Yahoo! Advertising Security

Hackers Exploit Adobe Flash Vulnerability In Yahoo Ads

vivaoporto notes a report that a group of hackers have used online ad networks to distribute malware over several of Yahoo's websites. The attack began on Tuesday, July 28, and was shut down on Monday, August 3. It was targeted at Yahoo's sports, finance, gaming, and news-related sites. Security firm Malwarebytes says the hackers exploited a Flash vulnerability to redirect users to the Angler Exploit Kit. "Attacks on advertising networks have been on the rise ... researchers say. Hackers are able to use the advertising networks themselves, built for targeting specific demographics of Internet users, to find vulnerable machines. While Yahoo acknowledged the attack, the company said that it was not nearly as big as Malwarebytes had portrayed it to be."
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward

    Yahoo will not know how successful this attack was, since the traffic doesn't pass through their servers.

  • Ads (Score:5, Informative)

    by 0123456 ( 636235 ) on Tuesday August 04, 2015 @12:47PM (#50250175)

    Now tell me again why I shouldn't block ads...

    • +5 please (Score:1, Insightful)

      by Anonymous Coward

      seriously all those who insist that ads must not be blocked have been evading the corresponding responsibility

      • by Anonymous Coward

        If the argument to block ads were really a security issue, then the default setting would be to only block Flash ads and allow text ads.

        And we all know it's not.

        Remind me why you're blocking text ads again?

  • by Egg Sniper ( 647211 ) on Tuesday August 04, 2015 @12:49PM (#50250191)
    We need to ban ads immediately to protect ourselves from this threat. We cannot sit idly by any longer. Ads have been attacking our computers for too long. The time to act is now!
  • That's not even funny anymore.
    I've got it disabled for a while now, but for a lot of people it's not an option.
    Let's get rid of it!

    • I have found if you truly need Flash (by which I mean work not cat videos) you keep IE around as your insecure browser you only use for crap required for your job. For everything else, use a browser which doesn't have Flash enabled.

      In no other circumstances should people be accessing the internet with Flash enabled for everything. Because that's just asking for it.

      I've had Flash disabled for over a decade, and except one or two sites a year for something required by HR, I've never found myself thinking "g

    • by dywolf ( 2673597 )

      seriously.
      after all these years how is there a new vulnerability every week??

  • by fuzzyfuzzyfungus ( 1223518 ) on Tuesday August 04, 2015 @12:53PM (#50250233) Journal
    Aside from reflexive ass-covering, which is to be expected; Yahoo (and any of their ilk in the advertisement slinging business) have a fairly obvious incentive to deny the seriousness of the problem.

    Ad networks are a ghastly open sewer of shoddily vetted and frequently dangerous crap; usually served agonizingly slowly and heavy on Flash and scripts and crap. Even better, ads offer a nice way to hit a broad selection of users, across sites, and without needing to compromise specific operators or lure people into the seedy side of the internet where people stereotypically go to get unpleasant viruses.

    Even if you are one of the 'But advertising experiences enable the content economy, ad-blockers are immoral and killing businesses, etc.' people, what do you say about the sheer danger? Leaving ads unblocked is about as safe as letting sewage into your drinking water distribution system. That's a problem. Fix your ghastly excuse for a platform, so I could at least let my guard down without getting cyber-syphilis, and then maybe we can have a chat about whether ads are wonderful or not. Until that time, don't even bother.
    • by Fire_Wraith ( 1460385 ) on Tuesday August 04, 2015 @01:20PM (#50250421)
      It's not just the malicious crap, either.

      It's the insistence on basically hijacking the display with all kinds of ridiculous crap. I don't mind a reasonable banner ad across the top or down the side. When they started using flash, putting autoplay video/audio, waving popups and inserts that get in the way of what I'm doing... no, just no.

