Slashdot Mirror


Hackers Exploit Adobe Flash Vulnerability In Yahoo Ads

vivaoporto notes a report that a group of hackers have used online ad networks to distribute malware over several of Yahoo's websites. The attack began on Tuesday, July 28, and was shut down on Monday, August 3. It was targeted at Yahoo's sports, finance, gaming, and news-related sites. Security firm Malwarebytes says the hackers exploited a Flash vulnerability to redirect users to the Angler Exploit Kit. "Attacks on advertising networks have been on the rise ... researchers say. Hackers are able to use the advertising networks themselves, built for targeting specific demographics of Internet users, to find vulnerable machines. While Yahoo acknowledged the attack, the company said that it was not nearly as big as Malwarebytes had portrayed it to be."


  1. Yahoo clueless damage control fluff by Anonymous Coward · · Score: 1

    Yahoo will not know how successful this attack was, since the traffic doesn't pass through their servers.

  2. Ads by 0123456 · · Score: 5, Informative

    Now tell me again why I shouldn't block ads...

    1. Re:Ads by foradoxium · · Score: 5, Insightful

      or..They *could* use ads that don't need Flash, Javascript, shockwave, etc. It's just too damn easy for them.

      They could just use html, simple text for the ad. I notice the ad in my gmail, and it isn't some auto-playing dancing monkey with some overly loud god-awful music.

    2. Re:Ads by Ash-Fox · · Score: 1

      Now tell me again why I shouldn't block non-flash ads...

      Fixed it for you.

      --
      Change is certain; progress is not obligatory.
    3. Re:Ads by bmo · · Score: 1

      auto-playing dancing monkey

      "punch the monkey"

      Urgh.

      --
      BMO

    4. Re:Ads by DigiShaman · · Score: 1

      Yeah, it's how these fuckers spread CryptoWall 3.0!

      --
      Life is not for the lazy.
  3. Best Time for Overreaction by Egg+Sniper · · Score: 5, Funny

    We need to ban ads immediately to protect ourselves from this threat. We cannot sit idly by any longer. Ads have been attacking our computers for too long. The time to act is now!

  4. +5 please by Anonymous Coward · · Score: 1, Insightful

    seriously all those who insist that ads must not be blocked have been evading the corresponding responsibility

    1. Re: +5 please by Anonymous Coward · · Score: 1

      If the argument to block ads were really a security issue, then the default setting would be to only block Flash ads and allow text ads.

      And we all know it's not.

      Remind me why you're blocking text ads again?

  5. Flash ... again by Thanatiel · · Score: 1

    That's not even funny anymore.
    I've got it disabled for a while now, but for a lot of people it's not an option.
    Let's get rid of it!

    --
    Irrelevant news and morons using moderation to mod down what they disagree on. 2018 resolution: so long.
    1. Re:Flash ... again by dywolf · · Score: 1

      seriously.
      after all these years how is there a new vulnerability every week??

      --
      The guy who said the election was rigged won the presidency with the second-most votes.
  6. Obviously Yahoo minimizes it... by fuzzyfuzzyfungus · · Score: 5, Insightful

    Aside from reflexive ass-covering, which is to be expected; Yahoo(and any of their ilk in the advertisement slinging business) have a fairly obvious incentive to deny the seriousness of the problem.

    Ad networks are a ghastly open sewer of shoddily vetted and frequently dangerous crap; usually served agonizingly slowly and heavy on Flash and scripts and crap. Even better, ads offer a nice way to hit a broad selection of users, across sites, and without needing to compromise specific operators or lure people into the seedy side of the internet where people stereotypically go to get unpleasant viruses.

    Even if you are one of the 'But advertising experiences enable the content economy, ad-blockers are immoral and killing businesses, etc.' people, what do you say about the sheer danger? Leaving ads unblocked is about as safe as letting sewage into your drinking water distribution system. That's a problem. Fix your ghastly excuse for a platform, so I could at least let my guard down without getting cyber-syphilis, and then maybe we can have a chat about whether ads are wonderful or not. Until that time, don't even bother.

    1. Re:Obviously Yahoo minimizes it... by Fire_Wraith · · Score: 4, Insightful

      It's not just the malicious crap, either.

