Worm Exploit Distributed by Advertising Network
Zocalo writes "Given that a lot of Slashdot readers also check The Register, it's important to note that their Internet advertising provider, Falk AG, was compromised by the BOFRA exploit yesterday. The Falk AG service has been suspended by The Register and a statement from Falk AG is due on Monday. The upshot is that if you visited the Register yesterday morning and use IE as your browser, then you probably need to run a full virus scan with up to date data files. Of course, those of us running other browsers and something like AdBlock have nothing to worry about. Again." You're OK for now if you're running SP2. There's also a good security writeup about the problem.
This is a really big problem. Okay, so it's the Register and they realized this and stopped it. But we visit so many other websites - how are we to know which one of those ad providers are infected and which are not?
Sheesh, where is accountability? Blame the sysadmins, blame the software, pity the customer. Lather, rinse repeat.
Maybe site owners will start moving or demanding text-based ads (like Google's)?
Rock that crushes, Paper & Scissors that don't matter.
.. falkag.net are the second entry in my ad filter, right after doubleclick
How many IE users have switched to SP2 yet?
Trolling using another account since 2005.
You're OK for now if you're running SP2.
Ummm... My Win machine is running SP4. Oh, you mean XP SP2. Not on my machines, man... The highest I'll go on my personal machines is 2k.
Aside, you left out another browser of very worthy note. Oh, well, make that two.
I'm not a prophet or a stone-age man,
I'm just a mortal with potential of a super man.
Sad thing was the company was based in the Netherlands so it wasn't even worth pursuing legally... but if you are on the net, you aren't safe. MS products are more insecure, but you should always take steps to protect yourself, like keep the OS and applications up to date, etc etc
Agile Artisans
I guess I should stop using Lynx then! It's unethical since I don't see images.
What's with all this "Microsoft should patch this", "Microsoft should patch that". I am NOT a pro Microsoft person, but they made SP2 for a reason. If SP2 fixes it, why in the hell should they go back and patch an older version? If you don't like SP2 that's your problem, but if you want to actually get the latest updates, use it. Don't complain if sticking with SP1 (or no SP) is going to stop you from getting any security fixes.
WASTE - The Secure P2P
So if your XP machine is up to date you're ok?
That's kool, because all I do is download new browsers for security and never run windows update. That would make too much sense...
Utter drivel. I suppose you think that it is "theft" to change the channel on the TV when adverts come on, as well. Is it also "theft" to turn the page of a magazine without looking at the adverts on it? As far as I am concerned, advertising is a form of pollution. It reduces the visual beauty of the environment and I don't want to see it.
flossie
Write now. Defend liberty
"Extensions and programs like AdBlock are tantamount to theft; you are acquiring the content but not "paying" for it by loading the advertisements."
Um, it is clearly *your* problem if your website's cash flow relies on wasting my bandwidth with advertisements.
Your supposed 'right' to profit does not extend to the point where I have to bend my life around your profit model. Thanks.
Are you saying that it is wrong to house the homeless?!
flossie
Write now. Defend liberty
If you may have visited The Register between 6am and 12.30pm GMT on Saturday, Nov 20 using any Windows platform bar XP SP2 we strongly advise you to check your machine with up to date anti-virus software, to install SP2 if you are running Windows XP, and to strongly consider running an alternative browser, at least until Microsoft deals with the issue.
I just wanted to make this comment. One of the SP2 versions trashed my computer so bad when I ran it. And I'm still suffering from the effects. Such effects include freezing on websites for minutes at a time. Installing it also took my computer like 10 minutes to boot if I remember correctly.
If you can get an anti-virus program, do it. It's better than nothing.
I hate third party ads. www.tvtome.com serves one malicious ad, unless they took care of it already. If I remember correctly, the "ad" kept asking me to do something, in which I had to end up killing the IE6 process to stop it. But I run an ad blocking program most of the time. I really hope websites switch to text ads, like Google does.
AdBlock is unethical [...] Extensions and programs like AdBlock are tantamount to theft
It's kinda ironic that a lot of the ads on tech sites are advertising anti-spyware/pop-ups/ads/adware/spam tools, isn't it?
Maybe if these companies agree with you that the use of these tools constitute fraud/theft, then they should stop advertising them.
I make a point of not adding Google's adverts to my adblock list - they don't annoy me, so they get to stay.
I virtually never click adverts anyway, so it's not like anyone's losing my custom, but the sooner websites learn that flashing "Punch The Monkey" banners just piss visitors off, the better.