      Every so often I take a look at casual browsing without, just for comparison, usually when on someone else's computer. The amount of crap from ad traffic noticeably slows down page load times. In some cases I'd guess the ad traffic is actually larger than the pages I'm surfing, sometimes vastly moreso.
    • Ad networks are a ghastly open sewer of shoddily vetted and frequently dangerous crap; usually served agonizingly slowly and heavy on Flash and scripts and crap.

      When I have ad blocking on, the battery in my computer lasts five times longer than when I have it turned off. It's kind of insane.

  • Using windows is like leaving your door unlocked. Using flash is like having no walls.
  • by xxxJonBoyxxx ( 565205 ) on Tuesday August 04, 2015 @01:06PM (#50250313)

    Friends don't let friends use Yahoo. Or Flash. Or ads.

  • A new web-based exploit is known as "a Tuesday", in the same way that a boot sector virus is "a monday", and a .EXE virus is "a wednesday".

    A common thread of malware is that it uses whatever means to automatically execute without user interaction. Simply prevent stuff from automatically executing (NoScript, Flash block, or click-to-play), and the infection rate will become negligible - and perhaps more traceable in real-time.

  • You know what, stop telling us about Flash vulnerabilities ... when Flash hasn't been used in an exploit in several months, that will be newsworthy.

    In the meantime, I assume Flash is the same old piece of shit security hole it has been for as long as it has existed.

    Letting every web page execute arbitrary code on your machine has always been idiotic.

    I'm with you, I'll continue to treat all ads as hostile entities and gaping security holes. Javascript will require whitelisting only if I really want your site

    • You know what, stop telling us about Flash vulnerabilities ... when Flash hasn't been used in an exploit in several months, that will be newsworthy.

      I think the hope is that if we keep bashing Flash that eventually it will go away forever. We're almost there but some lazy/cheap websites still cannot be bothered to update and ban flash entirely. Frankly if Adobe were a responsible company they would simply abandon flash altogether and that might finally move things along but that's almost certainly a pipe dream.

      • by Megane ( 129182 )

        The problem is if it goes away and gets replaced by something harder to block. Right now the Flash bottleneck is easy to control, even if it means I have to click to enable for a few things. If it gets replaced by something innate to browsers, rather than a plug-in, it could become harder to block.

        On the other hand, that bottleneck is also a bad thing, in that when it's not blocked, it's a common source of vulnerabilities that everyone has. In other words, a monoculture.

  • This event highlights - once again - the need for browsers to provide tighter control over scripts that are allowed to run. It is totally unacceptable that browsers in this day and age don't provide some sort of built-in mechanism to selectively permit or deny execution of remote code (no, "disable everything everywhere" doesn't count). Ideally, each "script" that requires external plugins (flash, java, ...), should be treated as dangerous, and should only be played on demand. Other scripts could be allow
  • Their front page has turned into a mud pit of ads, it's all content from other sites, I can't see any compelling reason to go there in the first place and then they become an attack vector.

  • i said it before [slashdot.org] and i'll say it again.

    there are very few reasons to keep flash installed/enabled. if you must have it, use flashblock but chances are you can just disable/remove it completely. if some site still uses flash to play video, leave a complaint in the comments. those that haven't switched to html5 yet will do so soon enough.

    if you still have java plugin installed, you better have a good reason because no (sane) sites use that shit.

  • stop outsourcing your webads to third parties so you have control of what gets served to your visitors.
  • Even if I did feel some moral compunction to let my eyeballs be smeared with ads (which I do not), why should I, when they're so freaking dangerous?

  • "For seven days, hackers used Yahoo’s ad network to send malicious bits of code to computers that visit Yahoo’s collection of heavily trafficked websites, the company said on Monday."

    Would these 'computers' be running Microsoft Windows ..

    "When a computer — in this case, one running Windows — visited a Yahoo site, it downloaded malware code."

    Yes it does !

    "As with the previous reported cases this one also leverages Microsoft Azure websites" ref [malwarebytes.org]
  • All of the ads say 'Activate Adobe Flash'
  • I've installed 167 Flash updates, each one of them claiming to provide better security... there can't possibly be any vulnerabilities left in Flash!
