Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers Exploit Adobe Flash Vulnerability In Yahoo Ads

Posted by Soulskill on from the go-big-or-go-home dept.

vivaoporto notes a report that a group of hackers have used online ad networks to distribute malware over several of Yahoo's websites. The attack began on Tuesday, July 28, and was shut down on Monday, August 3. It was targeted at Yahoo's sports, finance, gaming, and news-related sites. Security firm Malwarebytes says the hackers exploited a Flash vulnerability to redirect users to the Angler Exploit Kit. "Attacks on advertising networks have been on the rise ... researchers say. Hackers are able to use the advertising networks themselves, built for targeting specific demographics of Internet users, to find vulnerable machines. While Yahoo acknowledged the attack, the company said that it was not nearly as big as Malwarebytes had portrayed it to be."

77 comments

  1. So what? by Anonymous Coward · · Score: 0

    Is there still idiots with that plug-in installed on their computer?

    And if so, WHY?!

    1. Re:So what? by Anonymous Coward · · Score: 2, Informative

      Bullshit.

      youporn, pornhub, both work with HTML5.

      If your dedicated porn site still requires Flash, ditch it.

    2. Re:So what? by Cramer · · Score: 1

      VMware.

  2. Yahoo clueless damage control fluff by Anonymous Coward · · Score: 1

    Yahoo will not know how successful this attack was, since the traffic doesn't pass through their servers.

  3. Ads by 0123456 · · Score: 5, Informative

    Now tell me again why I shouldn't block ads...

    1. Re:Ads by Anonymous Coward · · Score: 0

      You should. And so should everyone. And when the economic response is more pay-for services, but no ads, the world will be a better place all around.

    2. Re:Ads by foradoxium · · Score: 5, Insightful

      or..They *could* use ads that don't need Flash, Javascript, shockwave, etc. It's just too damn easy for them.

      They could just use html, simple text for the ad. I notice the ad in my gmail, and it isn't some auto-playing dancing monkey with some overly loud god-aweful music.

    3. Re:Ads by Ash-Fox · · Score: 1

      Now tell me again why I shouldn't block non-flash ads...

      Fixed it for you.

      --
      Change is certain; progress is not obligatory.
    4. Re:Ads by Anonymous Coward · · Score: 0

      I don't want to watch ads. By blocking them I save them bandwidth. I'm really doing them a favor.

    5. Re:Ads by Anonymous Coward · · Score: 0

      Fixed? Leave it alone. You did more like this.

    6. Re:Ads by bmo · · Score: 1

      auto-playing dancing monkey

      "punch the monkey"

      Urgh.

      --
      BMO

    7. Re:Ads by DigiShaman · · Score: 1

      Yeah, it's how these fuckers spread CryptoWall 3.0!

      --
      Life is not for the lazy.
    8. Re: Ads by Anonymous Coward · · Score: 0

      Text ads slowing down your 2400 baud modem much?

    9. Re:Ads by Anonymous Coward · · Score: 0

      Fixing Cyptowall 3 was the biggest mistake I've made in a long time.

      Now everyone expects/demands full recovery. Such a pain in my ass.

    10. Re:Ads by Anonymous Coward · · Score: 0

      awful
      awesome

      see the difference?

    11. Re:Ads by Anonymous Coward · · Score: 0

      Indeed. We live in an age of advertising pollution. Reduce pollution, use an ad blocker.

  4. Best Time for Overreaction by Egg+Sniper · · Score: 5, Funny

    We need to ban ads immediately to protect ourselves from this threat. We cannot sit idly by any longer. Ads have been attacking our computers for too long. The time to act is now!

    1. Re:Best Time for Overreaction by Anonymous Coward · · Score: 0

      Why would killing ads be an overreaction? They're 99% deception anyway.

    2. Re:Best Time for Overreaction by Anonymous Coward · · Score: 0

      ads don't just attack your computer, they also attack your brain.

  5. This is not news by Anonymous Coward · · Score: 0

    I have known this for YEARS because I personally got hit by malware via Yahoo's ads using Adobe browser add-in products like Flash and Acrobat Reader which is why I have had them disabled for years.

    Serious, this has been going on for about 10 years and someone actually notices now?

    Does Yahoo even care? I do not think so. Yahoo Mail is the same way.

    1. Re:This is not news by mlts · · Score: 2

      I've been using ad-blocking extensions for 10+ years... I've found that blocking ads is a lot more useful than any AV program (barring Malwarebytes which actually blocks by IP) ever can do.

      Toss a VM/sandbox into the mix, and security is decent. Not 100%, but good enough to resist most attacks.