You're a troll, but I'm biting even so.
We are under no obligation to play by whatever crooked-up business model a company cooks up. Unless I sign/click an agreement to view the ads, they don't have a legal leg, nor a moral one for that matter, to stand on.
They offer a web-page because they have something to say. I select how to view it. What more is there to it?
I guess you're ok with printer cartridge prices too? After all, it's 'their business model' and not following it would be 'theft of service and fraud'?
"How about taking the safety labels off everything, and let the stupidity-problem solve itself?"
This worm gives new meaning to the term "viral marketing"...
-Valen
It's not the first time this has happened either, see this article relating to an incident that happened back in September with Falk AG.
Never email donotemail@WeAreSpammers.com
"Would it kill you to put down the toilet seat?" -- Maya Angelou
In that case, feel free to use this version that uses "0.0.0.0" instead.
I'll reiterate what I've said before regarding skipping advertisements.
For decades, advertisers have seemingly understood that what they do is a gamble. There is absolutely no guarantee that the advertisement will be viewed, paid attention to, or even work well to sell a product. Just because this model has worked in the past does not guarantee it will continue to work for all time.
If companies involved can no longer take the risk that people may not see advertisements, then they should reconsider their business models.
"You spoony bard!" -Tellah
Hmm, has anyone thought of blaming the web site and its advertisers? Going to a site should be like going to a restaurant. Sure, IE is also to blame, but it's not as if the web site and advertisers have no responsibility to keep things clean and secure.
testing out my trending skills
It's not quite so clear cut as that, though. As I see it:
For adverts:
- Running a web site costs money. The guys running it might even want to make a living
- hiring good writers is expensive
- Advertising money is a proven revenue source for media outlets
- subscription sites don't seem to be a popular option
but, against that:
- The adverts many sites run are overly intrusive and bandwidth-intensive
- people who block adverts probably aren't the kind of people who are going to take notice of them anyway
- just cramming more and more adverts down the throats of consumers is not a sustainable policy: eventually, everybody will block them because it's impossible to read anything on the web otherwise.
But, sites have to be paid for somehow. Do you have any suggestions of alternative profit models for web sites?
Penny-arcade seems to get by well enough on its merchandise, advertising, freelance art work etc revenue, for example. I'm not sure how well that scales to smaller sites, though.
The ISC has more details here and here.
The latest version for many users is IE 6 SP1, which is vulnerable. Not everybody has XP, and even a lot of XP users still don't have SP2 (you try downloading it over a dialup line sometime).
There was never any agreement between me and the website admins that I had a limited license to view the content predicated by my looking at ads. Websites that are on the internet are free to the consumer, unless explicitly stated otherwise.
Ceci n'est pas une sig.
:wq!
To add to that, I think that slashdot offers a free light version of the site for avantgo and other situations. I'm too lazy to check.
testing out my trending skills
The write up for the attack is incorrect. The correct sequence of events is at http://www.finlandforum.org/bb/viewtopic.php?t=7685. I know because I noticed it at The Register first and contacted Falk AG. Thanks for the acknowledgement too Slashdot, NOT.
I still see the ads on penny arcade because they are small enough it's not worth my effort to block them, and occasionally something interesting comes up.
:\
I see no ads here because they are huge flash obscenities for Microsoft FUD campaigns.
You want clickthroughs? Rethink your ad placement policies. (If I could select as a pref nothing but text ads for Linux/Unix/Hardware with _informational_ content - I might well see ads on Slashdot. And you might get paid more than the 0 you get for me at present.)
The thing that pisses me off most of course is that the ultra lightweight version still has the heavy and bloated flash/animated adverts
Beep beep.
Last time I read about the Microsoft's buffer overflow protection implementation in Windows XP Service Pack 2, they were talking about the NX bit present in page entries when the PAE mode was active in AMD x86-64 processors. Even though that protection exists in the new AMD x86-64 processors' MMUs, Intel P4 as well as older AMD processors do not yet support that bit, which means that processes running over them do not get any page-based protection against code execution, even while running SP2.
However I see many people trusting their lives on SP2's protection even without processor support, and I don't see Microsoft willing to clarify this issue either, so I'm starting to believe that probably there is something else that I am not aware of in SP2 which simulates the same kind of protection on processors without hardware support.
Is SP2 really protecting against stack smashing (for example) on processors without hardware support for non-executable pages? Or is it just general ignorance that Microsoft exploits for their own profit?
