By the time Microsoft warned customers of a nasty security hole in its web browser last week, a sophisticated group of attackers were already using the vulnerability against defense and energy companies, according to FireEye, the security company.
Things went from bad to worse over the weekend. FireEye’s researchers watched as the attackers shared their exploit with a separate attack group, which began using the vulnerability to target companies in the financial services industry, according to Darien Kindlund, the director of threat intelligence at FireEye.
Even after Microsoft issued its advisory on Saturday, Mr. Kindlund said, “There was a notable increase in proliferation.”
Soon, the attackers were using the vulnerability for so-called watering hole attacks, in which hackers infect a popular website with malware, then wait for victims to click to the site and infect their computers.
Mr. Kindlund said FireEye believed the two attack groups were nation-state sponsored. While he said the company did not yet have conclusive evidence, based on the groups’ previous campaigns it was believed they were operating from China.
The vulnerability affected all versions of Microsoft’s Internet Explorer web browser. Only those who had configured their browsers to run in enhanced protection mode were protected.
The situation took on added urgency because Microsoft stopped supporting its Windows XP operating system last month, meaning that any devices running Windows XP would be permanently vulnerable to attack.
Typically in its regular upgrade cycle, Microsoft waits to issue security fixes on the first Tuesday of every month — what system administrators call “Patch Tuesday.” But given the gravity of the hole, Microsoft raced to issue a patch Thursday and decided to update Windows XP systems as well.
“The security of our products is something we take incredibly seriously,” Adrienne Hall, the general manager of Microsoft’s Trustworthy Computing project, said in a statement on Thursday. “When we saw the first reports about this vulnerability we decided to fix it, fix it fast, and fix it for all customers.”
The timing of FireEye’s discovery was fortuitous for the company, whose stock has tumbled 40 percent since a finding last month by NSS Labs, an independent research company, that FireEye’s breach-detection systems underperformed similar offerings by Cisco Systems, Trend Micro and General Dynamics. NSS Labs actually issued a grade of “caution” to customers using FireEye’s web and email malware protection systems.
The findings set off an unusual back-and-forth online between NSS Labs and FireEye. Responding to the report in a blog post, Manish Gupta, FireEye’s senior vice president for products, said NSS Labs’ test environment did not match the real threat landscape. NSS Labs’ researchers responded in a blog post of their own — titled “Don’t Shoot the Messenger.”
FireEye’s stock, which had been trading at $65 before the NSS Labs report was released, has been tumbling and closed near $40 Thursday.
Mr. Kindlund, of FireEye, said this week’s discovery of the security hole in Internet Explorer was proof that isolated tests did not reflect real-world threats. A separate finding by NSS Labs released in March had found that Internet Explorer was more secure than Google’s Chrome and Apple’s Safari browser.
“Look, we’re focused on protecting and defending against real-world attacks,” Mr. Kindlund said. “It’s hard to model and test for that in any controlled way. Clearly, there’s a disconnect between what’s happening in the real world and what’s currently being tested.”
© The New York Times 2014