threats to the digital ecosystem, your mind likely turns first to data breaches. We see the headlines about how hackers steal sensitive personal information on a daily basis, and one reason why they are able to do so is via a security vulnerability.
A security flaw is the silent threat cybercriminals hope to exploit to access valuable information, and the number of discovered vulnerabilities continues to grow. A report from Risk Based Security discovered a new high in reported security vulnerabilities in 2021 with 28,695, while a report from Google’s Project Zero found that it takes vendors an average of 52 days to fix reported flaws.
In this latest installment of BlackCloak’s Thursday Threat Update, we take a look at a pair of recently discovered vulnerabilities, one affecting a popular WordPress plugin, and another impacting select Apple devices.
WordPress takes action after finding flaws
What we know: Security researchers at Automattic found security vulnerabilities affecting UpdraftPlus, a plugin for the popular content management platform, WordPress. UpdraftPlus allows WordPress administrators to backup their installations, including databases containing user credentials, passwords, and other sensitive information. The pair of flaws could allow hackers to download the backups and obtain the sensitive data, which can later be used to commit identity theft.
Recommendations: WordPress took action and forced an automatic update to anyone who had not updated to the latest version of UpdraftPlus. Despite the assurances of this update, we recommend that all publishers double check to make sure that they are running version 1.22.3 of the plugin. If that is not the case, update your version of UpdraftPlus immediately. As passwords are among the data points that could have been at risk due to the vulnerability, it is also recommended that you update your password out of an abundance of caution.
Security chip at the center of Apple vulnerabilities
What we know: Forensic tool manufacturer Passware claims to have discovered a way to exploit security vulnerabilities in a chip found within certain Apple devices, allowing hackers to bypass the limit on password login attempts as long as they have physical access to the device. The company also offers a dictionary of 550,000 of the most commonly used passwords and a database of 10 billion additional passwords.The affected Mac machines can be found here, and mostly consists of Macbook Air and Pros released between 2018 and 2020.
Recommendations: Since hackers need to have direct access to the Apple device to exploit the vulnerability, it is crucial to know where your Apple products are located at all times. Do not let any unknown person have access to your devices, and ensure they are stored in a safe space, both when you are at home and when traveling. You could also use an Apple AirTag to keep track of your devices at all times (but it’s important to be mindful of how they are used.) As Passware is selling passwords as part of their services, make sure the passwords for your devices are long, complex, unique, and include special characters.
Even when companies take action to remediate vulnerabilities, stay vigilant
It is reassuring to know WordPress took great steps to address severe vulnerabilities, and sometimes companies will go the extra mile to ensure you are protected. However, there may be occasions when a pending update is sitting in your device settings and you don’t know it yet, and it contains a patch needed to address a different flaw. Thus It is vital to stay up-to-date on all your app and device updates. so to protect yourself against any cyberattacks exploiting trending vulnerabilities.