What about the bandwidth they steal from me, when they serve ads I don't want?
Oh boy, the old "You can't criticize IE's thousands of holes, because your browser has had almost ten!" argument.
...Mozilla need not support firefox 0.9.3 for two very good reasons. First, it is a pre-release piece of software (or preview if you prefer), second the cost of "entry" to obtain Firefox 1.0 is merely a 4-7 MB download.
If Microsoft say they will support older operating systems (i.e. Windows 2000) then they need to support it 100% (not 90%, for the extra 10% upgrade to XP that they are now). Lots of people paid good money for Windows 2000 and were led to expect full support, including security updates, for a substantial period. This period has not passed and as such Microsoft is reneging on their side of things.
I am NaN
Yes it's a lie. They haven't suspended the service. When I first contacted the Falk AG support team in Germany they were clueless. It took them several hours before I received a response after I'd sent them an e-mail documenting the attack and where the exploit was on their site. I forwarded the same e-mail to several people at The Register too. Later today the article appeared on their site. I don't think The Register had any idea what was going on until much later. The original infection was in http://f.as-eu.falkag.net/server/asldata.js?rdm=01684246 which was ad based just below the banner. What's there now is I think just data mining.
> Do you have any suggestions of alternative profit
> models for web sites?
Paid subscription?
Seriously, thanks to the Internet I've now exceeded the number of advertisements I'm prepared to view in my lifetime. I now block them on *any* site that I'm likely to visit more than once or twice. Advertisements stopped having any positive effect on me many years ago, and some are now so obtrusive (i.e. personally offensive) that I not only block them - I actively avoid buying those products.
Be honest - how many times have you seen an ad for e.g. some new model car, and decided "You know, I was just in the market for a car today. Good thing this ad appeared as now I know what to buy and where to go to buy one. And, what the hell, I'm not gonna buy the family wagon we really need; I'm gonna buy one of these fancy BMW sports cars because of the cool lifestyle aspects shown in the ad"? If what they're really trying to do with that ad is not sell me a car, but give me "brand awareness", then thanks - I'm aware of the brand, but I also feel free to remove it from my vision wherever and whenever it appears.
In my mind, and I suspect many others, Web advertising is now useless. The only Web ads I now notice are those that are too obnoxious to ignore, and I specifically block those out using AdBlock. I use Gmail constantly, but don't remember a single ad I've ever seen on Gmail; I know they're in the right-hand column, but my brain just doesn't parse them.
The upshot is that if you visited the Register yesterday morning and use IE as your browser.
A few years ago I would have laughed at anyone who said something like that and just ignored it as paranoia by someone who didn't really know much about computers and security or who had been watching too many hacker films. Of course you can't get a virus from visiting a web page, that's just stupid, who would allow such insane breaches of security? But Microsoft saw a market: they realised that since most people believed you could get a virus that way, why not match their products with people's expectations? Next slashdot poll should be who uses IE and why...
This comment does not represent the views or opinions of the user.
Bitter and proud of it.
For one, to those people commenting about how some people say that they don't want to use SP2... It isn't their fault that they don't want to. When I installed SP2 on my computer, that was using a legal copy of Windows XP, my computer BSODed and the boot sector was screwed over. This was a mistake on the count of Microsoft that deleted a number of documents that I thought were in a stable, safe place. I now make a backup of all my data to an external hard drive every other day to make sure this doesn't happen. Another comment I would like to make is for the people that are saying that ads are the only sources of revenue that websites have and we should be forced to read them and not block them. Yes, I agree that some websites need ads for money to run the site, but some ads are downright obnoxious. There are, however, sites that live off of things such as Google text only ads. www.neowin.net is an example, where you see at the top of the page only a simple text ad, or once in a while a picture ad. They are a fairly large website, and yet they support themselves by only a text ad. Interesting, isn't it? People rave about how websites absolutely have to have tons of ads to live, and yet Neowin has been living for a good 5 years now on text ads...
If there were a beggar on your way to work, and you went out of your way to avoid him, it would be fine. If there were a beggar on your way to work, and you surrounded him with some walls so no one would see him, that would be unethical.
Same thing goes here.
Ah, the Chewbacca defense.
That premise only even begins to make sense if people were preventing OTHER people from seeing the paid-for advertising. Let's look at it in more detail though...
