Let’s start with the short version. Yesterday, both Microsoft and Adobe released out-of-cycle updates to fix zero day security vulnerabilities that advanced attackers are exploiting in the wild via “watering hole” campaigns. If you use these products and haven’t installed the updates, go get the Flash and Internet Explorer (IE) fixes now!
The slightly longer story is early this week (during the U.S. President’s Day holiday) two security companies, FireEye and Websense, independently reported discovering two different legitimate web sites serving malware via a drive-by download attack. The web sites included a U.S Veteran’s site (VFW.org) and a French aeronautical company’s web site. The malicious code on these sites exploited two previously undiscovered, zero day vulnerabilities affecting Adobe Flash, and IE 9 and 10. They also delivered some relatively advanced trojan malware (in one case, Gh0strat), which has been used before in attacks that seem to come from China-based hackers. Since these sites have very specific user bases (military and ex-military, or aeronautical engineers), these attack campaigns fall into the category of watering hole attacks, where smart attackers purposely hijack web sites they know their target visits in hopes of poisoning the target’s watering hole. If you’d like to learn more about these types of attacks, and other web threats, you can check out a presentation I recently gave on the subject in a BrightTALK. You can also learn more about these specific attacks in this week’s upcoming security video.
In any case, yesterday both Microsoft and Adobe released advisories that include updates or FixIts that patch these zero day flaws. While you probably haven’t run into these exploits yet, unless you happen to fall into the two victim bases for these attacks, I expect criminal attackers to quickly start leveraging these new flaws. Now that they are public, you can expect criminal hackers to quickly incorporate the new attacks into the exploit kits they sell on the underground. Once they do, you’ll start to see these exploits popping up every where, to serve normal criminal malware. In other words, if you use IE or Flash, you should go get the updates immediately. You can find links to them in Microsoft and Adobe’s advisories. — Corey Nachreiner, CISSP (@SecAdept