  6. +5 please by Anonymous Coward · · Score: 1, Insightful

    seriously all those who insist that ads must not be blocked have been evading the corresponding responsibility

    1. Re: +5 please by Anonymous Coward · · Score: 1

      If the argument to block ads were really a security issue, the. The default setting would be to only block Flash ads and allow text ads.

      And we all know it's not.

      Remind me why you're blocking text ads again?

    2. Re: +5 please by Anonymous Coward · · Score: 0

      Because they still make a 3rd party connection that will track you.
      Because I didn't ask for it.
      Because it was your choice to make your site a bandwidth hog?
      What happened to text only sites?
      Nobody told you running a website is free. Nobody told you ads would do anymore than off set the cost a little.
      Seriously, offer a few t shirts and you'll cover more bandwidth cost than ads ever would.

    3. Re: +5 please by Anonymous Coward · · Score: 0

      Oh please.

      Your sense of entitlement is ridiculous.

      You sir, clearly only get what you ask for, and apparently you asked for endless free content created by others for your pleasure.

      You are also clearly suffering from bandwidth-eating text ads on your 300 baud dial up connection on your Commodore 64. That extra 50 kilobytes daily is just too much.

      What happened to text-only sites? Written by whom? Run by whom? Do you get paid at work? Whatever happened to slaves?

      You seriously underestimate the number of full time bloggers, writers, photographers and editors who bring you your daily web content. But in your expectation-addled mind, they should all be highly productive volunteers who actually work somewhere else for money.

      I'm guessing you're a millennial with a public sector job?

    4. Re: +5 please by Anonymous Coward · · Score: 0

      The balls on this guy. A bunch of nonsense and fud is all I just read. Please do yourself a favor and skip his comment lol. Christ sakes I swear shills are the sewage of the Internet.

  7. Flash ... again by Thanatiel · · Score: 1

    That's not even funny anymore.
    I've got it disabled for a while now, but for a lot of people it's not an option.
    Let's get rid of it!

    --
    Irrelevant news and morons using moderation to mod down what they disagree on. 2018 resolution: so long.
    1. Re:Flash ... again by Anonymous Coward · · Score: 0

      That recent vulnerability in all Windows version? The one that could be exploited by embedding a modified font in a web page? A bug in a font rendering library written by Adobe. That company could not write solid code if their existence depended on it. Adobe software should be kept as far as possible from untrusted data.

    2. Re:Flash ... again by gstoddart · · Score: 0

      I have found if you truly need Flash (by which I mean work not cat videos) you keep IE around as your insecure browser you only use for crap required for your job. For everything else, use a browser which doesn't have Flash enabled.

      In no other circumstances should people be accessing the internet with Flash enabled for everything. Because that's just asking for it.

      I've had Flash disabled for over a decade, and except one or two sites a year for something required by HR, I've never found myself thinking "gee, I really miss Flash".

      Having Flash enabled by default is a self-inflicted injury I no longer feel any sympathy about. It's not like we haven't heard at least monthly for at least a decade about yet another Flash exploit.

      --
      Lost at C:>. Found at C.
    3. Re:Flash ... again by Anonymous Coward · · Score: 0

      The problem with using IE and Flash for your shit work is that IE with Flash is SO INCREDIBLY SLOW as to be unusable. Just as an extreme example, try loading some clickbait site with IE on Win7 (all updates), no adblock, and Flash enabled. I have a quad-core laptop and a nice gaming desktop and both choke on that.

    4. Re:Flash ... again by gstoddart · · Score: 0

      The problem with using IE and Flash for your shit work is that IE with Flash is SO INCREDIBLY SLOW as to be unusable. Just as an extreme example, try loading some clickbait site with IE

      If you're loading something you do not need for your job in IE with Flash enabled ... that's your damned problem.

      I said to keep IE for those sites you are required to use for your job, and use something with it disabled it for the rest.

      Whining about how slow Flash is for random sites means you bloody well deserve malware, because you haven't been paying attention to the fact that Flash has been a gaping security hole for around 15 years.

      If you're going to a click bait site with IE and Flash, you're begging to be compromised, and you'll have nobody but yourself to blame. Because you're pretty much doing the thing which is going to guarantee you get hacked.

      In my best Nelson voice I say to you "Ha ha!!".

      --
      Lost at C:>. Found at C.
    5. Re:Flash ... again by dywolf · · Score: 1

      seriously.
      after all these years how is there a new vulnerability every week??