      It's the insistence on basically hijacking the display with all kinds of ridiculous crap. I don't mind a reasonable banner ad across the top or down the side. When they started using flash, putting autoplay video/audio, waving popups and inserts that get in the way of what I'm doing... no, just no.

      Every so often I take a look at casual browsing without, just for comparison, usually when on someone else's computer. The amount of crap from ad traffic noticeably slows down page load times. In some cases I'd guess the ad traffic is actually larger than the pages I'm surfing, sometimes vastly more so.

    2. Re:Obviously Yahoo minimizes it... by phantomfive · · Score: 1

      Ad networks are a ghastly open sewer of shoddily vetted and frequently dangerous crap; usually served agonizingly slowly and heavy on Flash and scripts and crap.

      When I have ad blocking on, the battery in my computer lasts five times longer than when I have it turned off. It's kind of insane.

      --
      "First they came for the slanderers and i said nothing."
    3. Re: Obviously Yahoo minimizes it... by fuzzyfuzzyfungus · · Score: 1

      I don't think that it's Yahoo-exclusive by any means; even in online-advertising trade rags you see a lot of complaining about the shadiness of the various marketplaces and middlemen who sell ad placement on web properties too small or numerous to be interacted with personally; and an only modestly smaller volume of complaints about even some of the big, relatively respectable, players.

      In fairness to the ad flacks(you won't hear me say that one often); they are facing a task that is about as difficult as some combination of anti-spam and antivirus; but with the added complication that they get paid per 'message' received, so there isn't even a good alignment of incentives, as there is with anti-spam. The malicious ad users will try anything to sneak their ads into the system; and probably to avoid paying for them to be run, if they can help it; the middlemen have an incentive to serve ads to bots and then charge for those 'impressions'; and testing an ad for malice, especially if it employs zero days or cleverly pulls in external payload, is basically the same impossible problem that AV is.

      I can't say that I'm too sorry for them; just because I loathe the advertising industry so much; but I cannot fairly accuse them of failing at an easy problem(because it isn't an easy problem); merely state that they have failed so profoundly that my concern for my own security now outweighs any 'is it ethical or not' questions so heavily as to make them irrelevant. At least on TV and in print media, ads are safe, if annoying; but on the web they are among the most dangerous vectors anyone who isn't either a porn/warez enthusiast or important enough for targeted attacks is exposed to.

      Heck, in my capacity as 'IT' at work, I would turn down a user who wanted to see the ads, simply because the risk is too high.

  7. Slow news day. by xenotransplant · · Score: 2

    Using windows is like leaving your door unlocked. Using flash is like having no walls.

  8. Friends don't let friends use Yahoo. by xxxJonBoyxxx · · Score: 5, Funny

    Friends don't let friends use Yahoo. Or Flash. Or ads.

  9. Business as usual by Sigma+7 · · Score: 1

    A new web-based exploit is known as "a Tuesday", in the same way that a boot sector virus is "a monday", and a .EXE virus is "a wednesday".

    A common thread of malware is that it uses whatever means to automatically execute without user interaction. Simply prevent stuff from automatically executing (NoScript, Flash block, or click-to-play), and the infection rate will become negligible - and perhaps more traceable in real-time.

  10. Just say no ... by gstoddart · · Score: 1

    You know what, stop telling us about Flash vulnerabilities ... when Flash hasn't been used in an exploit in several months, that will be newsworthy.

    In the meantime, I assume Flash is the same old piece of shit security hole it has been for as long as it has existed.

    Letting every web page execute arbitrary code on your machine has always been idiotic.

    I'm with you, I'll continue to treat all ads as hostile entities and gaping security holes. Javascript will require whitelisting only if I really want your site and trust it somewhat, and Flash will always be blocked, because it's never been something you can trust.

    Flash is defective, has always been defective, and it's time to make it go away.

    --
    Lost at C:>. Found at C.
  11. Re:This is not news by mlts · · Score: 2

    I've been using ad-blocking extensions for 10+ years... I've found that blocking ads is a lot more useful than any AV program (barring Malwarebytes which actually blocks by IP) ever can do.

    Toss a VM/sandbox into the mix, and security is decent. Not 100%, but good enough to resist most attacks.

