Worm Exploit Distributed by Advertising Network
Zocalo writes "Given that a lot of Slashdot readers also check The Register, it's important to note that their Internet advertising provider, Falk AG, was compromised by the BOFRA exploit yesterday. The Falk AG service has been suspended by The Register and a statement from Falk AG is due on Monday. The upshot is that if you visited the Register yesterday morning and use IE as your browser, then you probably need to run a full virus scan with up-to-date data files. Of course, those of us running other browsers and something like AdBlock have nothing to worry about. Again." You're OK for now if you're running SP2. There's also a good security writeup about the problem.
Dutch news site (with a fairly large, non-techie audience) nu.nl was affected as well; a large warning was put up Saturday.
The warning (sorry, Dutch only) mentioned that until Sunday afternoon, they received 1300 requests for help from possibly-affected visitors.
As far as accountability goes, it was nice to see the publisher, Ilse Media, put up a clear FAQ and even a special-purpose contact form to accommodate their not-web-savvy users.
They also mentioned further statements from Falk AG were forthcoming Monday 22nd.
Using an alternative browser, with AdBlock installed, I wasn't affected myself...
"Would it kill you to put down the toilet seat?" -- Maya Angelou
In that case, feel free to use this version that uses "0.0.0.0" instead.
The ISC has more details here and here.
The latest version for many users is IE 6 SP1, which is vulnerable. Not everybody has XP, and even a lot of XP users still don't have SP2 (you try downloading it over a dialup line sometime).
The write-up for the attack is incorrect. The correct sequence of events is at http://www.finlandforum.org/bb/viewtopic.php?t=7685. I know because I noticed it at The Register first and contacted Falk AG. Thanks for the acknowledgement too Slashdot, NOT.
> how are we to know which ones of those ad providers are infected and which are not?
As a rule of thumb: they all are.
Seriously. Most of the major ad networks have distributed ActiveX drive-by-downloads and *many* have distributed exploits. Almost everyone in the online ad market has dirty hands.
Falk are known to have served exploits for some time, but I guess this is the first time they've hit the Reg.
The exploits are going absolutely crazy right now - they're *everywhere*. See also this incident:
http://www.dslreports.com/forum/remark,11904374~m
It used to be that IE users could just avoid browsing untrusted sites to stay safe. Not any more. Anyone browsing with IE pre-SP2 and no extra precautions is going to get hit sooner or later, and most likely it'll be with enough chain-loading parasites to render the machine barely usable.
(SP2 of course is not safe either, having publicly known exploits; but they don't seem to be targeted by the large exploit nets... yet.)
For one, to those people commenting about how some people say that they don't want to use SP2... It isn't their fault that they don't want to. When I installed SP2 on my computer, which was using a legal copy of Windows XP, my computer BSODed and the boot sector was screwed over. This was a mistake on the count of Microsoft that deleted a number of documents that I thought were in a stable, safe place. I now make a backup of all my data to an external hard drive every other day to make sure this doesn't happen.

Another comment I would like to make is for the people that are saying that ads are the only sources of revenue that websites have and we should be forced to read them and not block them. Yes, I agree that some websites need ads for money to run the site, but some ads are downright obnoxious. There are, however, sites that live off of things such as Google text-only ads. www.neowin.net is an example, where you see at the top of the page only a simple text ad, or once in a while a picture ad. They are a fairly large website, and yet they support themselves by only a text ad. Interesting, isn't it? People rave about how websites absolutely have to have tons of ads to live, and yet Neowin has been living for a good 5 years now on text ads...
Oh, and the same blocking could be done with a Windows web-proxy server.
True, but the Linux proxy is obviously uninfectable by anything that could infect the end-user systems being protected. This isn't as obvious with a Windows proxy; you need to know a little more about how the proxy works, how it does its filtering, what vulnerabilities it has, etc. The person making purchasing decisions may not be comfortable with his ability to judge the vulnerability of a Windows proxy. You also need to do a more thorough lockdown because of all the damn features crammed into Windows' every orifice. And keep in mind it can be infected from the inside as well.
In general the best networking strategies involve as diverse a set of operating systems as possible, so that no one agent can infect them all. I would go for a BSD proxy. Since it's always "dying", it offers bulletproof security.
You don't need Linux, unless you aren't smart enough to figure out how to work Windows.
clap clap clap... Post of the week!
Someone with automatic update wouldn't even need to know what SP2 is, but they would be up to date.
And that person would have more balls than I do for leaving that thing on automatic. Every SP2 install I have done so far has turned into a nerve-wracking experience.
This is FUD. Linux and OS X have much better segregation between user space and the OS. If what you say is true, then why are there so many exploits for IIS and not Apache? Even the ones that do exist for Apache do not buy you much, because Apache typically runs as its own user. Most exploits I've seen for IIS buy you SYSTEM access. Not only that, but the user base for Linux and OS X is far less monolithic in terms of what folks use to read mail, browse the web, etc., and the typical applications seem to have far fewer security issues. E.g., compare the security track record for Mozilla versus MSIE.
This particular problem is a heap overrun, not a stack overflow. XPSP2 introduced major changes to the way heap memory is laid out.
The improvements included safe unlinking, randomising the base address of the PEB (makes it harder to overwrite the UEF for example), and a heap version of a stack canary called a security cookie.
There are also improvements to the stack security by using a stack canary a la StackGuard compiled in by default for all MS apps.
Basically SP2 does contain a bunch of actual, measurable improvements to the way writeable memory is dealt with. It's not bulletproof but it will screw most 'stock' exploits.
By the way, something that nobody will tell you about BOFRA is that there _is_ a workaround - you can disable active scripting. The exploit uses javascript to allocate masses of heap memory to 'seed' the heap ready for the exploit. This is NOT a fix for all possible ways to attack this bug, just a fix for this particular attack.
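The "safe unlinking" the comment above credits to SP2, as an added illustration that is not code from this page or from Microsoft: a toy doubly-linked free list with the old trusting unlink next to the checked version, showing why a corrupted node's neighbours must still point back at it before any pointer is written. The node layout and names (list_entry, flink, blink, bystander) are assumptions for illustration, not the real Windows heap structures.

```c
#include <stdbool.h>
#include <stddef.h>

/* Free-list node; the layout is an assumption for illustration, not the
   real Windows heap structures. */
typedef struct list_entry {
    struct list_entry *flink;
    struct list_entry *blink;
} list_entry;

static void list_init(list_entry *head) { head->flink = head->blink = head; }

static void list_insert_tail(list_entry *head, list_entry *e) {
    e->flink = head;
    e->blink = head->blink;
    head->blink->flink = e;
    head->blink = e;
}

/* Pre-SP2 style unlink: trusts flink/blink, so a corrupted pointer becomes a write through it. */
static void unlink_unsafe(list_entry *e) {
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
}

/* SP2-style safe unlinking: both neighbours must still point back at e,
   otherwise the list is corrupt and the heap refuses (and would abort). */
static bool unlink_safe(list_entry *e) {
    if (e->flink->blink != e || e->blink->flink != e)
        return false;
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
    return true;
}

/* Scenario: after one honest unlink, an overrun overwrites node b's blink with
   the address of an unrelated struct. Returns 1 if the intact unlink succeeded,
   unlink_safe refused the corrupted one leaving the bystander untouched, and
   unlink_unsafe would have written into the bystander instead. */
int demo_safe_unlinking(void) {
    list_entry head, a, b, bystander = { NULL, NULL };
    list_init(&head);
    list_insert_tail(&head, &a);
    list_insert_tail(&head, &b);
    bool ok = unlink_safe(&a) && head.flink == &b;   /* intact list: succeeds */
    b.blink = &bystander;                            /* simulated corruption */
    bool refused   = !unlink_safe(&b);
    bool untouched = (bystander.flink == NULL);
    unlink_unsafe(&b);                               /* old path writes through */
    bool clobbered = (bystander.flink == &head);
    return (ok && refused && untouched && clobbered) ? 1 : 0;
}
```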
Try adding a nice big hosts file to block all the ad servers. You get far less pop-ups/banners/sidebars, save bandwidth, and get less flashing shit on your screen. Here's a link to one with 10000 entries, but there are others out there too.
All those moments will be lost in time, like tears in rain.