      --
      The guy who said the election was rigged won the presidency with the second-most votes.
  8. Obviously Yahoo minimizes it... by fuzzyfuzzyfungus · · Score: 5, Insightful

    Aside from reflexive ass-covering, which is to be expected; Yahoo(and any of their ilk in the advertisement slinging business) have a fairly obvious incentive to deny the seriousness of the problem.

    Ad networks are a ghastly open sewer of shoddily vetted and frequently dangerous crap; usually served agonizingly slowly and heavy on Flash and scripts and crap. Even better, ads offer a nice way to hit a broad selection of users, across sites, and without needing to compromise specific operators or lure people into the seedy side of the internet where people stereotypically go to get unpleasant viruses.

    Even if you are one of the 'But advertising experiences enable the content economy, ad-blockers are immoral and killing businesses, etc.' people, what do you say about the sheer danger? Leaving ads unblocked is about as safe as letting sewage into your drinking water distribution system. That's a problem. Fix your ghastly excuse for a platform, so I could at least let my guard down without getting cyber-syphilis, and then maybe we can have a chat about whether ads are wonderful or not. Until that time, don't even bother.

    1. Re:Obviously Yahoo minimizes it... by Fire_Wraith · · Score: 4, Insightful

      It's not just the malicious crap, either.

      It's the insistence on basically hijacking the display with all kinds of ridiculous crap. I don't mind a reasonable banner ad across the top or down the side. When they started using flash, putting autoplay video/audio, waving popups and inserts that get in the way of what I'm doing... no, just no.

      Every so often I take a look at casual browsing without, just for comparison, usually when on someone else's computer. The amount of crap from ad traffic noticeably slows down page load times. In some cases I'd guess the ad traffic is actually larger than the pages I'm surfing, sometimes vastly moreso.

    2. Re:Obviously Yahoo minimizes it... by phantomfive · · Score: 1

      Ad networks are a ghastly open sewer of shoddily vetted and frequently dangerous crap; usually served agonizingly slowly and heavy on Flash and scripts and crap.

      When I have ad blocking on, the battery in my computer lasts five times longer than when I have it turned off. It's kind of insane.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:Obviously Yahoo minimizes it... by Anonymous Coward · · Score: 0

      Not to mention the dozens of third-party middlemen providing a long chain of anonymous non-accountability from ad creation to ultimate target, much like money laundering, or tor.

    4. Re: Obviously Yahoo minimizes it... by Anonymous Coward · · Score: 0

      I love Yahoo and worked for them for a number of years - but everything you've said is true, and they've never shown signs of changing. Considering this is their primary revenue stream it's outright suicidal not to fix this.

    5. Re: Obviously Yahoo minimizes it... by fuzzyfuzzyfungus · · Score: 1

      I don't think that it's Yahoo-exclusive by any means; even in online-advertising trade rags you see a lot of complaining about the shadiness of the various marketplaces and middlemen who sell ad placement on web properties too small or numerous to be interacted with personally; and an only modestly smaller volume of complaints about even some of the big, relatively respectable, players.

      In fairness to the ad flacks(you won't hear me say that one often); they are facing a task that is about as difficult as some combination of anti-spam and antivirus; but with the added complication that they get paid per 'message' received, so there isn't even a good alignment of incentives, as there is with anti-spam. The malicious ad users will try anything to sneak their ads into the system; and probably to avoid paying for them to be run, if they can help it; the middlemen have an incentive to serve ads to bots and then charge for those 'impressions'; and testing an ad for malice, especially if it employs zero days or cleverly pulls in external payload, is basically the same impossible problem that AV is.

      I can't say that I'm too sorry for them; just because I loath the advertising industry so much; but I cannot fairly accuse them of failing at an easy problem(because it isn't an easy problem); merely state that they have failed so profoundly that my concern for my own security now outweighs any 'is it ethical or not' questions so heavily as to make them irrelevant. At least on TV and in print media, ads are safe, if annoying; but on the web they are among the most dangerous vectors anyone who isn't either a porn/warez enthusiast or important enough for targeted attacks is exposed to.

      Heck, in my capacity as 'IT' at work, I would turn down a user who wanted to see the ads, simply because the risk is too hgih.

  9. Slow news day. by xenotransplant · · Score: 2

    Using windows is like leaving your door unlocked. Using flash is like having no walls.

  10. I love using chromebooks. by Anonymous Coward · · Score: 0

    I do 98% of everything on my chromebook now. I actually enjoy not worrying about executable code, etc.

  11. Friends don't let friends use Yahoo. by xxxJonBoyxxx · · Score: 5, Funny

    Friends don't let friends use Yahoo. Or Flash. Or ads.

