January 21, 2010

Security Bulletin - Aurora Internet Explorer Zero-Day Attack


Aurora Internet Explorer Zero-Day Attack

As early as December 2009, emails containing links to malicious code were sent to Google, Adobe, and approximately 30 other companies.  Commonly referred to as Aurora, the attack leveraged a previously unknown Internet Explorer vulnerability and the attack is ongoing.  Aurora was designed to evade traditional anti-virus and Web reputation defenses to gain access to company assets and sensitive information. As of January 21, only 25% of AV vendors tracked protect against the payload according to this VT report. Websense® Security Labs™ has published important information – available below – regarding this threat.

What You Should Know

Websense provided its customers with zero day protection from this attack before it began in December.  Aurora, and a growing number of similar Web-based threats, highlight the need for Websense Web, data, and email technology, which go beyond legacy security controls.  Websense provides real-time protection for previously unknown threats like Aurora as they propagate over the Web and across email, targeting sensitive data stored on systems inside and outside the corporate network, helping to prevent systems from getting infected and sensitive data from being compromised. Put simply, Websense provides the most advanced security for modern threats.


With Websense, customers receive:

  • Real-time malware protection that goes beyond anti-virus to address previously undiscovered threats like Aurora on-the-fly, when they are first introduced.
  • Advanced content security that spans Web, email and other channels to intelligently scan data coming in and out for legacy threats, exploits, script-based attacks, and data loss.
  • Comprehensive protection for users at the corporate office, branch office, and who are mobile to carry security across the entire enterprise. 

More Information on Aurora



The Aurora attacks are examples of what are being referred to as Advanced Persistent Threats (APT), described well by TaoSecurity in three simple points. In brief:

  • Advanced means the adversary can operate in the full spectrum of computer intrusion.
  • Persistent means the adversary is formally tasked to accomplish a mission.
  • Threat means the adversary is not a piece of mindless code.

The impact of these advanced attacks on the targeted organization can be severe and difficult to defend against. In this case, the attacks used complex exploit code delivered on websites. Vulnerable hosts were affected when they simply connected to the site. Post-infection, additional malicious code is downloaded, data is captured and the sent to remote websites.

Websense has been at the forefront of identifying and protecting our customers from zero-day exploits in the wild for several years.  We expect that the number of attacks of this type will grow with time.  We are now seeing other attackers use the Aurora zero-day exploit to infect vulnerable hosts. Since the code is now publicly available, we expect the next wave of attacks to come from cybercriminals whose techniques are equally sophisticated, but whose motives are somewhat different. They will most certainly be hunting for data, but it will be for monetary gain rather than information gathering. 

Learn More

Websense Security Labs:




Other Resources:

For information about how to be protected against advanced threats, visit http://www.websense.com.

For up-to-date information about Aurora, and for other breaking security information: http://www.websensesecuritylabs.com 


Forcepoint-authored blog posts are based on discussions with customers and additional research by our content teams.

Read more articles by Forcepoint

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.