  12. Bash it until it goes away by sjbe · · Score: 1

    You know what, stop telling us about Flash vulnerabilities ... when Flash hasn't been used in an exploit in several months, that will be newsworthy.

    I think the hope is that if we keep bashing Flash that eventually it will go away forever. We're almost there but some lazy/cheap websites still cannot be bothered to update and ban flash entirely. Frankly if Adobe were a responsible company they would simply abandon flash altogether and that might finally move things along but that's almost certainly a pipe dream.

    1. Re:Bash it until it goes away by Megane · · Score: 1

      The problem is if it goes away and gets replaced by something harder to block. Right now the Flash bottleneck is easy to control, even if it means I have to click to enable for a few things. If it gets replaced by something innate to browsers, rather than a plug-in, it could become harder to block.

      On the other hand, that bottleneck is also a bad thing, in that when it's not blocked, it's a common source of vulnerabilities that everyone has. In other words, a monoculture.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  13. Browser security by g7891107 · · Score: 1

    This event highlights - once again - the need for browsers to provide tighter control over scripts that are allowed to run. It is totally unacceptable that browsers in this day and age don't provide some sort of built-in mechanism to selectively permit or deny execution of remote code (no, "disable everything everywhere" doesn't count). Ideally, each "script" that requires external plugins (flash, java, ...), should be treated as dangerous, and should only be played on demand. Other scripts could be allowed on an opt-in basis, with the scripts from the "current" domain being allowed to run by default (presumably, if you navigate to a site, you trust it, right?). Yes, we need provisions to deal with CDNs and such, but this would be a good start.

  14. Like we needed another reason to avoid Yahoo by HangingChad · · Score: 1

    Their front page has turned into a mud pit of ads, it's all content from other sites, I can't see any compelling reason to go there in the first place and then they become an attack vector.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
  15. disable flash! by Gravis+Zero · · Score: 1

    i said it before and i'll say it again.

    there are very few reasons to keep flash installed/enabled. if you must have it, use flashblock but chances are you can just disable/remove it completely. if some site still uses flash to play video, leave a complaint in the comments. those that haven't switched to html5 yet will do so soon enough.

    if you still have java plugin installed, you better have a good reason because no (sane) sites use that shit.

    --
    Anons need not reply. Questions end with a question mark.
  16. here's a radical idea by Thud457 · · Score: 1

    stop outsourcing your webads to third parties so you have control of what gets served to your visitors.

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  17. And yet we're bad guys for using Ad blockers? by Anonymous Coward · · Score: 1

    Even if I did feel some moral compunction to let my eyeballs be smeared with ads (which I do not), why should I, when they're so freaking dangerous?

  18. Re:So what? by Anonymous Coward · · Score: 2, Informative

    Bullshit.

    youporn, pornhub, both work with HTML5.

    If your dedicated porn site still requires Flash, ditch it.

  19. Yahoo Adobe Flash Malware .. by nickweller · · Score: 1

    "For seven days, hackers used Yahoo’s ad network to send malicious bits of code to computers that visit Yahoo’s collection of heavily trafficked websites, the company said on Monday."

    Would these 'computers' be running Microsoft Windows ..

    "When a computer — in this case, one running Windows — visited a Yahoo site, it downloaded malware code."

    Yes it does !

    "As with the previous reported cases this one also leverages Microsoft Azure websites" ref

  20. New Adobe Ads by ChadSmith4920 · · Score: 2

    All of the ads say 'Activate Adobe Flash'

  21. Re:So what? by Cramer · · Score: 1

    VMware.

  22. But, but... by GPS+Pilot · · Score: 1

    I've installed 167 Flash updates, each one of them claiming to provide better security... there can't possibly be any vulnerabilities left in Flash!

    --
    That that is is that that that that is not is not.
  23. Re:Flash vulnerabilities are for ducks. by Ol+Olsoc · · Score: 1

    You are all ducks. Ducks say quack. QUACKKKKKK! QUACKKKKKK! Quack ducks quack! Quack say the ducks. YOU DUCKS!!

    Swedish ones say KVACK!

    oops - did I just have a Sum Ting Wong moment?

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.