Yahoo Advertising Serves Up Malware For Thousands

samzenpus posted about 8 months ago | from the have-some dept.

Advertising 184

wjcofkc writes "Thousands of users have been affected by malicious advertisements served by ads.yahoo.com. The attack, which lasted several days, exploited vulnerabilities in Java and installed malware. The Netherlands-based Fox-IT estimates that the infection rate was at about 27,000 infections per hour. In response to the breach in security, Yahoo issued the following statement, 'At Yahoo, we take the safety and privacy of our users seriously. We recently identified an ad designed to spread malware to some of our users. We immediately removed it and will continue to monitor and block any ads being used for this activity.' While the source of the attack remains unknown, Fox-IT says it appears to be 'financially motivated.' The Washington Post cites this incident as a reminder that Java has become an Internet security menace."

184 comments

Become? (5, Insightful)

gstoddart (321705) | about 8 months ago | (#45870959)

The Washington Post cites this incident as a reminder that Java has become an Internet security menace.

As far as I've been concerned, Java and Javascript have both always been security menaces.

Letting web-sites and advertisers execute code has been a recipe for problems for a long time, which is why many of us here likely already block it.

This is just another example of why we can't trust the companies doing the advertising, because they're part of the problem -- if Yahoo is serving malware, Yahoo can't be trusted.

Re:Become? (4, Insightful)

Nerdfest (867930) | about 8 months ago | (#45871079)

Java as a language is pretty much as secure as any other. Allowing it to run arbitrary code as 'applets' by default is a huge problem as the sandboxing seems quite poor.

Re:Become? (4, Insightful)

gstoddart (321705) | about 8 months ago | (#45871165)

Java as a language is pretty much as secure as any other.

In the abstract, as a standalone app, sure.

But on the web? No bloody way. Certainly not by default -- because it's always been a vector for annoying crap and malware.

Re:Become? (4, Insightful)

Nerdfest (867930) | about 8 months ago | (#45871203)

Any other language deployed the same way would offer a very similar attack surface. Simply put, it's the new ActiveX.

Re:Become? (4, Informative)

gstoddart (321705) | about 8 months ago | (#45871315)

Yup, didn't trust that either.

NoScript, AdBlockPlus, Ghostery, ScriptSafe, and everything else you can find to keep the crap at bay is the only safe way to use the internet these days.

Between advertising companies who feel entitled to your data, and all of the crap on the internet ... leaving that stuff on by default is just asking for problems.

Re:Become? (4, Interesting)

Nerdfest (867930) | about 8 months ago | (#45871353)

RequestPolicy for Firefox is great as well.

Re:Become? (4, Funny)

ColdWetDog (752185) | about 8 months ago | (#45872217)

Those blank white screens are refreshingly calm.

Re:Become? (2)

Arker (91948) | about 8 months ago | (#45872389)

I know, this is how I do it too, but doesn't it strike you as a little crazy to have to install all these *extensions* - not to add optional functionality, but to disable all this insanity that should never have been enabled by default to begin with?

Web browsers should ship with support for the web (that means HTML, semantic markup, period) and extensions should be used to add to that, rather than by default supporting every piece of nonsense any adware/spyware/malware pusher might ever want to use, and then having extensions to try and turn that off after the fact.

Re:Become? (0)

Anonymous Coward | about 8 months ago | (#45872465)

Advertising companies do not 'feel entitled to your data'. The sites you visit feel entitled to give your information away to the highest bidder - in exchange for the free use of the site. Advertisers and ad networks are not the problem, the policies of the sites you visit are the problem. The data your browser sends to the sites you visit is available to the highest bidder, some of the data is available to all possible bidders.

I can safely assume that you do not like my post. Want the third party advertising networks that track you to go away? Then start paying for all of the sites you visit - give the site operators a way to make money that does not involve contracting with Advertisers or ad networks.

You get paid a salary or hourly wage or contract rate because someone values your work. At the same time, you expect web sites to be free. How do you propose that the folks that produce those sites get paid, paid just like you are for your work?

I use ad and script blockers too but I don't blame the advertisers for needing it, I blame the sites that sold me out.

Re:Become? (0)

Anonymous Coward | about 8 months ago | (#45872571)

That's exactly what GP meant by the following:

Allowing it to run arbitrary code as 'applets' by default is a huge problem as the sandboxing seems quite poor.

Re:Become? (1)

afgam28 (48611) | about 8 months ago | (#45873419)

"In the abstract"?! In what world do you live where standalone, server-side Java and Android apps are rare?

In the abstract, Java applets are a problem, sure. But by far most Java code runs on servers and on Android devices and there isn't as much of a problem with poor sandboxing in those environments.

Re:Become? (-1)

Anonymous Coward | about 8 months ago | (#45871087)

yeees, and neither can Google.

Don't be a plank you moron, this was not Yahoo serving the malware, but an advertiser via yahoo.

oh oh, I forgot, Google can do no evil

for fuck sakes man, catch a wake up and wipe that koolaid drool off your chin.

Re:Become? (0)

gstoddart (321705) | about 8 months ago | (#45871143)

oh oh, I forgot, Google can do no evil

No, you're a fucking idiot.

The story is about Yahoo, so that is who I mentioned. I don't trust Google either (or any other advertiser for that matter).

Just because an advertiser accepts money to serve ads, doesn't mean I have any trust in the people actually serving the ads, and I sure as hell don't let them run scripts. Not ever.

Re:Become? (0)

Anonymous Coward | about 8 months ago | (#45871237)

A tag to disable active content was proposed more than ten years ago. http://lists.w3.org/Archives/Public/www-html/2002May/0021.html [w3.org]

Mozilla proposed CSP some years later: https://wiki.mozilla.org/index.php?title=Security/CSP/Spec&oldid=133465 [mozilla.org]

If this sort of thing was widely implemented this malware thing might have been easily blocked - apparently the malware ads didn't require the victim to click! And many of those XSS worms in the past might not have spread.

But nobody really cares about security.
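How a policy of the kind the comment above links to constrains third-party ad content, as an added example that is not part of the original post. It uses the directive names of the standardised Content-Security-Policy header, which may differ from the linked draft; the hostnames and policy strings are constructed, and the matcher is simplified (ports and paths are ignored, a scheme-less host matches any scheme).

```python
from urllib.parse import urlsplit

# Constructed sample values (not from the incident).
PAGE = "https://portal.example"
AD_URL = "https://ads.adnetwork.example/creative"
HARDENED_POLICY = (
    "default-src 'self'; "
    "img-src 'self' https://ads.adnetwork.example; "
    "object-src 'none'; frame-src 'none'"
)
# frame-src falls back to child-src before default-src; the other fetch
# directives used here fall back straight to default-src.
FALLBACKS = {"frame-src": ["child-src", "default-src"]}


def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:  # first occurrence wins
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(source, url, page_origin):
    """Simplified source-expression match for one URL."""
    target = urlsplit(url)
    src = source.lower()
    if src == "'self'":
        page = urlsplit(page_origin)
        return (target.scheme, target.netloc.lower()) == (page.scheme, page.netloc.lower())
    if src == "*":
        return target.scheme in ("http", "https")
    if src.endswith(":"):            # scheme source such as https:
        return target.scheme == src[:-1]
    if src.startswith("'"):          # 'none' and other keywords match no URL
        return False
    scheme, _, host = src.rpartition("://")
    host = host.split("/")[0].split(":")[0]
    if scheme and target.scheme != scheme:
        return False
    name = target.hostname or ""
    if host.startswith("*."):        # wildcard covers subdomains only
        return name.endswith(host[1:])
    return name == host


def is_load_allowed(header, directive, url, page_origin):
    """Would a browser enforcing `header` fetch `url` for this directive?"""
    policy = parse_csp(header)
    for name in [directive] + FALLBACKS.get(directive, ["default-src"]):
        if name in policy:
            return any(source_matches(s, url, page_origin) for s in policy[name])
    return True  # no applicable directive: the load is unrestricted


def audit(header):
    """Report which kinds of content the ad host may inject under `header`."""
    kinds = {"plugin": "object-src", "script": "script-src",
             "frame": "frame-src", "image": "img-src"}
    return {kind: is_load_allowed(header, directive, AD_URL, PAGE)
            for kind, directive in kinds.items()}


if __name__ == "__main__":
    for label, header in (("no policy", ""), ("default-src *", "default-src *"),
                          ("hardened", HARDENED_POLICY)):
        print(label, audit(header))
```

Under the hardened policy the ad host can still deliver an image, which is the only thing a display ad needs, while plugin, script and frame loads from it are refused without any user interaction.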

Re:Become? (2)

Z00L00K (682162) | about 8 months ago | (#45871897)

Almost all ads are malicious in one way or another. If they don't carry bad stuff to your computer you can be misled to click on them and $DIETY knows where you end up sometimes. If nothing else they burn a lot of CPU ticks and make your computer consume more power.

Re:Become? (2, Funny)

Anonymous Coward | about 8 months ago | (#45872905)

Almost all ads are malicious in one way or another.

They may even trick you into buying stuff you don't need.

Re:Become? (1)

Lennie (16154) | about 8 months ago | (#45872481)

Java exploits, sure. Or plugins in general really.

But Javascript? How many Javascript exploits have you seen that infect the browser or the host?

I do see Javascript being used to 'deliver' or 'bootstrap' many exploits though.

Re:Become? (0)

Anonymous Coward | about 8 months ago | (#45873167)

I remember at least one notable instance: TOR Browser bundle's Firefox had an unpatched JS vulnerability allowing arbitrary code execution.

It was used at least once, to make all Freedom Hosting hosted sites serve a piece of code to ping back to FBI from visitors' real IP addresses. Google for "freedom hosting takedown" for more details.

Re:Become? (2)

hairyfeet (841228) | about 8 months ago | (#45873225)

They can bitch about "Waaah how can we make money on our websites, waah" but since I started making adblock plus mandatory? The rate of customers bringing PCs back infected has dropped right off the map.

I USED to allow websites who asked nicely to have an exception but I found they abused the goodwill every. single. time. without fail. I consider an ad to be unacceptable if 1.- It's served by flash, too many zero days for flash to allow it as a delivery vehicle. 2.- No Java, see rule 1. 3.- NO THIRD PARTIES, this is a sticking point for some but it really comes down to responsibility. If you use some fly by night third party you can pass the blame and in reality you have no damned clue from minute to minute what is even running on your site when you give space to third parties. YOU might tell your readers "Oh we won't use flash or java for ads" but do you think the third party will care about your pledge? Not a chance.

Until sites come up with a way to serve ads without cranking up the risk to my customers? they can fuck right off. Your "right" to make a living off your dumb ass blog does NOT trump my customers' right to have a virus free PC and considering what a nightmare ID theft is I feel zero guilt for blocking your malware spewing third party flash crap. Even Ars Technica, who made a big deal about begging and making their case for unblocking....what did they do with 3 days of me unblocking? they broke rules 1 and 3, showing their ads to be just as dangerous as anybody else. So there will be no exceptions and I'll be happily spreading ABP to everyone who brings a PC through my door.

The usual platitudes and bullshyte promises (3)

stevez67 (2374822) | about 8 months ago | (#45870963)

They'll continue to monitor, as in do something about a malicious ad once someone else identifies it and spreads the word.

Slashdot Serves Up Epic Fail Beta (3, Funny)

Anonymous Coward | about 8 months ago | (#45870965)

Hey samzenpus, you better have another job lined up.

Netcraft confirms http://beta.slashdot.org is dying!

Re: Slashdot Serves Up Epic Fail Beta (3)

Anonymous Coward | about 8 months ago | (#45871113)

It does seem to be dying. I used to come on here several times a day. Now I might come by once a week. Mostly hoping the old site would reappear. Sad watching a once great site die.

Re: Slashdot Serves Up Epic Fail Beta (1)

Nerdfest (867930) | about 8 months ago | (#45871727)

I just had a look at it. It doesn't look awful, but continues the same mistake made with other attempts, in that it has *way* the hell too much white space.

Re: Slashdot Serves Up Epic Fail Beta (1)

Anonymous Coward | about 8 months ago | (#45872231)

Don't you know you're not supposed to use a PC on the net any more? It's strictly for tablets and phones -- tiny screens, most options removed, no keyboard support. Get out of the stone age and stop being productive!

Re:Slashdot Serves Up Epic Fail Beta (2)

Kimomaru (2579489) | about 8 months ago | (#45872695)

It looks fine, but it's too fancy for my taste. Personally, when someone tries to doll up a site to make it prettier, it always kind of irks me. It feels like it's losing its quality, so they have to compensate by making it prettier. I'm sure that's not the case here, but let's drop this redesign stuff. Unless you make it easier to navigate with a text-based browser.

Image/text only ads (5, Insightful)

El_Muerte_TDS (592157) | about 8 months ago | (#45870991)

This wouldn't be an issue if they could only serve image or text only ads. Possible image based exploits can easily be prevented by re-saving the uploaded image so that the image only contains valid content.

But no, ad farms want to provide functionality to reach maximum annoyance for the users. You can blame Java all you want, but it's not the source of this problem.
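The re-saving step suggested in the comment above, as an added example that is not part of the original post. It assumes PNG uploads and uses only the Python standard library; the function names and the sample upload are constructed here, and interlaced images are refused to keep the size check simple.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Channels per PNG colour type, and the bit depths each colour type allows.
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}
DEPTHS = {0: {1, 2, 4, 8, 16}, 2: {8, 16}, 3: {1, 2, 4, 8}, 4: {8, 16}, 6: {8, 16}}


class RejectedImage(ValueError):
    """The upload is not a structurally valid PNG and must not be served."""


def make_chunk(ctype, data):
    """Serialise one chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def read_chunks(blob):
    """Return [(type, data), ...] up to IEND, checking every length and CRC."""
    if not blob.startswith(PNG_SIGNATURE):
        raise RejectedImage("missing PNG signature")
    chunks, pos = [], len(PNG_SIGNATURE)
    while True:
        if pos + 12 > len(blob):
            raise RejectedImage("truncated file (no IEND)")
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            raise RejectedImage("chunk length runs past end of file")
        data = blob[pos + 8:end - 4]
        stored_crc = struct.unpack(">I", blob[end - 4:end])[0]
        if stored_crc != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            raise RejectedImage("CRC mismatch")
        chunks.append((ctype, data))
        if ctype == b"IEND":
            return chunks  # bytes after IEND are never read
        pos = end


def resave_png(blob, max_pixels=4_000_000):
    """Rebuild a PNG from validated parts only; raise RejectedImage otherwise."""
    chunks = read_chunks(blob)
    if chunks[0][0] != b"IHDR" or len(chunks[0][1]) != 13:
        raise RejectedImage("first chunk is not a valid IHDR")
    ihdr = chunks[0][1]
    width, height, depth, colour, comp, filt, interlace = struct.unpack(">IIBBBBB", ihdr)
    if colour not in CHANNELS or depth not in DEPTHS[colour] or comp or filt:
        raise RejectedImage("unsupported IHDR fields")
    if interlace:
        raise RejectedImage("interlaced PNGs are refused in this example")
    if not (width > 0 and height > 0 and width * height <= max_pixels):
        raise RejectedImage("bad dimensions")
    row_bytes = (width * CHANNELS[colour] * depth + 7) // 8
    expected = height * (row_bytes + 1)  # +1: filter-type byte per scanline

    # Inflate the concatenated IDAT stream with a hard cap on the output size.
    idat = b"".join(d for t, d in chunks if t == b"IDAT")
    inflater = zlib.decompressobj()
    try:
        raw = inflater.decompress(idat, expected + 1)
    except zlib.error as exc:
        raise RejectedImage("corrupt IDAT stream") from exc
    if len(raw) != expected or not inflater.eof:
        raise RejectedImage("pixel data does not match IHDR")
    if any(raw[i] > 4 for i in range(0, expected, row_bytes + 1)):
        raise RejectedImage("invalid scanline filter type")

    # Palette and transparency are needed to render the image; text, ICC,
    # EXIF and private chunks are not, so they are simply not copied.
    out = [PNG_SIGNATURE, make_chunk(b"IHDR", ihdr)]
    for wanted in (b"PLTE", b"tRNS"):
        match = next((d for t, d in chunks if t == wanted), None)
        if match is not None:
            out.append(make_chunk(wanted, match))
    out.append(make_chunk(b"IDAT", zlib.compress(raw, 9)))
    out.append(make_chunk(b"IEND", b""))
    return b"".join(out)


def build_sample_upload():
    """Constructed input: a 2x2 RGB PNG with a tEXt chunk and trailing bytes."""
    ihdr = struct.pack(">IIBBBBB", 2, 2, 8, 2, 0, 0, 0)
    rows = b"\x00" + b"\xff\x00\x00" * 2 + b"\x00" + b"\x00\x00\xff" * 2
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"tEXt", b"Comment\x00<constructed non-image payload>")
            + make_chunk(b"IDAT", zlib.compress(rows))
            + make_chunk(b"IEND", b"") + b"CONSTRUCTED-TRAILING-BYTES")


if __name__ == "__main__":
    sample = build_sample_upload()
    clean = resave_png(sample)
    print([t for t, _ in read_chunks(sample)], "->", [t for t, _ in read_chunks(clean)])
```

This checks container structure only; the re-saved file is still handed to the browser's image decoder, so it narrows what an uploaded ad can carry without replacing decoder patching.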

Re:Image/text only ads (4, Insightful)

Anonymous Coward | about 8 months ago | (#45871211)

Indeed, the ad ops teams that "screen" these ads can't read code, and even if they could, the code in the ad tags is "minified" JS and they just can't logistically read each ad tag because of the sheer number of ads they need to run each day/week.

If Java didn't exist, nor Flash or Acrobat, these criminals would STILL be using the ad networks to compromise the browser itself. That's not to say the plugin model is a good one, but it's important to focus on the real problem.

This is true for all websites too. I suspect the WashPo uses the same ad ops standards Yahoo does, same as Slashdot, same as everyone. It's ad networks running arbitrary, 3rd-party, unknown code on users machines that's really fucking dangerous.

Re:Image/text only ads (0)

Anonymous Coward | about 8 months ago | (#45873045)

In my experience working with two teams, a small fraction of ad ops people can read and understand javascript. That same fraction applied to the subset of ad ops folks could actually identify malicious activity in the javascript. And 0 of them would attempt to fix it in any case, as opposed to reporting it to the ad service. Granted I have not seen ad ops identify javascript based ad-driven malware, so I can't actually guess at that approximately.

Re:Image/text only ads (3, Interesting)

SpaceLifeForm (228190) | about 8 months ago | (#45871641)

Ask yourself this: How many ad farms are really NSA operations?

Re:Image/text only ads (3, Interesting)

digitalaudiorock (1130835) | about 8 months ago | (#45871721)

I use NoScript all the time. Just recently...the last few weeks actually...I started noticing that a number of things on yahoo finance just plain stopped working because they required javascript from yimg.com...as if I'm going to allow that...ffs.

Source Unknown? (5, Interesting)

Anonymous Coward | about 8 months ago | (#45870995)

Source unknown? Bullshit! Yahoo didn't run the ads without payment. Payment == traceable. Or is Yahoo accepting Bitcoins now?

Re:Source Unknown? (2)

KingOfBLASH (620432) | about 8 months ago | (#45871021)

No they're just going to blame the NSA for being malicious hackers, and skip over taking any sort of responsibility for the situation.

Re:Source Unknown? (2)

hawguy (1600213) | about 8 months ago | (#45871509)

Source unknown? Bullshit! Yahoo didn't run the ads without payment. Payment == traceable. Or is Yahoo accepting Bitcoins now?

Unless, of course, payment==stolen credit card number.

Re:Source Unknown? (0)

Anonymous Coward | about 8 months ago | (#45872533)

Actually, you are wrong. There is tons of reselling going on and every entity in the chain has plausible deniability. Also, the payments are not instant but aggregated each month. I'm sure yahoo serves billions of ads a month, even a big malware incident like this is a small fraction of total traffic. It is harder to track these things than you think. That is why the attack worked. Advertisers and ad networks do NOT want to be associated with malware. As much as you don't want to believe it, they want to show you ads that might interest you and nothing else.

adaware (5, Interesting)

fermion (181285) | about 8 months ago | (#45870999)

It has been my contention that when websites no longer serve malware through Ads, then they can start complaining that users block ads. This is not an uncommon occurrence, even for large websites, and the fix is not always immediate. I recall not that long ago when the New York Times was serving malware for the entire weekend.

Re:adaware (4, Informative)

Anonymous Brave Guy (457657) | about 8 months ago | (#45871091)

It has been my contention that when websites no longer serve malware through Ads, then they can start complaining that users block ads.

Indeed. I block 100% of ads my tools can identify, I consider this a routine security precaution, and I make no exceptions. Sorry to the honest site operators, I won't take offence if you decide to block me because I block your ads, but no, I won't whitelist you. This became my policy shortly after the only virus infection I've ever been aware of picking up on any computer I operate, which was a Java zero day exploit I picked up browsing normally reputable tech news sites.

Use click to play (1)

tulcod (1056476) | about 8 months ago | (#45871715)

Java zero days are easily avoided by using "click to play", which does exactly what it sounds like: disable flash and java applets until you click them. In Chromium, this is easily enabled in Settings -> Show advanced settings -> under "Privacy", Content Settings -> choose "Click to play" under Plug-ins.

Java (and Flash likewise) has never been safe, and it's a shame that click to play is not the default. Additionally, animated ads are often Flash or Java-based, so this also kills distracting movies.

Re:Use click to play (0)

Anonymous Coward | about 8 months ago | (#45872575)

Easily circumvented with a JS app that detects any click on the webpage to activate the plugin.

Re:adaware (1)

A_Non_Moose (413034) | about 8 months ago | (#45872991)

Agreed.

Similar story here, when I left an IE session open on Drudge and went to sleep.

Woke up and saw "Antivirus 2009" or some such crapware.

Turned out to be 2 0-day exploits to javascript and pdfs to load executable code.

Insult to injury was I turned off javascript in pdfs explicitly and an update turned it back on. Son of a beeyotch.

Flew under the radar of Symantec 9 or 10, IIRC. Sucked because I was still in .edu and had no time for that kinda shite, but dealt with it just the same.

Now it is the "only if I allow it" kinda rule...even then there is a 90% chance of "oh, hell no!".

"has become"? (1, Insightful)

grub (11606) | about 8 months ago | (#45871015)


a reminder that Java has become an Internet security menace

Java has always been a security menace.

Re:"has become"? (2, Insightful)

Anonymous Coward | about 8 months ago | (#45871171)

Not sure if parent is trolling, or just confused.

Most of us know the difference between Java (a perfectly secure language) and the ability to run applets in a browser (a feature that can be exploited if the sandboxing is insecure). It doesn't matter whether we're talking about Java Applets or ActiveX. Hell, even interactive PDF forms have been used as attack vectors.

Re:"has become"? (1)

grub (11606) | about 8 months ago | (#45871263)

I meant running in the browser, not playing Minecraft. That ActiveX or PDF are also insecure doesn't change the fact that Java (in the browser) is shit and always in need of security updates.

Re:"has become"? (1)

Billly Gates (198444) | about 8 months ago | (#45871521)

Anything that executes code or reads it is potentially insecure.

Best defense is always to run updated OSes with updates on, do not run as root or admin, turn off anything that launches in a browser like PDF and Java. And for heaven's sake run AV folks!

I know many say with a smile they run XP with an admin account with an ancient version of ff like 3.6 with no protection whatsoever!! Lord I bet such things have tons of Trojans and key loggers on (ff 3.6 has +40 holes as it is not maintained?!)

Anyway Avast is light and it as well as comodo dragon filter less trusted ad networks. You can disable PDF reader in its preferences and you can keep Java for eclipse but disable it in your browser addons. Done with a limited account, adblockers, Av software and a modern os mixed with shit launching automatically and you are pretty secure.

Dalvik (0)

goombah99 (560566) | about 8 months ago | (#45871197)

Google's contentious rip off of Java is called Dalvik. In what aspects is it different than JAVA for security?

Re:Dalvik (1)

viperidaenz (2515578) | about 8 months ago | (#45871687)

Because there isn't really much wrong with Java, from a security point of view.

The Oracle Java Browser plugin on the other hand, is pretty dodgy.

Re:"has become"? (0)

Anonymous Coward | about 8 months ago | (#45871371)

IE6 and WinXP were the big threat back then, especially in the pre-sP2 days. But for the last few years Java has been the main culprit. 90%+ of the viruses I remove can be easily traced back to something like browsing to a page with Java-based malware.

Back then I used to tell people not to use IE. Using Firefox pretty much took care of virus problem. Nowadays it's "don't install Java". Then again, new versions of the better browsers block it by default, and that's gonna help a lot!

Of course, it's not Java the language that's the problem, it's the annoying browser plugin. Then again, it still comes bundled with other crapware like the ask toolbar that you have to opt out of.

Re: "has become"? (0)

Anonymous Coward | about 8 months ago | (#45872229)

Download the JRE or JDK from oracle.com to avoid annoyware in the installer.

Not Java but shitty Java browser plugins (1)

Anonymous Coward | about 8 months ago | (#45871023)

Java is a much safer language than say C because of the built in checks. It's the proprietary crappy browser plugins that make these kinds of attacks possible.

Re:Not Java but shitty Java browser plugins (1)

Jawnn (445279) | about 8 months ago | (#45872379)

Java is a much safer language than say C because of the built in checks. It's the proprietary crappy browser plugins that make these kinds of attacks possible.

For 99% of the users out there, that is an absolutely pointless distinction.

Re:Not Java but shitty Java browser plugins (0)

Anonymous Coward | about 8 months ago | (#45872385)

You're only half right. If the plugins were properly isolated, you could compile C onto the JVM and have the same level of security. In fact, tools exist [stackoverflow.com] for compiling C and C++ into bytecode. Your general point is valid though. It's not the language. It's the crappy plugins.

And this is why... (3, Insightful)

bmo (77928) | about 8 months ago | (#45871025)

... using ad blocking and/or host files to deep-six ad networks not only produces a nicer user experience, but it's a valid security measure.

Trusting the web site is not enough. You have to trust the ad network too. Since any Joe Schmoe can buy ad space on an ad network, trusting the ad network means you're trusting Joe Schmoe.

I don't know about you guys, but I don't.

--
BMO

Re:And this is why... (1)

TubeSteak (669689) | about 8 months ago | (#45871325)

Firefox + NoScript replaced my ad-blocker for years

Now, I only find ad-blockers or hosts files to be necessary for handling crap that's embedded in flash files.

/Does Chrome have a proper NoScript equivalent yet?

Re:And this is why... (3, Interesting)

gstoddart (321705) | about 8 months ago | (#45871363)

/Does Chrome have a proper NoScript equivalent yet?

ScriptSafe + DoNotTrackMe + Ghostery + AdBlockPlus are what I have in Chrome.

ScriptSafe does about the same as NoScript.

Re:And this is why... (1)

allo (1728082) | about 8 months ago | (#45872185)

use adblock edge, abp is getting more and more stuff you do not want. read the blog entries from some time ago. It's not only the acceptable ads* stuff, they are working with ad companies at some more points.

* which is a big deal anyway, because one of the first types of acceptable ads were the sedo-typo-squatting ads on misspelled domains.

Re:And this is why... (1)

Arker (91948) | about 8 months ago | (#45872493)

The last I checked there was no way to block scripts prior to download - the best the extension could do was step in after they have been downloaded and parsed and then walk them back out. Not acceptable, not even close.

Re:And this is why... (0)

Anonymous Coward | about 8 months ago | (#45872909)

ScriptSafe does about the same as NoScript.

Do you work for Google? Unless I have missed something or it has changed ScriptSafe is nowhere near as functionally selective as NoScript. If one is going to enable any scripting at all it should be as selectively minimal as possible and not every fucking script on a given URL. Say for instance you actually want to waste some time and bandwidth at Hulu, then with noscript you can enable Hulu.com and Hulumim.com and watch the show without enabling the additional annoyance and spying links wanting you to socialize with them. Of course even with NoScript you may want to remove many of the default whitelisted sites, including the 3 Yahoo listings IMO. AdBlock+, for whatever reasons, doesn't block all the ads in the Hulu video player. That you can take care of via changing the hosts [mvps.org] file. Of course once you do then the Hulu player figures out you're blocking the ads and increases the time it waves the "click here to enable ads screen" in your face thus increasing your time to go to the restroom, wash your hands and go to the kitchen to make a sandwich and/or grab a drink.

Oh, and does anyone know why there are only half the blocking options in Ghostery when run in Chrome or just why it is that there is not available a valid substitute for NoScript or NoScript itself? If I have missed something about Chrome and ScriptSafe, please enlighten me as I would love to be wrong just as I would love for there to be a valid substitute for NoScript in Chrome and for things like Ghostery to be as fully functional in Chrome as they are in Firefox. Of course it would be best if none of those addons were even necessary because none of those problems existed or at least the necessary functions were incorporated into the browsers. Until it is then Firefox and its variants are the only options to just completely denying scripting or doing such browsing on a diskless computer etc.

Re:And this is why... (1)

Billly Gates (198444) | about 8 months ago | (#45871413)

Unfortunately Windows 8 and higher ignore host files. You can use avast or Comodo dragon which blocks less trusted ad networks in addition to adblock.

Re:And this is why... (0)

Anonymous Coward | about 8 months ago | (#45871501)

Win8 doesn't ignore the hosts file, but it does protect it from being changed by malware. You just have to disable tracking of the hosts file if you're going to edit it.

dom

Re:And this is why... (1)

perpenso (1613749) | about 8 months ago | (#45871567)

Unfortunately Windows 8 and higher ignore host files. You can use avast or Comodo dragon which blocks less trusted ad networks in addition to adblock.

What Windows 8 does is irrelevant if one takes some old retired PC and installs Linux or *BSD on it and sets it up as a router.

Hosts = superior to browser addons (-1)

Anonymous Coward | about 8 months ago | (#45871549)

Since Hosts do more w/ less (1 file) @ a faster level (ring 0) vs redundant browser addons (slowing up slower ring 3 browsers) via filtering 4 the IP stack (coded in C, loads w/ OS, & 1st net resolver queried w\ 45++ yrs.of optimization):

---

APK Hosts File Engine 9.0++ 32/64-bit:

http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74 [start64.com]

(Details of hosts' benefits enumerated in link)

Summary:

---

A. ) Hosts do more than AdBlock ("souled-out" 2 Google/Crippled by default) + Ghostery (Advertiser owned) - "Fox guards henhouse", or Request Policy -> http://yro.slashdot.org/comments.pl?sid=4127345&cid=44701775 [slashdot.org]

B. ) Hosts add reliability vs. downed or redirected DNS + secure vs. known malicious domains too -> http://tech.slashdot.org/comments.pl?sid=3985079&cid=44310431 [slashdot.org] w/ less added "moving parts" complexity + room 4 breakdown,

C. ) Hosts files yield more speed (blocks ads & hardcodes fav sites - faster than remote DNS), security (vs. malicious domains serving mal-content + block spam/phish), reliability (vs. downed or Kaminsky redirect vulnerable DNS, 99% = unpatched vs. it & worst @ ISP level + weak vs FastFlux + DynDNS botnets), & anonymity (vs. dns request logs + DNSBL's).

---

* Addons are more complex + slowup browsers in message passing (use a few concurrently - you'll see) - Addons slowdown SLOWER usermode browsers layering on MORE: I work w/ what you have in kernelmode, via hosts ( A tightly integrated PART of the IP stack itself )

APK

P.S.=> * "A fool makes things bigger + more complex: It takes a touch of genius & a lot of courage to move in the opposite direction." - Einstein

** "Less is more" = GOOD engineering!

*** "The premise is, quite simple: Take something designed by nature & reprogram it to make it work FOR the body, rather than against it..." - Dr. Alice Krippen "I AM LEGEND"

...apk

To the downmodder of my post (-1)

Anonymous Coward | about 8 months ago | (#45872561)

Technically unjustifiable downmods = "best ya got"? Validly disprove my points on hosts' superiority vs. browser addons noted instead (& even vs. DNS' shortcomings which hosts can fix no less), validly, & on computing tech grounds...

* Good luck - you'll NEED it!

LOL - More like you'll require a miracle since NO 'detractor troll' EVER has validly on computing tech grounds (which is what this IS all about)...

Not even once!

(This stupidity of theirs is a case not of technical ignorance, but rather of recognizing that facts & truth I use are unassailable).

---

Yes, trolls lately DO reply (after logging out of their registered 'luser' account after the bogus downmod they applied), albeit by AC posts only, always illogical & non-sequitur completely off topic complete with failing ad hominem attack attempts - "Gosh, wonder why?" (not) - they've gotten 'spanked' by me SO MANY TIMES they can't handle it & this is their "revenge", lol!

(Makes me realize it's malware makers/botnet masters, inferior competitors, or advertisers doing it - take your pick, but either way? They LOSE - badly!)

In the end it's obvious You can't get the better of my points here, & you KNOW it (Hence your effete downmod but no backing up your b.s. validly).

How can trolls like you LIVE with yourselves?

APK

P.S.=> The funniest part is the troll doing this apparently doesn't know that MOST people here browse well below the default +1 moderation level, & will see my points regardless of the computing technically unjustifiable downmod - especially beneath a highly rated post like BMO's was (parent to mine) & that you're totally unable to disprove my points validly on computing tech grounds - period.

(Thus, You're continually making me stronger in the eyes of others via your reprehensible actions vs. my posts on hosts: New NEWS - people aren't stupid & realize the truth of this statement now too (especially on tech forums))

... apk

Yahoo is getting worse everyday (3, Insightful)

Anonymous Coward | about 8 months ago | (#45871027)

New Yahoo Mail = complete unusable dog shit

New Flickr = complete fuck up! They don't even read user feedback.

New Ad delivery = source of malware! Even porn sites don't do that.

Re:Yahoo is getting worse everyday (5, Interesting)

Anonymous Coward | about 8 months ago | (#45871187)

yep, blocked *.yahoo at the point i noticed them installing pseudo-malware with uTorrent (the persistent default search engine replacement software which uses far more CPU time than something that supposedly just monitors search engine settings and resets them to Yahoo should. It was very malware like in its choice of installation folder too and of course the fact it was both unwanted and self-repairing)

once a company starts doing that shit they end up on my block list, permanently. uTorrent made it too for bundling the crap.

sounds like I dodged a bullet by having them blocked.

Re:Yahoo is getting worse everyday (1)

hyades1 (1149581) | about 8 months ago | (#45871357)

Wish I had a mod point to move you up the food chain a bit.

Re:Yahoo is getting worse everyday (0)

Anonymous Coward | about 8 months ago | (#45871649)

Yahoo calendar - people complained in 2006 that there was no public RSS feed, no API for creating or reading calendar events, etc etc etc.

EIGHT YEARS AGO.

Today? Do a search for a Yahoo Calendar API, it doesn't exist.

Re:Yahoo is getting worse everyday (0)

Anonymous Coward | about 8 months ago | (#45873303)

Yahoo mail on Thunderbird seems the same as other mail services, and I also have CalDav too.

Why do YOU have problems with it?

POP is POP, SMTP is SMTP, CalDav is CalDav.

Wut? (0)

Anonymous Coward | about 8 months ago | (#45871073)

you should disable Java (but not JavaScript, a completely separate technology) as a precaution.

I lol'd. Javascript SO SECURE. NO HACK.

Thunderbird is my friend. (1)

couchslug (175151) | about 8 months ago | (#45871151)

I kept my old Yahoo webmail accounts but use Thunderbird to read those as well as Gmail. Avoids dealing with asstastic webmail page layout as well as being bothered with adverts.

Good on you, Yahoo... (1)

DrPBacon (3044515) | about 8 months ago | (#45871175)

If that's the whole statement, then wow... that's really pathetic.

Lemme FTFY (0)

Anonymous Coward | about 8 months ago | (#45871241)

a reminder that Yahoo has become an Internet security menace

Really? (1)

kurkosdr (2378710) | about 8 months ago | (#45871253)

"Fox-IT says it appears to be 'financially motivated'" (Insert Nicolas Cage "you don't say" pic here) Also, Yahoo has the billing info, IP address and username of the fine fellows behind this. Can't they sue them, or at least publish that info? Oh, I forgot, that would be "aggravating a partner" which is bad for the bottom line...

This justifies my habits ... (0)

TrollstonButterbeans (2914995) | about 8 months ago | (#45871265)

For security reasons, this is why I only browse the web with Internet Explorer 6 with Java disabled.

Re:This justifies my habits ... (2)

giantgeek (1170007) | about 8 months ago | (#45871463)

The Washington Post cites this incident as a reminder that Java has become an Internet security menace [washingtonpost.com] .

You can read about Java as the Internet security menace in the link above, but first you need to enable Java Script to read the article.

Re:This justifies my habits ... (1)

innocent_white_lamb (151825) | about 8 months ago | (#45871879)

You don't need javascript to read that article. The text and photo are at the bottom of the page. Just scroll past all of the whitespace at the top and you'll find it.

Re:This justifies my habits ... (1)

thestuckmud (955767) | about 8 months ago | (#45871885)

You can read about Java as the Internet security menace in the link above, but first you need to enable Java Script to read the article.

That, or disable CSS (e.g. View/Page Style/No Style in Firefox).

Re:This justifies my habits ... (1)

EmperorOfCanada (1332175) | about 8 months ago | (#45871553)

I used Lynx up until 2010 until I realized that it might be compromised. So now just telnet to port 80 and manually send GETs and POSTs.

Re:This justifies my habits ... (1)

Kimomaru (2579489) | about 8 months ago | (#45872727)

Wow, that's hard core.

TY ABP & NS (0)

Anonymous Coward | about 8 months ago | (#45871373)

Close call.

Fools who dont run AV (1)

Billly Gates (198444) | about 8 months ago | (#45871395)

For the idiots who say with a smile they do not run AV software and think they are malware free because they don't click on anything, I told you so.

Some people even on Slashdot do not have a basic understanding of online security. Yes Linux Trojans exist too because like Mac users you all think you are invulnerable.

Basics: if you must use Java, disable it in your browsers or put it in intranet zone only if you use IE at work. Disable Adobe Reader from launching automatically. Use Foxit if you can or disable it in browser launching, which I do. Use Flashblock and Adblock. Even IE has Adblock these days. Last, do not run a browser with an admin/root account! In Windows I use a separate limited/standard account and do not browse as root in Linux. Doh. Run Windows updates!! But they may break my apps .... Please. I never had an issue and my security is worth it. Do that and these attacks will be plugged 90% of the time.

Do these in addition to not clicking on shit and then your system will be pretty darn secure.

Re: Fools who dont run AV (0)

Anonymous Coward | about 8 months ago | (#45872275)

Please direct me to the AV provider of your choice that prevents zero-days. Because once updates are applied and you don't install software from popup browser windows willy-nilly, there really aren't that many other threats. Only download software from known-good sources, not software.downloadhelper.com that SEOs itself to the top of searches. No AV will protect you from that kind of garbage, and many are paid off to ignore borderline malware/annoyware.

Reminder... (2)

ameline (771895) | about 8 months ago | (#45871399)

> "The Washington Post cites this incident as a reminder that Java has become an Internet security menace."

That should read "The Washington Post cites this incident as a reminder that advertising has become an Internet security menace."

Adblock+ -- part of a sensible security policy.

Yahoo knows (4, Insightful)

EmperorOfCanada (1332175) | about 8 months ago | (#45871457)

The moment that Yahoo allowed advertisers to use Java they knew that minimally those ads would be used to annoy the crap out of the users. If your ad is a static picture with a clickable link then you don't need Java. What you need Java for is to start prying into the user's business. Animations, sound, geolocations, saving data to the user's machine. So any "legitimate" ad using Java is halfway to being malware already. Plus why use Java instead of Flash? Generally ads should be made by Graphic artist types who are more familiar with Flash. Thus the primary reason to use Java is to access some feature that Flash has blocked in Flash.

So if your goal with a Java ad is to circumvent something that Adobe has blocked then it probably should remain blocked. On top of that most users have turned off Java so it can't be to reach a wider audience.

So when Yahoo allows advertisers to use Java they knew perfectly well that the advertisers were up to no good whatsoever. Their acting surprised that some of the scumbags took it even further is total BS.

Basically at this point, anyone who has Java turned on in the browser is the same as having a house with a week's worth of newspapers stacked up at the front door. Effectively a greeting card inviting the criminals in.

Yahoo doesn't immediately know (3, Insightful)

viperidaenz (2515578) | about 8 months ago | (#45871651)

The ad didn't contain a Java applet.
It directed people to a website that then delivered the malware. Apparently it automatically redirected the browser, but that hasn't been confirmed.

So Yahoo allow Javascript in the ads, not Java.

Re:Yahoo doesn't immediately know (1)

EmperorOfCanada (1332175) | about 8 months ago | (#45871843)

Ah good clarification. So a good policy for yahoo would be if your site uses Java applets there is an 80% chance you are being a tool. I thought the coverage of Java Applet Ads would be pretty poor. I am not sure of the exact stats but with mobile devices growing this number must also be in freefall.

The only legitimate sites that I see where a java applet is a critical feature are older science websites. Astronomy calculators would be a common example.

Personally I am excited about the prospects of asm.js for when you want to put something hardcore in a browser. Something that might have been ported from C++ or some such language.

Re:Yahoo knows (1)

asmkm22 (1902712) | about 8 months ago | (#45873141)

For what it's worth, a big reason they changed from making ads in Flash to Java is because

a. People used to complain about Flash, and how slow and insecure it was.
b. Flash didn't work very well with mobile phones (or at all for a long time).

Thousands? (2)

wonkey_monkey (2592601) | about 8 months ago | (#45871475)

Yahoo Advertising Serves Up Malware For Thousands

The attack, which lasted several days... the infection rate was at about 27,000 infections per hour.

That's nearly 2 million at least. C'mon Slashdot, it's not like you to supply a less sensational headline than necessary.

How is the source unknown? (1)

viperidaenz (2515578) | about 8 months ago | (#45871589)

The source is a Yahoo ad customer. Do they not know who pays them? Or do they not want to lose a paying customer by outing them?

Re:How is the source unknown? (1)

Greyfox (87712) | about 8 months ago | (#45871775)

Perhaps they were paid with a stolen credit card. It's not like those are hard to come by.

Re:How is the source unknown? (0)

Anonymous Coward | about 8 months ago | (#45873211)

Where I live (Germany), installing malware is a crime (called computer theft, data alteration, computer sabotage or somesuch). If Yahoo helped the criminals install malware, that's aiding and abetting. If they also protect the criminal now by not identifying him, that's a crime itself. In principle, someone could and should go to jail for up to three years.

Has anyone sued Yahoo yet? Actually, suing their CEO personally might move things faster. I bet, if that happened, the source of the malware would be identified rather quickly.

One of many such cases (0)

Anonymous Coward | about 8 months ago | (#45871835)

And people still whinge about users installing adblocking software? As far as I'm concerned a computer without adblock (at a hosts file level) is a security risk.

But don't block the ads! (0)

Anonymous Coward | about 8 months ago | (#45871849)

We can't get any money to promote our site if we're not infecting every machine that visits!

But does it run on Linux? (1)

mspohr (589790) | about 8 months ago | (#45871899)

As usual (unfortunately). Both the article and the summary are pathetic examples of journalism which should try to at least inform.
For instance, it would be useful to know (at a minimum) which OSs, browsers, etc are vulnerable, whether any of the virus detection programs will block or remove the malware and what effects the malware has on systems when they are infected.
In other words, this article is just "scareware" warning about some unspecified threat to do something bad to somebody and no idea who, what, when or where.

Re:But does it run on Linux? (2)

asmkm22 (1902712) | about 8 months ago | (#45873193)

Did you even read the articles, or did you just click the first link in the summary and call it a day? The one linking specifically to Fox IT's blog, which is the source of this discovery, goes into great detail about this. They specifically mention the following:

This exploit kit exploits vulnerabilities in Java and installs a host of different malware including:

ZeuS
Andromeda
Dorkbot/Ngrbot
Advertisement clicking malware
Tinba/Zusy
Necurs

Re:But does it run on Linux? (2)

mspohr (589790) | about 8 months ago | (#45873285)

But do any of these run on Linux.. or Mac OSX?
I guess we should just assume that they all run on Windows although the article is silent on this subject.
Does any antivirus program detect or block any of these?
What should I do if I think I have been "exposed"?

Useless articles.

Freaking ad networks (2, Informative)

Dega704 (1454673) | about 8 months ago | (#45872137)

Hence why I advise people to install AdBlock on their browsers. The way things have been for the past few years, it's probably more effective than antivirus software. (Before you flame me, I am speaking tongue-in-cheek. You really should have both.)

I'm confused... (1)

jddeluxe (965655) | about 8 months ago | (#45872711)

People still visit yahoo's website? How quaint!

Wrong view of security (1)

Sigma 7 (266129) | about 8 months ago | (#45872843)

reminder that Java has become an Internet security menace."

The big three browsers can trivially block Java, through something as simple as "click to play", or "always launch plugins from this site". Any browser that auto-executes stuff by default is broken.

On the other hand, I've had a malware distribution attempt via Javascript. It's certainly designed to attack Chrome, since it wipes the previous page content and URL, replacing it with its own.

Oh, and a trivial Javascript exploit that browsers took 10+ years to fix.

while(true) {alert("haha");}

Learn correct grammar... (0)

Anonymous Coward | about 8 months ago | (#45873199)

"exploited vulnerabilities in Java and installed malware"

"exploited vulnerabilities in Java COMMA and installed malware"

Otherwise it could be taken to mean the vulnerabilities were also in 'installed malware'. Duh. Americans.

3rd party malware. (1)

Ralph Ostrander (2846785) | about 8 months ago | (#45873431)

Adblock Plus is all you need to know. In settings, don't allow some.

This is the perfect example of why adblock plus (1)

Ralph Ostrander (2846785) | about 8 months ago | (#45873445)

should not default to allow any. Let the user take the risk in allowing; do not assume it for me unless you're going to pay for my damages.