Doctor Four My other vehicle is a TARDIS Premium Member join:2000-09-05 Dallas, TX |
Yahoo hit with large malvertisement attack
According to researchers at Malwarebytes, Yahoo's ad servers were hacked to deliver malicious software to the site's visitors. The malicious ads were found on the homepage, as well as their sports, finance, celebrity and games sites.
» blog.malwarebytes.org/ma ··· n-yahoo/
» mashable.com/2015/08/04/ ··· are-ads/
The malvertisements ran for a total of 6 days and may have infected millions of the site's visitors, making it one of the largest attacks of this kind in months. |
|
Cartel Premium Member join:2006-09-13 Chilliwack, BC kudos:2 |
2015-Aug-4 7:42 pm
Another good reason to use adblock and a hosts file.....what ads?  |
|
VikingBob Premium Member join:2004-06-05 Ste Anne, MB kudos:1 |
to Doctor Four
I can't say I've been to Yahoo lately, but the girlfriend may have been. Nothing nefarious noted on her machine, so our security solutions must be working. |
|
siljaline I'm lovin' that double wide Premium Member join:2002-10-12 Montreal, QC kudos:18 ·Bell Fibe Internet
|
to Doctor Four
No one I know that runs a Hosts file and uses an updated AV & AS will see these malvertisements. Yahoo is fully culpable as they are one of the oldest purveyors of ads on the net. It would seem to be the soup du jour for many security bloggers. Which isn't to say it's not a valid discussion.
» www.securityweek.com/mal ··· -network |
|
justin..needs sleep Mod join:1999-05-28 2031 kudos:15 Billion BiPAC 7800N Apple AirPort Extreme (2011)
|
to Cartel
said by Cartel: Another good reason to use adblock and a hosts file.....what ads?
No, another reason to remove Flash because that was the vector. As per usual. If you don't, you can get infected from any page that any page redirects you to, or iframes, or does anything to trick your browser into loading a tiny Flash container with the malware. |
|
therube join:2004-11-11 Randallstown, MD ·Xfinity
·Verizon Online DSL
|
to Doctor Four
quote: Malvertising is a silent killer because malicious ads do not require any type of user interaction in order to execute their payload. The mere fact of browsing to a website that has adverts (and most sites, if not all, do) is enough to start the infection chain.
Might not require interaction (where's the how part of it...?), but it also requires inaction on the user's part (to protect themselves). |
|
justin..needs sleep Mod join:1999-05-28 2031 kudos:15 Billion BiPAC 7800N Apple AirPort Extreme (2011)
|
people running around with their hair on fire don't realise that ads are NO different from all the other things that web pages bring into your browser.
Go visit any modern site and look at the raft of third party servers, APIs, widgets and stuff that happens behind the scenes. And it is all safe. Why? Because HTML is secure, and browsers are secure.
What is NOT secure are plug-ins (Flash) and Active-X (thankfully dead).
By freaking out about "malvertisements" you are not actually addressing the security problem that leaves you vulnerable. Either Flash is secure, or it isn't. If it is secure, you have nothing to fear from malvertisements. If it is NOT secure, then you have everything to fear from any web page anywhere.
Remove the plugin, and be safe. Or use a device that doesn't have Flash, like an iOS phone. |
|
Ian Premium Member join:2002-06-18 ON kudos:4 |
2015-Aug-5 7:57 pm
said by justin: people running around with their hair on fire don't realise that ads are NO different from all the other things that web pages bring into your browser.
I don't believe that's true. If I visit dslreports.com or any other single site, I have a reasonable degree of confidence that the code on any of the pages is known to the site developers. If you start throwing various ad-network scripts pulling in code from who knows where, instead of a point of failure, it's now dozens to hundreds. You can say, "Well don't run flash.", and sure, that will help, but the problem is running code unknown to even the site you're visiting.
So realistically, a person is better to not run flash, or to pull data from elsewhere. And one way to do that is to block potentially malicious ad networks, like the one that ran on Yahoo, and to block scripts from external sites. Stories like this make people suspicious of ad networks. And I don't think that's misplaced suspicion. |
|
justin..needs sleep Mod join:1999-05-28 2031 kudos:15 Billion BiPAC 7800N Apple AirPort Extreme (2011)
|
That used to be the case but it isn't true anymore.
Go take a look at what happens when you visit NY Times or the Guardian or the Daily Mail or any large site. Huffington Post, Engadget, etc. There is no way these sites are in control of what servers are involved. There are dozens. Literally.
LUCKILY however, browsers are very good at displaying html and executing javascript from anywhere without letting nasty things into your soft vulnerable OS.
But all bets are off if the browser is launching plugins (ActiveX, Flash, Java) that are not tightly sand-boxed and/or written from the ground up with modern security in mind.
This site is old school in many ways and is a poor example of what I'm talking about. But the modern web is far FAR from one server with tight controls now.
Not that I care: I have faith in using a mainstream browser that is kept patched, doesn't auto-run Flash, and keeping half an eye on the news. That's enough. Visiting Yahoo without adblock is not the least bit scary, or risky. |
|
|
Ian Premium Member join:2002-06-18 ON kudos:4 |
2015-Aug-5 8:21 pm
said by justin: Not that I care: I have faith in using a mainstream browser that is kept patched, doesn't auto-run Flash, and keeping half an eye on the news. That's enough. Visiting Yahoo without adblock is not the least bit scary, or risky.
What percentage of browsers in the wild have the above measures employed? I get what you're saying, but I don't think the ad network vendors have ever been user-security focused. And playing whack-a-mole isn't a great approach. If it's the plugins that are vulnerable, stop serving ads that need plugins? |
|
| |
to justin
said by justin: Visiting yahoo without adblock is not the least bit scary, or risky.
It wasn't true for those 6 days. |
|
justin..needs sleep Mod join:1999-05-28 2031 kudos:15 Billion BiPAC 7800N Apple AirPort Extreme (2011)
|
It isn't scary or risky if you use an html5 browser.
Why is it that people go to lengths to run complex anti-scripting, anti-cookie, anti-ad and anti-virus checkers and then sail around the net with Flash enabled without a tough sandbox around it?
Is it because BuzzFeed plays them funny Flash videos and that's something they prefer not to give up?
Why not put efforts into telling the sites that still demand flash, to get with it and re-do their stuff? |
|
| |
Without knowing the details of the compromise, you cannot say for sure that even an HTML5 browser wouldn't have been offered poisoned Flash as part of the malvertizing. By definition malvertizing is out of Yahoo's control, so the HTML5 capability could have been easily ignored in favour of the Flash contents. Without an ad/Flash blocker you could have been easily compromised, even with an HTML5 browser. |
|
justin..needs sleep Mod join:1999-05-28 2031 kudos:15 Billion BiPAC 7800N Apple AirPort Extreme (2011)
|
I'm not saying that. Of course "an HTML5 browser" would have been offered poisoned flash.
That gets back to DISABLE FLASH. and TELL SITES TO STOP USING IT. It is the root cause. It has been for years. You don't get malware from cookies, or javascript, or jpgs. You get it from plugins and there is really only one widely used plugin left to troll us all. |
|
| |
Therefore, as I said before, without a Flash blocker it was scary and risky to visit Yahoo. |
|
siljaline I'm lovin' that double wide Premium Member join:2002-10-12 Montreal, QC kudos:18 ·Bell Fibe Internet
|
to Doctor Four
It's over, c'est fini.
quote: Yahoo has shut down a massive malware campaign that may have affected millions of visitors to its sites. Yahoo confirmed it had stopped the scheme, which began last week, which had been using Yahoo's ad network to infect end users' PCs with malware. [...]
» www.zdnet.com/article/fl ··· hoo-ads/ |
|
| |
secuser to justin
Anon
2015-Aug-6 1:09 am
|
|
therube join:2004-11-11 Randallstown, MD ·Xfinity
·Verizon Online DSL
|
to Ian
quote: If you start throwing various ad-network scripts pulling in code from who knows where, instead of a point of failure, it's now dozens to hundreds.
And it does not even need to be an "ad-network". It could just be a "content delivery site", a site that houses & serves, perhaps, "scripts" (like, say, cloudflare, for instance).
quote: the problem is running code unknown to even the site you're visiting. So realistically, a person is better to not run flash, or to pull data from elsewhere. And one way to do that is to block potentially malicious ad networks, like the one that ran on Yahoo, and to block scripts from external sites.
Agreed (basically). |
|
| therube |
to justin
quote: look at what happens when you visit NY Times or the Guardian or the Daily Mail or any large site. Huffington Post, Engadget, etc. There is no way these sites are in control of what servers are involved. There are dozens. Literally.
True.
quote: browsers are very good at displaying html and executing javascript from anywhere
True.
quote: without letting nasty things in
I'd take issue with that part.
quote: all bets are off if the browser is launching plugins
True.
quote: This site is old school in many ways and is a poor example of what I'm talking about.
Basically true, but I do see it changing, & IMO not necessarily for the better IMHO (not in the best [safest, perhaps] interest of the users.) (I've alluded to these thoughts elsewhere.)
quote: the modern web is far FAR from one server with tight controls now.
Very true.
quote: Visiting yahoo without adblock is not the least bit scary, or risky.
Nor scary to me. But given what this thread is, & the talk of "do not require any type of user interaction in order to execute their payload" [which I take with a grain of salt, or two - basically show me], makes me at least pause, for a moment. |
|
| therube |
to Doctor Four
Firefox exploit found in the wild
quote: The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the same origin policy) and Firefox's PDF Viewer.
...
People who use ad-blocking software may have been protected from this exploit depending on the software and specific filters being used.
|
|
Chubbzie join:2014-02-11 Greenville, NC kudos:1 Hitron CDA3-35 (Software) OpenBSD + pf
|
to justin
said by justin: Why? because html is secure, and browsers are secure.
HTML5/WebRTC/Javascript, please research your claim. But I do agree that plugins provide the easiest vector of infection. |
|
siljaline I'm lovin' that double wide Premium Member join:2002-10-12 Montreal, QC kudos:18 |
to therube
That's here mon ami » Firefox 39.0.3 |
|
Mele20 Premium Member join:2001-06-05 Hilo, HI kudos:8 |
to justin
Why do you think I use the Proxomitron with JJoe's latest configs? I have Yahoo blocked in my Hosts file but if I didn't and I visited there I would not be vulnerable. Besides blocking nasty iframes, ads in general, Proxo also makes Flash not be able to run unless I click to allow it to start besides that Flash is set on Ask in my browsers that have that feature.
Flash isn't the culprit. Infected ads are. |
|
| Mele20 |
to justin
How is Active X dead? I have Windows 8.0 Pro with IE 10 and it has Active X. I won't be upgrading to the malware that is named Windows 10 with that god awful Edge browser that Microsoft designed to refuse local proxies because it doesn't want folks like me to kill ads and other crap as then Microsoft can't make a ton of money selling my privacy to all takers. I seldom use IE but it definitely still has Active X.
I use Flash on all browsers but I keep it up to date...except in IE where Microsoft takes forever to update it. I'd say Microsoft is the real problem not Flash. |
|
| Mele20 |
Mele20 to Ian
Premium Member
2015-Aug-8 7:06 am
said by Ian: What percentage of browsers in the wild have the above measures employed?
Mozilla recently shut down all use of Flash on Fx and SeaMonkey because of a nasty vulnerability in the wild. Flash does not auto run on either browser unless you configure it to do so. You can preferably set it to "ask" or set it to "OFF" and then enable only when you want to use it. Pale Moon is the same. It is not as transparent in IE 10 and 11 but not at all difficult to disable Flash there which I do every time there is a new Flash version out because Microsoft really lags ...even in the face of Zero day exploits....in updating Flash in IE 10 and 11. Proxo stops IE from auto running Flash and what about all those weird players that many sites use? Are they vulnerable too? Like DailyMail uses a player I'd never heard of and my security is tight enough that, even when I relax it deliberately, I can't get their player to run. |
|
| Mele20 |
to therube
said by therube: People who use ad-blocking software may have been protected from this exploit depending on the software and specific filters being used.
Just as those of us who use the superior Pale Moon have been protected even though Pale Moon also has in browser PDF Viewer. According to Moonchild, it is not vulnerable to this exploit affecting Fx. |
|
therube join:2004-11-11 Randallstown, MD ·Xfinity
·Verizon Online DSL
|
to siljaline
> That's here mon ami
Yes, but...
It was said:
> people running around with their hair on fire don't realise that ads are NO different from all the other things that web pages bring into your browser
&
> freaking out about "malvertisements" you are not actually addressing the security problem that leaves you vulnerable
& then my point to that was:
> People who use ad-blocking software may have been protected from this exploit (which was not a Flash/Java exploit, BTW) depending... |
|
| therube |
to Mele20
quote: Mozilla recently shut down all use of Flash on Fx and SeaMonkey because of a nasty vulnerability
They did not shut it down, they only changed it to click-to-play - for a limited period of time, until the updated Flash was out.
quote: Flash does not auto run on either browser unless you configure it to do so.
No, by default, it does. |
|
camper just visiting this planet Premium Member join:2010-03-21 Bethel, CT kudos:1 ·Xfinity
|
to justin
said by justin: Go take a look at what happens when you visit NY Times or the Guardian or the Daily Mail or any large site. Huffington Post, Engadget, etc. There is no way these sites are in control of what servers are involved. There are dozens. Literally.
Here's a site with relatively few third-party links (only four). I've seen sites with well over 20 third party tracking and advertising links. |
|
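Added example, not part of any post in this thread: a small audit that lists the third-party hosts a page pulls active content from and flags anything that needs a plugin such as Flash, the two things being argued about above. The page URL, hostnames and HTML are constructed, and the "last two DNS labels" same-site test is a simplifying assumption (real tools use the Public Suffix List).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags that make the browser fetch active content, and the attribute naming its URL.
ACTIVE = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}
PLUGIN_TYPES = {"application/x-shockwave-flash", "application/x-java-applet"}

# Constructed sample page (hypothetical hosts under the reserved .example TLD).
SAMPLE = """
<script src="/js/site.js"></script>
<script src="https://cdn.news.example/app.js"></script>
<script src="//ads.adnet.example/tag.js"></script>
<iframe src="https://widgets.social.example/like"></iframe>
<embed src="http://media.adnet.example/banner.swf" type="application/x-shockwave-flash">
"""

def site_of(host):
    # Assumption: "same site" means the last two DNS labels match.
    return ".".join(host.lower().split(".")[-2:])

class ActiveContentAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.first_party = site_of(urlparse(page_url).hostname)
        self.third_party_hosts = set()
        self.plugin_loads = []  # (tag, absolute URL) that only a plugin can render

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE:
            return
        a = dict(attrs)
        ref = a.get(ACTIVE[tag])
        if not ref:
            return
        url = urljoin(self.page_url, ref)  # resolves relative and //host/ forms
        host = urlparse(url).hostname
        if host and site_of(host) != self.first_party:
            self.third_party_hosts.add(host)
        declared = (a.get("type") or "").lower()
        if tag in ("embed", "object") and (
                declared in PLUGIN_TYPES or urlparse(url).path.lower().endswith(".swf")):
            self.plugin_loads.append((tag, url))

def audit(page_url, html):
    """Return (sorted third-party hosts, plugin loads) for one page."""
    parser = ActiveContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return sorted(parser.third_party_hosts), parser.plugin_loads
```

Calling `audit("https://news.example/", SAMPLE)` reports three third-party hosts and one Flash embed; it only sees markup present in the HTML, not content that scripts inject at run time.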
therube join:2004-11-11 Randallstown, MD ·Xfinity
·Verizon Online DSL
1 edit |
to Mele20
quote: the superior Pale Moon have been protected even though Pale Moon also has in browser PDF Viewer. According to Moonchild, it is not vulnerable to this exploit affecting Fx
He has NOT seen the bug report (yet). (remainder of response moved to this thread, » Critical Firefox Update) |
|