Editor's note: This story has been updated with a link to a Microsoft advisory about the new vulnerability as well as a Microsoft blog post discussing ways for users to reduce their risk of attack.
The recent hack attack on Google, Adobe and other companies occurred through exploitation of a zero-day vulnerability that affects many versions of Internet Explorer, according to Microsoft and a security researcher with a leading anti-virus firm.
Microsoft learned about the vulnerability only Wednesday evening, said the researcher, who asked not to be identified because he's not authorized to speak with the press.
Update: Microsoft has posted an advisory about the new vulnerability and issued a statement confirming that hackers breached Google and other unspecified companies using it.
The company indicated the flaw does not affect IE version 5.01 with service pack 4 and is difficult to exploit in other versions. The company also has so far not seen widespread attacks using the flaw, "only targeted and limited attacks exploiting IE6."
There is no existing patch for the memory-corruption flaw that causes the browser to internally misfire in a way that allows the hacker to inject malware onto the user's computer.
"It's pretty targeted so the reality is that it's only currently being used against these targeted companies," the researcher said. He couldn't say how many of the other 33 companies hit in the hack attack were breached in this way.
In a blog post published last Thursday, Microsoft provided suggestions for users on how they can mitigate their vulnerability until a patch can be released.
Zero-day vulnerabilities are software security flaws for which there is currently no patch. Researchers discovered a memory-corruption flaw in IE in December, which Microsoft patched on Dec. 9. The researcher, however, said the one that affected Adobe is new.
Google announced Tuesday that it had been the target of a "highly sophisticated" and coordinated hack attack against its corporate network. It said the hackers had stolen intellectual property and sought access to the Gmail accounts of human rights activists. The attack had originated from China, the company said.
Minutes later, Adobe acknowledged in a blog post that it discovered Jan. 2 that it also had been the target of a "sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies."
Neither Google nor Adobe provided details about how the hacks occurred.
Threat Level reported Tuesday that at least 34 companies were breached, some of them through a malicious PDF e-mail attachment that exploited a zero-day vulnerability in Adobe's Reader and Acrobat applications. Through that vulnerability, the hackers were able to install a Trojan program called Trojan.Hydraq on the user's computer to siphon credentials and other data to gain further entry into the company's network, according to security firm iDefense.
The hackers targeted the companies' source-code repositories, iDefense said, and succeeded in many cases in accessing those files. The hackers then transmitted stolen data to servers in the United States maintained by Rackspace before siphoning it to IP addresses in Taiwan.
The anti-virus researcher doesn't know the specifics about how Adobe was attacked but says the Hydraq trojan is the same malware that Adobe found on its systems, and it was delivered through the IE vulnerability. His company has been working closely with Adobe to investigate the attack and received samples of the malware to examine.
He said Adobe employees were likely targeted in a spear-phishing attack. This occurs when hackers send recipients targeted e-mails containing links to malicious websites that exploit a browser vulnerability.
When an Adobe employee visited such a site, the Hydraq trojan was loaded automatically onto their computer.
The researcher said he doesn't know what the hackers were able to access inside Adobe's network once they were inside.
Adobe has not responded to requests from Threat Level for comment.
Adobe announced in mid-December that a new zero-day vulnerability in its Reader and Acrobat programs was being actively targeted by attackers. The company made the announcement after security researchers not affiliated with Adobe discovered attacks being conducted against the vulnerability. Adobe patched the critical vulnerability only on Tuesday, the day it and Google announced they had been hacked.
Anti-virus firm McAfee has published a blog post confirming that a previously undisclosed vulnerability in IE was used to hack into several of the targeted companies. The attacks have been dubbed "Operation Aurora," believed to be the name the hackers gave their attack. A McAfee spokesman told Threat Level that the company's researchers had been working with a number of companies that were targeted in the attack since last week, prior to Google's announcement.
The McAfee blog post, written by George Kurtz, McAfee's chief technology officer, indicates that the IE vulnerability may be just one of many attack routes the hackers used and that the attacks signify a wind change in cyberespionage. He notes that the attacks, which occurred over the Christmas and New Year holidays, were timed to hit during a period when companies would be least likely to detect them.
"The current bumper crop of malware is very sophisticated, highly targeted, and designed to infect, conceal access, siphon data or, even worse, modify data without detection," Kurtz writes. "These highly customized attacks known as 'advanced persistent threats' (APT) were primarily seen by governments and the mere mention of them strikes fear in any cyberwarrior. They are in fact the equivalent of the modern drone on the battle field. With pinpoint accuracy they deliver their deadly payload and once discovered -- it is too late. All I can say is wow. The world has changed."
Updated with information from McAfee blog post and from Microsoft.
Photo: Martin Kalfatovic/Flickr