Tuesday, February 05, 2008 9:52 PM sandi

Internet Explorer is NOT to blame for the Flash advertisement problem !!

An interesting question was posted to my blog today, a question that is worth discussing in greater detail.  The comment asked:

"How is the method [of malicious banner advertisements] for spreading? Vulnerabilities on IE ?"

Ok, here is the succinct answer - the malicious banner advertisements are NOT using a vulnerability in Internet Explorer to hijack visitors.  Nor are the malicious banner advertisements using a vulnerability in Firefox when its users are hijacked, nor are they using a vulnerability in any other Web browser.

I place the blame for any "vulnerability" on just two parties - Adobe, and Macromedia before them.  This is because the criminals are not using a security vulnerability that can be patched.  They are using abilities and features inherent to Flash - abilities and features that CANNOT BE TURNED OFF BY THE END USER.

I said it before - back on December 20 last year - and I will say it again, Flash has turned into the Typhoid Mary of the Internet.

Yes, I know, Flash has recently been updated to address some security vulnerabilities - but guess what, I'm using the latest version of Flash and I'm still seeing a problem with malicious banner advertisements.

The security update for Flash "introduces a new, stricter method for Flash Player to interpret cross-domain policy files. These changes could help prevent privilege escalation attacks against web servers hosting Flash content and cross-domain policy files", to which my response is a big, sarcastic "WHOOPPEE".  Let's look at how the bad guys work.

Bad guys code a malicious advertisement - the only thing is that all this SWF does is load another Web page, hosted on a malicious domain.

The second web page also has a SWF - and *this* SWF is the one that does the real dirty work - but here's the kicker - the bad guys don't need any "privilege escalation" or "cross domain" attacks to achieve their goals.

Realistically, the only way that we can stop this problem easily is by PREVENTING the very first redirect - preventing that moment when the malicious banner advertisement on a legitimate web page grabs the user's Web browser and dumps it at a different web site.

Does Adobe Flash allow you to set Restricted, Internet and Trusted Zone behaviour?  NO!!

Does Adobe Flash throw up a prompt to warn that "an advertisement wants to open a web page - allow/deny"?  NO!!

Does Adobe Flash give the end user the ability to turn off redirects?  NO!!

Unless and until Adobe gives end users the ability to stop Flash from doing any more than displaying a composite of pretty pictures and sound and motion then, I am sorry to say, the only thing you can do if you want to avoid any risk of being redirected is to dump Flash - if Flash is not installed on your system you will not be hijacked.

Yes, you can use Firefox and add-ons like noscript but let's be honest - nobody wants to "break the web" and if a protective step "breaks" a web page, then it is human nature to work around that breakage by adding a web site to your "trusted" sites thereby effectively giving the bad guys 'carte blanche' - the protection, whatever it is you may decide to use, must be as seamless as possible and provide minimal user impact - and anyway, how can you decide what is trusted and what is not when *any* web site that uses advertising to raise an income could be infiltrated at any time?

Also, you can block who knows how many malicious domains, hoping that this will protect your site's visitors from malicious redirects - but what happens when the bad guys move on to a new host, and then another one, and another one, and another?

Let me stress this as strongly as I can - WHACK-A-MOLE will not work for you - leave that to me.

Treat the cause, not the end symptom. Test the creatives that you receive.  Be choosy.  If you're approached at the end of month, and you're trying to make budget, and you're offered a "too good to be true" campaign - or any campaign where the seller reveals a sense of urgency ("we want this to go live asap") - be very very very careful.

Yes, I know you need to make budget - I know that you have sales targets - but I can promise you this ... the bad guys will contact you when you're most vulnerable - when you've got the boss breathing down your neck.

Don't be fooled.
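
One way to act on "test the creatives that you receive", as an added example that is not part of the original post: a Python check that walks a submitted SWF's tags and lists every literal getURL() destination in its frame actions, flagging hosts that are not on the campaign's approved click-through list. The host names and the `sample_swf` builder are constructed for illustration.

```python
import struct, zlib
from urllib.parse import urlparse

DO_ACTION, GET_URL = 12, 0x83   # SWF tag code / action code for a literal getURL()

def scan_actions(rec):
    """Yield (url, target) for each ActionGetURL in one DoAction action list."""
    i = 0
    while i < len(rec) and rec[i] != 0:          # 0 = ActionEnd
        op, i = rec[i], i + 1
        if op < 0x80:                            # short actions carry no payload
            continue
        n = int.from_bytes(rec[i:i + 2], "little")
        if op == GET_URL:                        # UrlString NUL TargetString NUL
            url, target = (rec[i + 2:i + 2 + n].split(b"\0") + [b"", b""])[:2]
            yield url.decode("latin-1"), target.decode("latin-1")
        i += 2 + n

def get_url_targets(data):
    if data[:3] not in (b"FWS", b"CWS"):
        raise ValueError("not an FWS/CWS SWF")
    body = zlib.decompress(data[8:]) if data[:3] == b"CWS" else data[8:]
    pos = (5 + 4 * (body[0] >> 3) + 7) // 8 + 4  # skip RECT, frame rate, frame count
    found = []
    while pos + 2 <= len(body):
        head = int.from_bytes(body[pos:pos + 2], "little")
        code, length, pos = head >> 6, head & 0x3F, pos + 2
        if length == 0x3F:                       # long header: 32-bit length follows
            length, pos = int.from_bytes(body[pos:pos + 4], "little"), pos + 4
        if code == 0:                            # End tag
            break
        if code == DO_ACTION:
            found += scan_actions(body[pos:pos + length])
        pos += length
    return found

def off_list(data, allowed_hosts):
    """URLs the creative opens whose host is not an approved click-through host."""
    return [u for u, _ in get_url_targets(data)
            if (urlparse(u).hostname or "") not in allowed_hosts]

def sample_swf(url, compressed=False):
    """Constructed test creative: one frame action calling getURL(url, "_top")."""
    payload = url.encode() + b"\0_top\0"
    actions = bytes([GET_URL]) + struct.pack("<H", len(payload)) + payload + b"\0"
    body = (b"\0" + b"\0\x0c\x01\0"              # empty RECT, 12 fps, 1 frame
            + struct.pack("<HI", (DO_ACTION << 6) | 0x3F, len(actions)) + actions
            + b"\0\0")                           # End tag
    head = struct.pack("<3sBI", b"CWS" if compressed else b"FWS", 8, 8 + len(body))
    return head + (zlib.compress(body) if compressed else body)
```

This only sees literal getURL() calls in top-level frame actions; URLs assembled at run time, actions nested in sprites or buttons, and ActionScript 3 bytecode are not covered, so an empty result does not clear a creative. Treat any hit as grounds to hold the campaign and run the creative in an isolated browser before it goes live.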


# re: Internet Explorer is NOT to blame for the Flash advertisement problem !!

Tuesday, February 05, 2008 10:43 AM by Barry

Personally, I've uninstalled Flash *and* use Firefox with Noscript.  Belt and suspenders keep your pants up.  Still, I'll agree, Noscript isn't for those with weak computer kung-fu.

# re: Internet Explorer is NOT to blame for the Flash advertisement problem !!

Tuesday, February 05, 2008 4:22 PM by Paul

>> Realistically, the only way that we can stop this problem easily is by PREVENTING the very first redirect - preventing that moment when the malicious banner advertisement on a legitimate web page grabs the user's Web browser and dumps it at a different web site.

And so, why isn't this a checkbox option on IE??

# re: Internet Explorer is NOT to blame for the Flash advertisement problem !!

Tuesday, February 05, 2008 4:30 PM by sandi

@Paul,

Because it is *Flash* that is opening the Web page, using IE.

Do you really want Microsoft / Internet Explorer to be able to control the actions of third party software to such an extent?  Imagine the lawsuits.

Nope - it's up to Adobe to give users a way to control the behaviour of Flash - not Microsoft.

Sandi

# re: Internet Explorer is NOT to blame for the Flash advertisement problem !!

Tuesday, February 05, 2008 10:28 PM by Mark Odell

> Because it is *Flash* that is opening the Web page, using IE.

If IE7's vaunted sandbox isn't stopping this, then had you considered the possibility of running Flash Player inside IE7's sandbox?

# re: Internet Explorer is NOT to blame for the Flash advertisement problem !!

Tuesday, February 05, 2008 11:39 PM by sandi

The Sandbox (aka Protected Mode) is Vista only, and is dependent upon UAC *not* being disabled.

I do not believe it will save users from social engineering attacks anyway.  They'll still get redirected, and they'll still be fooled or scared into installing fraudware.

Remember that Protected Mode/Sandbox is designed to protect us from *involuntary* malware installs - what is commonly called "drive by downloads" - it is not designed to stop people from clicking on the button in the scary dialogue box - and it's not designed to prevent the Flash redirect in the first place.  If Microsoft were to make an executive decision and cripple Flash functionality in such a way the screams would be deafening.

IE has protected users from drive by downloads ever since the infobar was introduced and IE stopped automatically installing activex controls without permission - and sadly that change has *not* stopped the growth of the fraudware we are facing today because the criminals are depending on social engineering to get the users to accept the installation.

Again, it is up to Adobe to give the user a way to stop the redirect from happening in the first place.  End users are effectively helpless unless they make the choice to go without Flash.

# re: Internet Explorer is NOT to blame for the Flash advertisement problem !!

Wednesday, February 06, 2008 3:36 AM by Donald

Reading between the lines, Flash opens the malicious page in the Trusted Zone for IE users where the page can install malicious software by drive-by download, but Firefox users are only exposed to a social engineering attack.

Is that correct?

"This is a social engineering attack as well as a drive-by download."

www.scmagazineus.com/.../104827

# re: Internet Explorer is NOT to blame for the Flash advertisement problem !!

Wednesday, February 06, 2008 2:20 PM by And Clover

Whilst Firefox's Noscript is probably not suited for civilians, I can wholeheartedly recommend the Flashblock extension. It's not just good against obnoxious ads, but also against unwanted CPU-hogging animations and unexpected loud noises.

And with a single click to activate blocked Flash files, it breaks almost nothing and is usable for everyone.

# re: Internet Explorer is NOT to blame for the Flash advertisement problem !!

Wednesday, February 06, 2008 10:40 PM by sandi

@Donald,

The 'reading between the lines' is incorrect. There is no security elevation of any type happening, nor is Flash about to add sites to IE's Trusted Sites Zone.  

Flash is not able to open a page in IE's Trusted Zone **unless the domain was already in the TZ**

Sandi

# re: Internet Explorer is NOT to blame for the Flash advertisement problem !!

Thursday, February 07, 2008 2:45 AM by Donald

Thanks Sandi, but where does the drive-by download come in? That implies malware is installed without the user clicking 'yes' to anything. Is that in the unlikely circumstance that the user has the malicious domain in the Trusted Zone?

# re: Internet Explorer is NOT to blame for the Flash advertisement problem !!

Thursday, February 07, 2008 1:24 PM by Jake

I think the first thing to be done is to remove flash from the computer.

The second thing is Adobe should get this fixed ASAP.

Only problem I see is with some websites using flash for their navigational purposes, but OTOH if the designers of these sites choose to use flash for that and no fallback built in, then they do have a problem, namely some leaving visitors.

# re: Internet Explorer is NOT to blame for the Flash advertisement problem !!

Friday, February 08, 2008 7:51 AM by I User

Ad networks block adverts with dodgy javascript / html / images in them.  If they are willing to collect the lucrative revenues for serving flash advertisements, they should vet for dodgy flash swfs too.

Block the ad networks you don't trust.  There are plenty of tools to do that.

# re: Internet Explorer is NOT to blame for the Flash advertisement problem !!

Friday, February 08, 2008 3:56 PM by sandi

@Donald,

Yes, the malware/fraudware *can* be installed on the user's computer without the user clicking 'yes' to anything **depending on the web browser version being used, and the security settings of the later browser versions**.

I think that in the current browser security environment it is social engineering that is more successful in getting this fraudware on to machines.  Victims believe that the 'you are infected' dialogue box is accurate, they believe the scan results and they pay for the fraudware software.

I have seen it mentioned that "winfixer" has earned $130 million in revenue for the people behind the fraudware - that is a *lot* of successful social engineering at between $20 and $70 per install.

@Jake,

Yes, there are some sites that use Flash for navigational purposes but that could theoretically be addressed by a 'mouseover' wherein as soon as the person goes to use the Flash navigation menu, they see an alert telling them that the navigation menu needs to be enabled (like the "click to activate and use this control" message seen by IE users when they encounter active content on a web page).

Sandi

# re: Internet Explorer is NOT to blame for the Flash advertisement problem !!

Friday, February 08, 2008 3:57 PM by sandi

@all,

The 'mouseover' event could also be used to prompt for a redirect on a Flash ad.

That way, advertisers could still open web pages via Flash, *but* they would only be able to do so when the user clicks on the advert.

Sandi
