The problem with a drive-by web page attack on your PC is that it is very difficult to avoid. All that needs to happen for your computer to be at risk is for you to open a web page with your browser. That’s it. Even if you haven’t clicked on anything, if the malware code is on the page and can run, then your computer’s security is at risk. Malware code is increasingly being placed in advertisements and, as we all know, ads are pretty much everywhere on the web.
From Google Security Blog. http://googleonlinesecurity.blogspot.com/2008/02/all-your-iframe-are-point-to-us.html
We know not to visit web sites we are not sure about or to click on links we don’t trust. The major problem for us is that web sites we do trust run third-party advertisements. Worse still, most websites refuse to take any responsibility for the third-party ads that they display.
Check out the Terms of Service for your favourite web site and note how it disclaims any responsibility for its third-party ads. It would be more honest if websites just displayed a banner at the top of every page declaring “You visit this site at your own risk!”.
This arrangement seems all wrong to Polybore. Imagine you bought a brand new car with a disclaimer stating that the brakes were manufactured by a third party, so you, the driver, use them at your own risk. One day the brakes fail, but luckily you avoid a serious crash. You complain to the manufacturer and they point at the disclaimer. Sure, they replace the brakes for you, but with a new set of third-party brakes which, again, they will take no responsibility for. As a customer buying a car you would not stand for it, but as a customer visiting a web site you have to like it or lump it.
So we visit a trusted site like BlogCatalog and, thanks to the malware code in a third-party ad they have been served, zap, our security is compromised. Sure, BlogCatalog “solve” the problem by removing the malware-infested ads, but then they replace them with another set of third-party ads which, again, they will not take responsibility for.
If BlogCatalog are not taking responsibility for their potentially malware-carrying ads, does that mean they don’t care about the security of their visitors? In a previous post Polybore wrote about contacting BlogCatalog with the suggestion that they inform their members of the time frame during which they were serving the malware ad and advise members who visited during that time to scan their PC for viruses and spyware. A perfectly reasonable request.
Well, three days have passed and no response. Visit this Polybore post to see how the story started: http://polybore.blogspot.com/2009/03/blogcatalog-gets-hit-by-malware-trojan.html
Polybore does not want to give the impression of being down on BlogCatalog; other popular and trusted web sites have been caught out by third-party malware ads as well. Polybore visits BlogCatalog regularly (and likes it), so Polybore’s security was put at risk. This makes the BlogCatalog malware incident rather more real for Polybore than other incidents that have occurred, and therefore the best example that Polybore can use to illustrate this threat.
Polybore is not alone in taking this view. See this post on the IBM security blog that Polybore found while looking for sources to back up this post. (By coincidence it is scarily similar to this post, but Polybore’s analogy is better.) http://blogs.iss.net/archive/InfectedAdvertising.html
OK, we have established that drive-by web attacks are a serious threat to our security and that they are very difficult to avoid (unavoidable?).
Unless websites tighten up their act or are forced to take responsibility for their ads, we have to assume that we can’t trust any website to offer any sort of security guarantees regarding their third-party ads. In effect, rightly or (Polybore thinks) WRONGLY, websites currently leave their customers’ security against malware-distributing third-party ads entirely to the customer.
This article at Tweak and Tune also discusses the threat of malware and details security measures we would all be wise to employ. Peter mentions keeping your software up to date as an important security measure.
Polybore would like to emphasise the importance of keeping your software updated. The criminals who write this malware code are always trying (and sometimes succeeding) to evade detection by anti-spyware and anti-virus software. To do this they can use code in binaries that targets specific weaknesses in your software applications; such binaries are harder for anti-malware software to spot and intercept. When software makers such as Adobe, the maker of Flash, identify these possibilities for exploit, they patch or update to remove the threat. Much of the malware out there relies on people not updating their software.
More detail on Flash-based binary malware attacks: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1341749,00.html#
Because people have so much software on their computers (Java, media players, Flash, etc.), it is difficult to keep tabs on how up to date it all is, and sometimes these programs are not that good at automatically updating.
For that reason Polybore strongly suggests you try out the Secunia Online Software Inspector (OSI). http://secunia.com/vulnerability_scanning/online/
This extremely useful tool will highlight software on your PC which needs updating. When Polybore first used it, it was an eye-opener how many programs needed updating on Polybore’s computer, especially as Polybore makes a point of trying to keep updated.
Stay safe and, if you can, put pressure on websites to get their act together regarding the third-party ads they display.