  12. Flash for Flash's sake by Anonymous Coward · · Score: 0

    I work in marketing, on the digital/web side of things, I can tell you that in recent years I've seen zero indication that Flash based ads (or any animation, for that matter) out perform a static JPEG ad.

    If your ad looks good and is written well, people will pay attention to it. Forget potential security issues, the cost associated with producing Flash ads should be enough to stop using them.

  13. Business as usual by Sigma+7 · · Score: 1

    A new web-based exploit is known as "a Tuesday", in the same way that a boot sector virus is "a monday", and a .EXE virus is "a wednesday".

    A common thread of malware is that it uses whatever means to automatically execute without user interaction. Simply prevent stuff from automatically executing (NoScript, Flash block, or click-to-play), and the infection rate will become negligible - and perhaps more traceable in real-time.

  14. Just say no ... by gstoddart · · Score: 1

    You know what, stop telling us about Flash vulnerabilities ... when Flash hasn't been used in an exploit in several months, that will news worthy.

    In the mean time, I assume Flash is the same old piece of shit security hole it has been for as long as it has existed.

    Letting every web page execute arbitrary code on your machine has always been idiotic.

    I'm with you, I'll continue to treat all ads as hostile entities and gaping security holes. Javascript will require whitelisting only if I really want your site and trust it somewhat, and Flash will always be blocked, because it's never been something you can trust.

    Flash is defective, has always been defective, and it's time to make it go away.

    --
    Lost at C:>. Found at C.
    1. Re:Just say no ... by Anonymous Coward · · Score: 0

      You know what, stop telling us about Flash vulnerabilities ... when Flash hasn't been used in an exploit in several months

      Yep. *grin*

    2. Re:Just say no ... by Anonymous Coward · · Score: 0

      Letting every web page execute arbitrary code on your machine has always been idiotic

      Yeah, but what is code? HTML is code, CSS is code, JS is code.
      Anyway, make porn sites use HTML5, and I will drop Flash.

    3. Re: Just say no ... by Anonymous Coward · · Score: 0

      HTML is markup, not code. It's either plain English or an abbreviation in those tags. Maybe some numbers to set dimensions, but no executable code.
      Let me guess, you think ciphers are code too.

    4. Re:Just say no ... by Anonymous Coward · · Score: 0

      HTML and CSS don't execute, and parent post specifically said execute.

    5. Re:Just say no ... by Anonymous Coward · · Score: 0

      > "Letting every web page execute arbitrary code on your machine has always been idiotic."

      So you're one of those Neanderthals who blocks javascript and then whines about their web page not working?

  15. Security ahoy! by Anonymous Coward · · Score: 0

    Luckily those geniuses at the NSA didn't know about this or otherwise it could be reported. The NSA is supposed to look after our best interest.

    They are only human and they had two choices:
    1) Protect us, report it and let adobe fix it.
    2) Exploit it and keep quiet about it.

    Guess what they option they preferred...

  16. Bash it until it goes away by sjbe · · Score: 1

    You know what, stop telling us about Flash vulnerabilities ... when Flash hasn't been used in an exploit in several months, that will news worthy.

    I think the hope is that if we keep bashing Flash that eventually it will go away forever. We're almost there but some lazy/cheap websites still cannot be bothered to update and ban flash entirely. Frankly if Adobe were a responsible company they would simply abandon flash altogether and that might finally move things along but that's almost certainly a pipe dream.

    1. Re:Bash it until it goes away by Megane · · Score: 1

      The problem is if it goes away and gets replaced by something harder to block. Right now the Flash bottleneck is easy to control, even if it means I have to click to enable for a few things. If it gets replaced by something innate to browsers, rather than a plug-in, it could become harder to block.

      On the other hand, that bottleneck is also a bad thing, in that when it's not blocked, it's a common source of vulnerabilities that everyone has. In other words, a monoculture.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  17. Browser security by g7891107 · · Score: 1

    This event highlights - once again - the need for browsers to provide tighter control over scripts that are allowed to run. It is totally unacceptable that browsers in this day and age don't provide some sort of built-in mechanism to selectively permit or deny execution of remote code (no, "disable everything everywhere" doesn't count). Ideally, each "script" that requires external plugins (flash, java, ...), should be treated as dangerous, and should only be played on demand. Other scripts could be allowed in an opt-in basis, with the scripts from the "current" domain being allowed to run by default (presumably, if your navigate to a site, you trust it, right?). Yes, we need provisions to deal with CDNs and such, but this would be a good start.

