An interesting question was posted to my blog today, a question that is worth discussing in greater detail. The comment asked:
"How is the method [of malicious banner advertisements] for spreading? Vulnerabilities on IE?"
Ok, here is the succinct answer - the malicious banner advertisements are NOT using a vulnerability in Internet Explorer to hijack visitors. Nor are the malicious banner advertisements using a vulnerability in Firefox when its users are hijacked, nor are they using a vulnerability in any other Web browser.
I place the blame for any "vulnerability" on just two parties - Adobe, and Macromedia before them. This is because the criminals are not using a security vulnerability that can be patched. They are using abilities and features inherent to Flash - abilities and features that CANNOT BE TURNED OFF BY THE END USER.
I said it before - back on December 20 last year - and I will say it again, Flash has turned into the Typhoid Mary of the Internet.
Yes, I know, Flash has recently been updated to address some security vulnerabilities - but guess what, I'm using the latest version of Flash and I'm still seeing a problem with malicious banner advertisements.
The security update for Flash "introduces a new, stricter method for Flash Player to interpret cross-domain policy files. These changes could help prevent privilege escalation attacks against web servers hosting Flash content and cross-domain policy files", to which my response is a big, sarcastic "WHOOPPEE". Let's look at how the bad guys work.
The bad guys code a malicious advertisement as a SWF, but all that first SWF does is send the browser to another Web page, hosted on a malicious domain.
The second web page also has a SWF, and *this* SWF is the one that does the real dirty work. But here's the kicker: the bad guys don't need any "privilege escalation" or "cross domain" attacks to achieve their goals. Sending the browser to a URL is an ordinary, documented Flash call (getURL in ActionScript 2, navigateToURL in ActionScript 3), not a cross-domain data request, so a stricter reading of cross-domain policy files does nothing to stop it.
Realistically, the only way that we can stop this problem easily is by PREVENTING the very first redirect - preventing that moment when the malicious banner advertisement on a legitimate web page grabs the user's Web browser and dumps it at a different web site.
Does Adobe Flash allow you to set Restricted, Internet and Trusted Zone behaviour? NO!!
Does Adobe Flash throw up a prompt to warn that "an advertisement wants to open a web page - allow/deny"? NO!!
Does Adobe Flash give the end user the ability to turn off redirects? NO!! (The page that embeds a SWF can set the allowNetworking="internal" embed parameter, which blocks getURL and navigateToURL, but that switch belongs to the publisher, not to the reader, and it also blocks the clickTAG click-through that legitimate creatives rely on, so it is no answer for advertising.)
Unless and until Adobe gives end users the ability to stop Flash from doing any more than displaying a composite of pretty pictures, sound and motion, I am sorry to say that the only thing you can do if you want to avoid any risk of being redirected is to dump Flash: if Flash is not installed on your system you cannot be hijacked this way.
Yes, you can use Firefox and add-ons like NoScript, but let's be honest: nobody wants to "break the web", and if a protective step "breaks" a web page, it is human nature to work around the breakage by adding the site to your "trusted" list, effectively giving the bad guys carte blanche. Whatever protection you decide to use must be as seamless as possible and have minimal user impact. And anyway, how can you decide what is trusted and what is not when *any* web site that uses advertising to raise an income could be infiltrated at any time?
Also, you can block who knows how many malicious domains, hoping that this will protect your site's visitors from malicious redirects, but what happens when the bad guys move on to a new host, and then another one, and another, and another?
Let me stress this as strongly as I can - WHACK-A-MOLE will not work for you - leave that to me.
Treat the cause, not the end symptom. Test the creatives that you receive. Be choosy. If you're approached at the end of the month, when you're trying to make budget, and you're offered a "too good to be true" campaign, or any campaign where the seller reveals a sense of urgency ("we want this to go live asap"), be very, very careful.
Yes, I know you need to make budget - I know that you have sales targets - but I can promise you this ... the bad guys will contact you when you're most vulnerable - when you've got the boss breathing down your neck.
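The loader-then-payload chain described above and the advice to test creatives before they go live come down to one check an ad-ops team can automate: does the SWF you have been handed contain any script at all, and does that script navigate the browser? The Python triage tool below is an added example written for this page; it is not the author's code and not a tool the post mentions. It parses the SWF container (FWS and zlib-compressed CWS), walks the tag stream including tags nested inside DefineSprite, decodes the ActionScript 2 ActionGetURL / ActionGetURL2 opcodes, and looks for the ActionScript 3 navigateToURL name in DoABC tags. The tag codes and opcodes are taken from the SWF file format specification; the function names, the sample creative it builds for itself and the hostname evil.example are constructed for the example.

```python
import re
import struct
import zlib

# Tag codes from the SWF file format specification that carry executable
# ActionScript: AS2 bytecode in DoAction/DoInitAction, AS3 bytecode in DoABC.
# DefineSprite nests other tags, so script can also hide inside a sprite.
CODE_TAGS = {12: "DoAction", 59: "DoInitAction", 72: "DoABC", 82: "DoABC"}
DEFINE_SPRITE, SHOW_FRAME, END_TAG = 39, 1, 0
# AS2 action opcodes that navigate the hosting browser to a URL.
ACTION_GET_URL = 0x83   # URL and target window inline in the action body
ACTION_GET_URL2 = 0x9A  # URL and target taken from the stack at runtime
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")

def unpack_swf(data: bytes) -> bytes:
    """Return the body after the 8-byte header, inflating CWS (zlib) files."""
    sig, length = data[:3], struct.unpack_from("<I", data, 4)[0]
    body = data[8:]
    if sig == b"CWS":
        body = zlib.decompress(body)
    elif sig != b"FWS":  # ZWS (LZMA, Flash 11+) is not handled here
        raise ValueError(f"unsupported SWF signature {sig!r}")
    if len(body) + 8 != length:
        raise ValueError("declared file length does not match actual size")
    return body

def iter_tags(buf: bytes, pos: int):
    """Yield (code, payload) for each tag record from pos up to the End tag."""
    while pos + 2 <= len(buf):
        head, pos = struct.unpack_from("<H", buf, pos)[0], pos + 2
        code, length = head >> 6, head & 0x3F
        if length == 0x3F:  # long form: an explicit UI32 length follows
            length, pos = struct.unpack_from("<I", buf, pos)[0], pos + 4
        yield code, buf[pos:pos + length]
        pos += length
        if code == END_TAG:
            break

def scan_as2_actions(code: bytes) -> list:
    """Walk an AS2 action record stream and report browser-navigation actions."""
    found, pos = [], 0
    while pos < len(code) and code[pos] != 0:  # 0x00 is ActionEnd
        op, length, pos = code[pos], 0, pos + 1
        if op >= 0x80:  # actions >= 0x80 carry a UI16 length and a payload
            length, pos = struct.unpack_from("<H", code, pos)[0], pos + 2
        payload, pos = code[pos:pos + length], pos + length
        if op == ACTION_GET_URL:  # payload is "url\0target\0"
            found.append(("ActionGetURL", payload.split(b"\x00", 1)[0].decode("latin-1")))
        elif op == ACTION_GET_URL2:
            found.append(("ActionGetURL2", "<url assembled at runtime>"))
    return found

def inspect_swf(data: bytes) -> dict:
    """Triage a creative: does it carry script, and does that script navigate?"""
    body = unpack_swf(data)
    nbits = body[0] >> 3                 # RECT: 5-bit Nbits then four Nbits-wide fields
    pos = (5 + 4 * nbits + 7) // 8 + 4   # skip RECT, FrameRate (UI16), FrameCount (UI16)
    report = {"code_tags": [], "redirects": [],
              "urls": sorted({m.decode("latin-1") for m in URL_RE.findall(body)})}

    def walk(tags):
        for code, payload in tags:
            if code in CODE_TAGS:
                report["code_tags"].append(CODE_TAGS[code])
                if code == 12:
                    report["redirects"] += scan_as2_actions(payload)
                elif code == 59:  # DoInitAction: UI16 sprite id precedes the actions
                    report["redirects"] += scan_as2_actions(payload[2:])
                elif b"navigateToURL" in payload:  # AS3: name sits in the ABC constant pool
                    report["redirects"].append(("navigateToURL", "<AS3 call>"))
            elif code == DEFINE_SPRITE:  # UI16 id, UI16 frame count, then nested tags
                walk(iter_tags(payload, 4))

    walk(iter_tags(body, pos))
    report["verdict"] = ("reject" if report["redirects"]
                         else "review" if report["code_tags"] else "clean")
    return report

def build_sample_swf(url=None, compress=True) -> bytes:
    """Constructed test input, not a real creative: a one-frame SWF. Given a url
    it holds nothing but a DoAction/ActionGetURL, i.e. a pure 'loader' banner."""
    def tag(code, payload=b""):  # short-form header only (payload < 63 bytes)
        return struct.pack("<H", (code << 6) | len(payload)) + payload
    body = b"\x00" + struct.pack("<HH", 12 << 8, 1)  # Nbits=0 RECT, 12 fps, 1 frame
    if url is not None:
        params = url + b"\x00_self\x00"
        body += tag(12, bytes([ACTION_GET_URL]) + struct.pack("<H", len(params)) + params + b"\x00")
    body += tag(SHOW_FRAME) + tag(END_TAG)
    header = struct.pack("<I", 8 + len(body))
    return b"CWS\x08" + header + zlib.compress(body) if compress else b"FWS\x08" + header + body

if __name__ == "__main__":
    print(inspect_swf(build_sample_swf(b"http://evil.example/landing")))
```

A creative that is supposed to be nothing but animation has no business carrying DoAction or DoABC at all, which is why a script-bearing SWF with no visible redirect still gets "review" rather than "clean": ActionScript 3 can assemble a URL string at runtime and obfuscated bytecode can hide the navigateToURL name. Treat "reject" as final and "review" as a reason to run the creative in an instrumented browser and watch what it loads, and note that this tool does not unpack LZMA-compressed (ZWS) files.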
Don't be fooled.