I hadn’t mentioned the Google/China drama because pretty much everyone else has, but new details have emerged regarding an IE 0day exploit in the wild. Both Brian (“How-Many-Bloggers-Can-Say-They-Have-Sources?”) Krebs and The H Security have good posts on it, and both link to Microsoft’s new advisory on the problem.
The H Security has an interesting comment:
The advisory states that, while the hole affects versions 6, 7 and 8, the current attacks only appear to have targeted version 6 – which raises a question as to how current the affected companies’ software inventory is.
Indeed. They also mention what is becoming the attack method du jour:
The attackers apparently used the flaw to inject a trojan downloader into compromised computers. The downloader then proceeded to retrieve further modules, including a back door that gave the attackers remote access to the computer, from a server via an SSL-encrypted connection. Links to the crafted web pages were likely sent in emails to selected employees of the targeted firms.
Outbound SSL-encrypted connection. Take that, firewall egress filters! This gets back to how prevention eventually fails, and you’re down to relying on your layers of defense to detect the issue and respond appropriately (unless you aggressively whitelist, I guess). And while we often pass off 0days as exotic and not a threat, tell that to the high-profile targets that just got hit. And we all know that once high-profile targets don’t look as juicy anymore, attackers will go after their partners, vendors, providers, contractors, and smaller shops that have far less ability to prevent and detect these attacks.
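Since an encrypted outbound channel hides the payload from the egress filter, what the defender still has is metadata: which host talked to which destination, on which port, how often. Below is an added example (mine, not from the post or from any of the sources it links) of the kind of review you can run over firewall or proxy logs once you accept that prevention has failed: flag outbound 443 connections to names that are not on an allowlist, then surface hosts that keep reaching the same unknown name, which is what a downloader fetching “further modules” or a back door checking in would look like. The log format, the allowlist, and every hostname and timestamp are constructed for the example.

```python
"""Egress review over constructed firewall/proxy log lines.

Added example: flags outbound TLS (port 443) connections to destinations
not on a policy allowlist, then highlights hosts that repeatedly reach the
same unknown destination (a beacon-like pattern). Nothing here inspects
payloads; the SSL channel hides those, so only metadata is used.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed log format (assumption): "<ts> <src_host> <dst_name> <dst_port> <action>"
SAMPLE_LOG = """\
2010-01-14T09:00:01 ws-0042 www.microsoft.com 443 allow
2010-01-14T09:00:05 ws-0042 updates.example-vendor.com 443 allow
2010-01-14T09:01:10 ws-0042 cdn-static.invalid 443 allow
2010-01-14T09:06:10 ws-0042 cdn-static.invalid 443 allow
2010-01-14T09:11:11 ws-0042 cdn-static.invalid 443 allow
2010-01-14T09:02:00 ws-0077 www.microsoft.com 443 allow
2010-01-14T09:03:30 ws-0077 mail.example-vendor.com 443 allow
2010-01-14T09:04:00 ws-0091 files.example-vendor.com 80 allow
"""

# Hypothetical allowlist: destinations the egress policy permits by name.
ALLOWLIST = {
    "www.microsoft.com",
    "updates.example-vendor.com",
    "mail.example-vendor.com",
}


def parse_log(text: str) -> List[Tuple[str, str, str, int]]:
    """Parse log lines into (ts, src, dst, port); malformed lines are skipped."""
    rows: List[Tuple[str, str, str, int]] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, _action = parts
        try:
            rows.append((ts, src, dst, int(port)))
        except ValueError:
            continue
    return rows


def unknown_tls_destinations(rows, allowlist=ALLOWLIST) -> Dict[str, Counter]:
    """Per source host, count outbound 443 connections to non-allowlisted names.

    Only port 443 is considered here; plain-HTTP fetches are visible to the
    proxy anyway and would be handled by content inspection instead.
    """
    hits: Dict[str, Counter] = defaultdict(Counter)
    for _ts, src, dst, port in rows:
        if port == 443 and dst not in allowlist:
            hits[src][dst] += 1
    return dict(hits)


def beacon_suspects(hits: Dict[str, Counter], min_repeats: int = 3) -> List[Tuple[str, str, int]]:
    """Return (src, dst, count) for hosts that hit one unknown TLS name repeatedly.

    A single unknown destination is noise (CDNs, ad networks); the same host
    returning to the same unknown name again and again is what merits a look.
    """
    out = []
    for src, ctr in hits.items():
        for dst, n in ctr.items():
            if n >= min_repeats:
                out.append((src, dst, n))
    return sorted(out)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    hits = unknown_tls_destinations(rows)
    for src, dst, n in beacon_suspects(hits):
        print(f"{src} -> {dst} over TLS {n} times; not on allowlist, review this host")
```

Run against the constructed log, only ws-0042 stands out: its three connections to the same non-allowlisted name over 443 are exactly the signal an encrypted channel cannot hide. The allowlist is the “aggressively whitelist” option from the post; the repeat-count heuristic is the fallback layer for when the allowlist is not strict enough to block the connection outright.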