  18. Infect a PC with this one simple trick... by Anonymous Coward · · Score: 0

    EOM

  19. Like we needed another reason to avoid Yahoo by HangingChad · · Score: 1

    Their front page has turned into a mud pit of ads, it's all content from other sites, I can't see any compelling reason to go there in the first place and then they become an attack vector.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
  20. disable flash! by Gravis+Zero · · Score: 1

    i said it before and i'll say it again.

    there are very few reasons to keep flash installed/enabled. if you must have it, use flashblock but chances are you can just disable/remove it completely. if some site still uses flash to play video, leave a complaint in the comments. those that haven't switched to html5 yet will do so soon enough.

    if you still have java plugin installed, you better have a good reason because no (sane) sites use that shit.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:disable flash! by Anonymous Coward · · Score: 0

      Came here just to say just that - JUST DISABLE IT!

      I've done so recently and pretty damn near everything that I use works exactly as before. The one thing that doesn't behave is Facebook - but it it claims it can't play the video and you absolutely positively must see it, you simply replace "www" in the link with "m" for mobile, and hey, presto!

  21. here's a radical idea by Thud457 · · Score: 1

    stop outsourcing your webads to third parties so you have control of what gets served to your visitors.

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

    1. Re:here's a radical idea by Anonymous Coward · · Score: 0

      "But, but, then we'd have to HIRE people to do it and my bonus would go down!" --Marissa

  22. yahoo & clinton scandals in news? by Anonymous Coward · · Score: 0

    tonight we're gonna party like it's 1999!

  23. And yet we're bad guys for using Ad blockers? by Anonymous Coward · · Score: 1

    Even if I did feel some moral compunction to let my eyeballs be smeared with ads (which I do not), why should I, when they're so freaking dangerous?

  24. Why not blocked? by Anonymous Coward · · Score: 0

    No, we are cows. MOOOOO.

    Why isn't there regex and IP blocking for these bots?

    1. Re: Why not blocked? by Anonymous Coward · · Score: 0

      They're Dice bots

    2. Re:Why not blocked? by Anonymous Coward · · Score: 0

      Why isn't there regex and IP blocking for these bots?

      Dice allocated all of their Slashdot budget to developing the "Share" button. Better luck with the next owners.

  25. de haxxorz by Anonymous Coward · · Score: 0

    r in de flash nao

  26. Yahoo Adobe Flash Malware .. by nickweller · · Score: 1

    "For seven days, hackers used Yahoo’s ad network to send malicious bits of code to computers that visit Yahoo’s collection of heavily trafficked websites, the company said on Monday."

    Would these be 'computers' be running Microsoft Windows ..

    "When a computer — in this case, one running Windows — visited a Yahoo site, it downloaded malware code."

    Yes it does !

    "As with the previous reported cases this one also leverages Microsoft Azure websites" ref

  27. New Adobe Ads by ChadSmith4920 · · Score: 2

    All of the ads say 'Activate Adobe Flash'

  28. But, but... by GPS+Pilot · · Score: 1

    I've installed 167 Flash updates, each one of them claiming to provide better security... there can't possibly be any vulnerabilities left in Flash!

    --
    That that is is that that that that is not is not.
  29. Re:Flash vulnerabilities are for ducks. by Ol+Olsoc · · Score: 1

    You are all ducks. Ducks say quack. QUACKKKKKK! QUACKKKKKK! Quack ducks quack! Quack say the ducks. YOU DUCKS!!

    Swedish ones say KVACK!

    oops - did I just have a Sum Ting Wong moment?

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  30. Best way to block ads & other online threats? by Anonymous Coward · · Score: 0

    APK Hosts File Engine 9.0++ SR-2 32/64-bit http://start64.com/index.php?o...

    FREE & adds speed, security, + reliability, doing more with less, more efficiently vs. browser addons & locally installed DNS servers @ home + fixes DNS' redirect security issues - obtaining its data vs. online threats & adbanner blocking from 10 reputable sites in the security community!

    * :)

    MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus per this VERY recent testing of them all http://www.av-test.org/en/news...

    &

    It's GUARANTEED safe & clean per it being checked by 57 antivirus programs recently in BOTH its 64-bit model https://www.virustotal.com/en/...

    +

    In its 32-bit model also https://www.virustotal.com/en/...

    ---

    "The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend"...

    APK

    P.S.=> By "yours truly" - "The Lord of Hosts" so-to-speak:

    PERTINENT QUOTE/EXCERPT:

    "The image this title brings to mind is of a mighty military commander, one who can at a mere word summon rank upon rank of protective power" from https://answers.yahoo.com/ques... & THAT WORD = hosts!

    (Accept NO substitutes!)

    ...apk