If you saw a beggar on the way to work the ethical thing to do would be to report him to the authorities - begging is illegal in most modern westernised nations after all, and with good cause.
Very often it's done on private property (shop doorways, underground stations), often very assertively/aggressively causing harm to local business and increasing fear of crime (and increase in actual crime) in the area. It does very real damage to communities and the issues of drunkenness, instances of public disorder and the proliferation of hard drugs that go along with it to name but a few. It's such a problem in London that many local councils have put up paid advertisements trying to get it into people's heads NOT to give to street beggars.
I could say "It's unethical to set kittens on fire and kick them around, same applies here." that would make about as much sense. Setting fire to kittens is something I'd consider unethical, and just like your analogy it doesn't in any way relate to the ethics of blocking adverts however.
Here's two slightly more appropriate viewpoints.
This is a free market economy. If advertising in exchange for "free" services isn't becoming viable as a business model.. don't do it! The internet will survive without doubleclick.com and the countless "free" webmail vendors. If you gave away cars to people with "adverts" on the bonnets, and you went flat broke after giving away two cars with cola ads on them, don't complain. Don't complain if people paint over the ads, either. You gave away the cars. What did you expect? It's like people who build their houses in flood plains who whine when the flood comes and takes away their houses. There's no guarantee that if you provide a service for "free" on the expectation that people will in turn do you a favour, they will.
But you seem to say there is!
Extensions and programs like AdBlock are tantamount to theft
Theft is a very strong word. The basis you ply is, to say the least, a poor understanding of the legal state of the world (despite efforts by the US congress to change it). Theft is a crime, crimes are enforced by laws. Let's look at the law. You assert there exists a "contract" between the client and the server. The client, under your contract, views the adverts and views the meaningful content. Adblocking is therefore a circumvention of this contract. Sounds reasonable. But consider this. Nowhere does the website state that viewing of advertisements is mandatory in exchange for content. The advertisements are imbedded within the content, and there is no way for me to avoid them, even if the content should be offensive to me in some way (and really, you can be offended by anything these days, personally, I'm offended by ads). So I'm getting my content, and I'm getting these ads. But I haven't agreed, signed, clicked, on anything that states I explicitly need to see these ads. I haven't agreed to any contract. If you don't agree to a contract, then there is no contract. But you've already "given" the content away. It's on a public web server. So I'm free to view what is visible on that basis, in the same way that if I left a newspaper on my front lawn you could read it. I can also choose which parts of the freely visible information I want to see - because again, there's no contract, and copyright is not an issue because I'm not altering or republishing this information, just reading it, and only the non-advertising parts of it.
If you find adblocking annoys you - don't run a website with an unworkable revenue methodology. The free market economy is unforgiving, even less so when you give things away with no conditions attached.
I am government man, come from the government. The government has sent me. -- G.I.R.
Put it this way: Firefox offers pre-WinXP users a *free* path to being secure. Microsoft forces them to spend a significant amount of money.
If they're still using an older OS, that's tough shit for them.
There's going to be a lot of corporate computers running win2k. There's going to be some running WinNT. Times have been pretty tight, upgrading computers for some businesses isn't going to be the top priority. A lot of them don't need to upgrade. If you're using an as/400 session (or similar telnet type app) and email, a P2 with 128MB and winNT is fine, and that covers a lot of people out there.
Not sure how this would affect protection from malware, but as for "stealing"...
From AdBlock's FAQ:
Q: But I want to support my favorite site! Can I set Adblock to download, and then hide stuff?
A: Yes, see next question.
Q: What's the difference between "hide" and "remove"?
A: "Hide" preserves a page's layout -- content being downloaded, but not visibly rendered.
"Remove" collapses the layout -- no content is downloaded.
No, the latest version for EVERYONE is IE6 SP2. If they're still using an older OS, that's tough shit for them. You can't say "Well the latest version of Windows is XP, but some people decided not to upgrade so the latest version for them is 2000." It just makes no sense.
Yet another disadvantage of tying the web browser to the OS. At least the latest versions of Opera and Firefox run on Windows 95 just fine.
Besides, I don't think IE6SP2 runs on Windows 2003 Server. What do you have to say to users of that OS?
I work for IBM ebusiness webhosting so I'm well aware of what the issues are with current browsers since I paid to... and when people like you start talking out their ass. You can't even give a url? You get the big "yeah dude" of the day... congrats.
||| I still can't believe Parkay's not butter.
