Dan Goodin, reporting for ArsTechnica:

The compromise started in the last few minutes of Halloween with a spearphishing e-mail that ultimately gave the attackers access to PageFair’s content distribution network account. The attacker then reset the password and replaced the JavaScript code PageFair normally had execute on subscriber websites. For almost 90 minutes after that, people who visited 501 unnamed sites received popup windows telling them their version of Adobe Flash was out-of-date and prompting them to install malware disguised as an official update. […]

Fortunately, the malware was detected by F-Secure and likely competing antivirus packages as well. Additionally, a large percentage of connections to the attacker servers failed. On top of that, NanoCore runs only on Windows, so people visiting on machines running other operating systems were immune to the attack.

Two lessons to take from this:

1. Don’t use Windows.
2. Don’t use Adobe Flash.

You’ll thank me later.