Malicious Advertisements
On November 2, 2007 I had the opportunity to participate in a panel at the Federal Trade Commission on the future of online behavioral advertising. While this topic is not one that is normally associated with information protection issues, there are some interesting implications that I touched upon at the panel and that I thought I’d reiterate here.
First, let’s think about some of the overall trends related to Web advertising. To begin with, the Web has certainly exploded in popularity and people are spending more and more time each day surfing their favorite sites.
Second, online advertising has proven itself to be a viable business model for many companies. Countless Web sites display ads that are viewed by an even greater number of people.
Third, along these same lines the online advertising supply chain is fairly complex. In the simplest incarnation, an advertiser might work with an ad network who will arrange to have the ad published through one or more content publishers. In a more complex, but still quite common incarnation, an ad network might work with a syndicator (and the syndicator might work with sub-syndicators).
Fourth, advertising itself has become very rich. While text-based advertisements are still popular, we are definitely seeing more fancy ads that use technologies like Flash. The reality is that an advertisement is more than just an ad; it's a small piece of software that runs on your machine in the context of your Web browser.
And finally, browsers are becoming more complex. In addition to the core Web browser, people often enhance their Web experience through one or more plug-ins. For example, Flash is enabled on a Web browser through a plug-in.
This increase in prevalence combined with the increased complexity makes online advertising a ripe target for attackers. Since an advertisement is a piece of software, there is potential for that software to be malicious. One example that I blogged about previously involved a social networking site, a little over a year ago. One of the advertisements they served took advantage of a well-known Windows vulnerability. Over a million people saw the advertisement. Although the vulnerability was known, and although a patch had been issued, it's likely that many people who viewed the ad didn't have their patches up to date. In these cases the site that displays the ad is otherwise an innocent bystander, since the advertisement content itself is supplied by the ad network.
Along the same lines, anything one can do in a scripting language like JavaScript can also be done in Flash. So, in principle, Flash-based advertisements can implement the kinds of attacks possible through malicious JavaScript. These include scanning internal network hosts and drive-by pharming.
What makes attacks leveraging online advertising especially powerful is that it is entirely possible for an otherwise trustworthy, popular, and well-meaning site to host an advertisement containing malicious code. While there have thus far only been a few instances of malicious online ads, I expect it to be a growing trend.
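Because an ad is software supplied by a third party, one practical place to catch a malicious creative is before it is served at all. The following is an added example, not code from the original post or from Symantec: a small Python audit that walks an ad creative's markup and records the features that turn a picture into executable content (scripts, plug-in objects, nested frames, event-handler attributes, javascript:/data: URLs and references to hosts outside an allowlist). The allowed host name and the three sample creatives are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the (hypothetical) publisher has agreed may serve ad assets.
ALLOWED_HOSTS = {"cdn.example-adnetwork.test"}


class CreativeAuditor(HTMLParser):
    """Record the features of an ad creative that make it executable content
    rather than a static image, so a reviewer can look at them before serving."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self.findings.append("inline or remote script")
        elif tag in ("object", "embed"):
            # Flash and other plug-in content arrives through these tags.
            self.findings.append(f"plug-in content via <{tag}>")
        elif tag == "iframe":
            self.findings.append("nested frame")
        # Any attribute that loads or links to a URL is checked against the allowlist.
        for name in ("src", "href", "data"):
            url = attrs.get(name)
            if url:
                self._check_url(url)
        # on* attributes are script, even when no <script> tag is present.
        for name, value in attrs.items():
            if name.startswith("on") and value is not None:
                self.findings.append(f"event-handler attribute {name}")

    def _check_url(self, url):
        parsed = urlparse(url)
        if parsed.scheme in ("javascript", "vbscript", "data"):
            self.findings.append(f"{parsed.scheme}: URL")
        elif parsed.hostname and parsed.hostname not in ALLOWED_HOSTS:
            self.findings.append(
                f"reference to non-allowlisted host {parsed.hostname}")


def audit_creative(html):
    """Return the list of findings for one creative; an empty list means the
    creative contains nothing but static, allowlisted content."""
    auditor = CreativeAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample creatives (not real ads).
IMAGE_BANNER = ('<a href="https://cdn.example-adnetwork.test/click">'
                '<img src="https://cdn.example-adnetwork.test/banner.gif"></a>')
FLASH_BANNER = '<object data="https://cdn.example-adnetwork.test/ad.swf"></object>'
RISKY_BANNER = ('<a href="javascript:void(0)">'
                '<img src="https://cdn.example-adnetwork.test/1x1.gif" onload="track()"></a>'
                '<script src="http://203.0.113.5/loader.js"></script>')

if __name__ == "__main__":
    for label, creative in [("image", IMAGE_BANNER),
                            ("flash", FLASH_BANNER),
                            ("risky", RISKY_BANNER)]:
        print(label, "->", audit_creative(creative) or "clean")
```

The plain image banner produces no findings, the Flash creative is flagged once so a reviewer knows plug-in code is involved, and the third creative is flagged for a javascript: link, an event handler, a script tag and a script source outside the allowlist. A check like this does not make a creative safe, but it separates the creatives that are just pictures from the ones that deserve a closer look before a publisher puts them in front of a million visitors.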
The unfortunate moral here is that there are no truly safe locations on the Internet. That shouldn't stop you from surfing the Web; it simply means that if you do so, it's important to be protected. Recognizing that these types of issues would come up, Symantec has built a number of excellent Web-browsing protections into our 2008 products, which were launched recently.
Posted by Zulfikar Ramzan on November 27, 2007 05:00 AM