Posted by Geraldine Hunt on Thu, Jan 21st, 2021
The severe Microsoft bugs found at the end of 2020 have now been fixed in the latest Microsoft security update. If you were like most people, you were probably in a hurry to get 2020 over with last month. In the process, you may have missed some security updates and notices from Microsoft that closed out the year.
Microsoft Office Security Updates Fix Critical SharePoint RCE Bugs
Microsoft released two critical updates that fix known SharePoint RCE bugs that engineers had discovered and identified as CVE-2020-17121 and CVE-2020-17118. RCE stands for Remote Code Execution. It represents a vulnerability that allows an attacker to execute malicious code or commands on a target machine. Securing a discovered RCE vulnerability is always a top priority for product vendors, as well as customers. 17121 requires a threat actor to have basic user privileges to exploit it while 17118 doesn’t require authentication at all. Microsoft’s Patch Tuesday release in December addressed both of these vulnerabilities. The bugs applied to SharePoint Server 2019, SharePoint Enterprise Server 2016, SharePoint Foundation 2013 Service Pack 1 and SharePoint Foundation 2010 Service Pack 2. Attackers that could successfully take advantage of these could in turn install malicious code as well as view, change or delete data. They could also potentially create rogue admin accounts on the compromised Windows devices.
In addition, the update release addressed seven other RCE bugs present within Office products as well. This is a perfect example of why it is so critical to manage and deploy monthly updates regularly upon release. Microsoft recommends that enterprises utilize deployment rings in order to simplify and sequence the Windows update process. The use of deployment rings allows internal IT to validate updates within a smaller subset of devices in order to ensure application compatibility before full deployment.
The Adrozek Browser Hijacker
Microsoft issued a security alert last month concerning a drive-by attack that targets Chrome, Edge and Firefox users called Adrozek. The attack has infected as many as 30,000 devices a day. The primary aim of Adrozek is to obtain total control of your browser activities in order to drive user traffic to selected sites using unauthorized ads. These ads are injected into the search results initiated by users. Essentially, they are fake ads that have nothing to do with the search queries. Because the ads show up beside legitimate ads, it makes it hard for users to discern which ads are safe and which ones aren’t. The perpetrators of these attacks then make money for traffic generated by these ads through affiliated advertising programs.
One thing unique about this attack is that it targets all of the major web browsers including Edge, Chrome and Firefox as well as less popular ones. In order to seize control of user web sessions, Adrozek manipulates browser settings in order to disable its defenses. Security controls and safe browsing are turned off and automatic updates are disabled. All of this of course increases the vulnerability of the afflicted browser, exposing it to further attacks.
If your computer becomes infected by Adrozek you can expect an increased supply of banner ads, popups and video commercials in your web sessions. At the very least, your search results may seem a little out of whack. The real threat however goes far beyond mere ads. Microsoft reports that Adrozek also allows the attackers to monitor and steal passwords to financial websites as well as other sites that involve sensitive information. Firefox users are even more susceptible as Adrozek can also steal encrypted user credentials from a victim’s Firefox profile. Once decrypted, the credentials can be used freely by the attackers. For this reason, Microsoft advises anyone who confirms or suspects that their machine is infected to act immediately to clean their machine. This includes the re-installation of all web browsers.
How TitanHQ can Help
Adrozek is a classic example of drive-by malware, which involves the unintentional download of a virus or malicious software to an unsuspecting user. Upon visiting an infected site, the user inadvertently downloads an .exe file that deposits itself in the %temp% folder under Program Files. Adrozek then poses as a legitimate Windows service and carries out its manipulative processes.
Of course, one way to combat these malware menaces is a modern day endpoint security solution. While these tools combat the threats once they arrive, they can’t prevent users from accidentally downloading them. That’s why an internet filtering solution such as WebTitan is so important today. With advanced content filtering, malicious detection services and smart malware blocking services that target viruses, malware, ransomware, phishing and malicious sites, drive-by malware attacks don’t have to result in a dead end for your computer devices.
Chat with a member of the WebTitan team to discover how we can protect your organization in 2021. Contact WebTitan today to arrange a call.