Freeware nLite removes IE from 2000, 2003, XP before installation
Technical Details on Removing IE from Windows 2000 before installation
I think we're forgetting the rather nice paper that was linked from Slashdot some weeks ago that stated quite clearly*,
It's not just the number of security exploits an O.S. or application has which makes it a bad or good choice, but the level of access allowed by the exploit and whether or not the exploit is accessible remotely or locally.
Context is just as important as content.
* Could someone reply and link that article please? I forget what it was called and I'd like a copy, thanks.
His name is Robert Paulsen...
Unfortunately frames are also extremely useful.
I can do things with frames (and especially with iframes) that I can't do otherwise in HTML.
Admittedly this is because my personal HTML skills suck - I learned HTML in 1993 and haven't really caught up since..
However, the websites my company does its selling on are written by very proficient HTML developers and they still use iframes. They do so because it's the best tool for achieving their aims.
So feel free to stop using frames, even iframes, and block sites that require them. Just don't expect many sites to work afterwards.
Of course, that won't stop you getting hit by malicious banner ads. You'll need to block those or switch browser whether you accept frames or not..
~Cederic
If you visit the Falk AG website, there is nothing on the exploit. The management clearly doesn't know what to do with the problem - otherwise they would have posted a full explanation by now. Ah well, I guess they need some time to wiggle themselves out of this one.
Slashdot: stuff for news, nerds that matter, matter for news, stuff that nerd
The fact that this attack happened
or,
The Register editors sacrificed their sacrosanct weekends to post the warning story.
Any regular reader would see that most of the stories abruptly stop at Beer O'Clock on Friday [4 p.m. roughly, depending on British Sunshine].
Due to the regular lack of stories over the weekend, I think the number of readers exposed would have been much less. If it had happened about this time [Monday morning London time] a lot more people would've been exposed.
Yeh right, and I'm the king of Persia and I ride a magic dragon to work every day. I have proof too, photos and stuff but I'm too lazy to post the links. I guess you'll just have to believe me.
All those moments will be lost in time, like tears in rain.
The class I'm referring to is the Datacentre Class.
All those hardworking infrastructure people who've managed not to be outsourced to the Cayman Islands.
All those admins who surf to TheRegister from their Win2k3 Advanced Server terminals IN the datacentre via their KVM.
Some SysAdmins don't, granted, but SOME do. When I was doing Unix work at Level3 and Colt, we did it all the time. It's a per company, per employee based decision as to whether it occurs.
These servers are much more likely to have gone unpatched due to availability/stability concerns.
So here you have important computers left on all the time, with ph@t bandwidth exposed. Not just some home win98 pIII over a 56K link.
A bit worrying.
There's not a single thing flamebait about this. Because MaelstromX said something you didn't like, you modded him down. Censorship at its finest.

Re:AdBlock is unethical (Score:-1, Flamebait) by MaelstromX (739241) on Sunday November 21, @08:02PM (#10884143)

Well you can keep attacking that straw man argument if you want but it has nothing to do with AdBlock. If a commercial web site operator knew that a user had AdBlock installed, they would NOT agree to the terms of that user accessing the website, not only wasting bandwidth but acquiring the content contained on the website (which costs money to produce). Their website, their rules. Nobody is forcing you to go, you can leave at any time -- or you can stay and use unethical methods to make your visit slightly more convenient. And all of you bitching about it being within your rights to view content how you want, blah blah blah, shut up already. I am addressing the ethical wrongness of AdBlock -- you are stealing bandwidth and content without also viewing the means for which the web site creates enough revenue for the web site to sustain itself.

-- As a side note, observe what happens when you go against slashbot groupthink: Due to excessive bad posting from this IP or Subnet, comment posting has temporarily been disabled. If it's you, consider this a chance to sit in the timeout corner.
Wheel in the sky keeps on turnin'.
Perhaps I would say stop surfing the net from the server, O Master of Secure Computing.
> No, the latest version for EVERYONE is IE6 SP2. If they're still using an older OS, that's tough shit for them.
Except for those that need Windows 2000 for other software they NEED for running their business, and those that need software that is incompatible with SP2 and..
> You can't say "Well the latest version of Windows is XP, but some people decided not to upgrade so the latest version for them is 2000." It just makes no sense.
Microsoft supports Windows 2000, people pay for that support, why the fuck should they have to pay yet again to get an incompatible OS?
You are not making a well thought out argument there, not to say you are being stupid.
A swift Google led me to this site.