They pack malware code into an alpha channel of the ad image and then use innocuous-looking JS code (which happens to be delivered with the ad) to extract and execute it. This allows them to sneak their goods past the ad network review.
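A defender-side check for the alpha-channel trick described above, added here as an example (it is not code from the thread or from any ad network). It assumes the image is already decoded to a flat RGBA buffer; the thresholds and the sample banners are my own constructions.

```javascript
// Added example (not from the thread): heuristic check for an ad image whose alpha
// channel carries arbitrary bytes rather than transparency. Input is a flat RGBA
// byte array (width*height*4), as a canvas getImageData() or a PNG decoder yields.
// Shannon entropy, in bits per byte, of a byte sequence.
function entropyBits(bytes) {
  const counts = new Array(256).fill(0);
  for (const b of bytes) counts[b]++;
  let h = 0;
  for (const c of counts) {
    if (c === 0) continue;
    const p = c / bytes.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Every 4th byte of an RGBA buffer is the alpha sample.
function alphaChannel(rgba) {
  const a = new Uint8Array(rgba.length / 4);
  for (let i = 0; i < a.length; i++) a[i] = rgba[i * 4 + 3];
  return a;
}

// Genuine transparency is dominated by 0 and 255 with a few soft-edge values;
// a smuggled payload looks like compressed data: close to 8 bits of entropy.
function alphaStats(rgba) {
  const a = alphaChannel(rgba);
  let middling = 0;
  for (const v of a) if (v !== 0 && v !== 255) middling++;
  return { entropy: entropyBits(a), middlingFraction: middling / a.length };
}

// Assumed thresholds (mine, not from the thread): flag only when both hold.
function alphaLooksLikePayload(rgba, minEntropy = 7.0, minMiddling = 0.5) {
  const s = alphaStats(rgba);
  return s.entropy >= minEntropy && s.middlingFraction >= minMiddling;
}

// Constructed samples: a 64x64 opaque banner with a 4-pixel fade on its left
// edge, and the same banner with its alpha plane overwritten by LCG bytes.
function makeBanner(alphaAt) {
  const rgba = new Uint8Array(64 * 64 * 4);
  for (let i = 0; i < 64 * 64; i++) rgba.set([200, 30, 30, alphaAt(i)], i * 4);
  return rgba;
}
const benign = makeBanner(i => (i % 64 < 4 ? (i % 64) * 60 : 255));
let seed = 12345;
const lcgByte = () => ((seed = (Math.imul(seed, 1103515245) + 12345) >>> 0) >>> 16) & 0xff;
const stuffed = makeBanner(() => lcgByte());
```

A real pipeline would run this on the decoded creative at review time and again at serve time, since the image can be swapped after approval.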
The Flash runtime is big, the API surface is huge and Adobe doesn't feel like it pours a lot of resources into maintenance today. The tech was nice but it should be banned from browsers today.
I just wish I could tell those overly clever "adaptive" video quality systems (HLS, MPEG-DASH) to get out of my freaking way and give me a video file at a given bit-rate.
Oh, of course it is. A complete scripting runtime engine (ActionScript), support for a boatload of video streaming formats including realtime communication, ...
One might say the same thing about browsers - as Flash bloated in scope over time, so do browsers now.
Firefox clocks in at a healthy ~50 MB, as does Google Chrome, for the offline installers - Chrome expands to ~360MB app size, and Firefox to ~180MB (both current versions on OS X 10.11). I won't even get started on the RAM usage - a typical 10-tab session can easily munch happily through 4 GB RAM and more (especially when there are lots of ads).
It's a pity that a 3-year-old netbook (or cellphone) is basically unusable because browsers creep up so much in featuritis :(
Wait, why don't they just ship the evil code right away? If some blocking routine would be able to detect the malicious code as-is, shouldn't it be able to detect this as malicious code? It's code that builds javascript code and evals() it!
You shouldn't need any kind of blocking for that, the browser should block it out of the box.
Yeah, it seems like treating eval() as acceptable would allow for many other less elaborate nasty things. I mean, couldn't you just do eval('edoc dab'.split().reverse().join())?
You mean people at the ad-networks, reviewing the code that advertisers want to use?
Seems like a single occurrence of "eval" should both fail that automatic review AND be blocked by default in all browsers using default security settings.
I think this just shows that ad networks shouldn't be using js at all. Just dumb images. (Yes I know, no tracking then which makes it useless yada yada - deal with it)
Who said anything about including the word "eval"? Javascript is really rather bad for allowing surprising things: eval is possible in just 6 innocuous-looking characters - see http://www.jsfuck.com
Yeah I saw them but didn't quite understand the ones at the bottom e.g. "eval". I get the weird type conversions at the top, not how they magically become function calls at the bottom.
Edit: Wikipedia article explains - you can call functions by name with that "filter" thing.
This should be pretty easily blockable though - if you block "eval" then just block most of the obscure jsfuck constructs too.
The jsfuck.js parses the obfuscated string to generate valid JavaScript code.
One of the patterns that jsfuck.js supports is "run the following as eval()"
https://github.com/aemkei/jsfuck/blob/master/jsfuck.js
line 282
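A cheap review-time heuristic for the point made in these comments, added here as an example (not code from the thread or from jsfuck.js): grepping a creative for the word "eval" misses a script written in the JSFuck alphabet, but a script that consists almost entirely of those six characters is itself a signal. Thresholds, the regex list and the sample scripts are my own assumptions.

```javascript
// Added example (not from the thread or from jsfuck.js): a review-time heuristic for
// the "eval in six characters" problem. A script made almost entirely of []()!+ is
// JSFuck-style code, which grepping for the word "eval" will never catch.
const JSFUCK_CHARS = new Set(['[', ']', '(', ')', '!', '+']);

// Fraction of non-whitespace characters drawn from the JSFuck alphabet.
function jsFuckRatio(src) {
  const body = src.replace(/\s+/g, '');
  if (body.length === 0) return 0;
  let n = 0;
  for (const ch of body) if (JSFUCK_CHARS.has(ch)) n++;
  return n / body.length;
}

// Textual routes to dynamic code execution a reviewer should flag. Assumed list,
// deliberately not exhaustive; it is the cheap first pass, not the whole review.
const EVAL_LIKE = [
  /\beval\s*\(/,
  /\bFunction\s*\(/,
  /\bset(?:Timeout|Interval)\s*\(\s*['"`]/,  // string argument instead of a function
  /\.constructor\s*\(|\["constructor"\]/,     // reaching Function through .constructor
];

// Verdict for one ad script. Assumed thresholds: a body at least 64 chars long
// that is >= 90% JSFuck characters is treated as obfuscated (ordinary minified
// JS sits far below that ratio because it still needs identifiers and strings).
function reviewAdScript(src, ratioThreshold = 0.9, minLength = 64) {
  const reasons = [];
  const body = src.replace(/\s+/g, '');
  const ratio = jsFuckRatio(src);
  if (body.length >= minLength && ratio >= ratioThreshold) {
    reasons.push(`jsfuck-style: ${Math.round(ratio * 100)}% of characters are []()!+`);
  }
  for (const re of EVAL_LIKE) if (re.test(src)) reasons.push(`dynamic code: ${re.source}`);
  return { verdict: reasons.length ? 'reject' : 'pass', reasons };
}

// Constructed samples: a plain click handler, an obvious eval, and the JSFuck
// spelling of []["flat"] (harmless here, but it is the alphabet the thread discusses).
const plainBanner = 'document.getElementById("ad").addEventListener("click", () => location.assign(AD_URL));';
const obviousEval = 'var s = atob(payload); eval(s);';
const jsFuckish = '[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]';
```

Comments and string literals dilute the ratio, so a real pipeline strips them before scoring; the ratio is a triage signal to route a creative to a sandbox run, not a substitute for one.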
> You're not wrong, but there are difficult customers with money to consider.
In Google's case I can see the conflict - they both make a browser and live off ads. But apart from that minor issue I don't see why browser vendors don't just block "eval()"?
(Also, they have started blocking flash, thank god - so maybe this will all be a thing of the past soon)
If the ads are dumb enough (i.e. you don't count impressions/clicks/conversions etc) then there is also very little room for fraud.
My point is: online ads should become what bus stop ads have always been. You buy a space and display a dumb image. Did it work? You have to do your own A/B testing in half the city. What was it worth? You have to trust those you buy ad space from on how many people read their paper or pass by their bus stop.
I use PHP's eval() for an interactive testing environment on a live smallish server. It's like open-heart surgery, so I agree it's not innocuous. Of course I took care to protect the access. This environment is useful for some quick hacks and tests. If this were a bigger deployment with more at stake, I would remove this environment from the production systems. Because, you know, it's not innocuous.
This isn't a useful answer for you at all, but I thought I'd mention that there are "kind of" innocuous eval()'s such as Angular's eval() [1] where instead of JS being evaluated (which can lead to nasty things), an Angular expression is evaluated, which is a bit safer.
Obviously what I've just said doesn't help solve any problems here, but thought I'd throw it in there anyway :)
Well, it bypasses the spirit, which was to exert some control over what got loaded into the browser via the back door. Now, malicious code can just come in the front door.
I really don't want to block all ads. I want companies to earn revenue from their readers. But this has to stop if I'm ever going to surf the net unprotected.
The nature of people && the Internet && geopolitics && the economy will never allow this within our time. Never surf unprotected. Hell our current protection is lacking and needs further fortification.
Edit: I also think ads are a bad source of income. It's based in psych warfare and in turn is based on toxic adversarial culture.
Ads are as old as media, but that doesn't mean I have to accept them in all possible forms. A Google or Project Wonderful text ad - pure text with a link - is fine with me.
This nonsense, though? I don't remember the last time a classified ad leapt out of the newspaper and stole my grandmother's credit card.
Ad blockers are new, so we don't have to "get used to it". Successfully lowering the amount of incessant ads I am exposed to has increased my sovereignty and peace of mind.
I never understood this argument. It's not like advertisers are going to say "Oh, everyone is unblocking ads. Let's stop using 'sponsored content' then!"
They are going to continue with both sponsored content AND ads. I'm just cutting off one side.
Probably. If only one avenue works, they'd use that one avenue. Doesn't mean we can't fix that problem either. I'd still rather they only have one avenue of attack on me than two.
Sponsored content is preferable to the harassing nature of pop up type advertising. It's also easy enough to avoid the majority of it by simply ignoring mainstream news outlets.
Walt Mossberg interview a year or two back, on Recode. Talking about the problem they had with advertising. Conversation, essentially: "Yes, we'll advertise with you, for two months. Until we see where your users are going on the Internet, other than you, so we can buy ads there for less."
And, of course, the advertisers are eating sky-high fraud rates from many publishers (even legitimate ones, after the ad has been laundered through a half dozen markets and resellers). Off-page display, clickfarm views, even just lying when it comes time to bill.
There's really no one involved who isn't getting robbed at least some of the time.
Yeah, I'd like to receive ads and help the sites I use stay in business. But that industry as a whole is going to have to lock this down before I'll unblock.
My site's advertising is comprised of self-hosted, static images so it isn't impossible. They are also much more relevant than most websites' ads because I target the ads based on the content.
I don't have a problem with cross-origin sharing of things like images, and I believe blocking these would break a lot of web pages.
However, I would quite like cross-origin blocking of things like flash and scripts. After all, that flash program that kicked the whole thing off probably wasn't loaded from the host web site. That seems much more sensible and low-impact to me. It also has a side-benefit of forcing ad networks to fall back to static images, which has to be a good thing.
Most ads are served in iframes, which get their own origin independent of the parent window. Unless you want to block cross origin frames, then this is still a problem.
Actually this is a good idea. Is there a way to make Firefox behave like this? I'm interested how broken the web would become, or if it would actually make the web faster and more usable by only loading content relevant to the website.
I have been using uMatrix in both FF and Chrome for this purpose. Works great once you have some basic rules saved. There are so many web pages that break because they are loading their content from 4 or 5 different sources (not counting ad networks).
More or less than if browsers had blocked Flash say 3 years ago?
Because I think that's the standard. If they can do it for Flash, then they can do it for anything else, too. They just need to set a deadline with a reasonable amount of time before it's reached so that all developers can adhere to the new specs.
I really hate the attitude of "well, too many websites/apps would be broken so I guess we'll never do it, or we'll just wait for the web to collapse first so that everyone agrees we should do it" from "platform" (in this case browser) vendors.
If it's that bad, then just set a 2 year, 3 year, or even 5 year deadline for the change (perhaps with some intermediary progressive blocking, like it's happening for Flash).
It pisses me off because it seems the same is happening with ASLR on Linux [1]. We've had it for 15 years, but nobody is willing to force developers to use it "because it would break things". Screw that. Set a deadline and do it already. If their apps can't make such a change in 3 years, then I could care less that their apps will stop working. Critical vulnerabilities that allow dangerous exploits to happen also "break a lot of things", and not just themselves either, but the firefighting patches that come after them, too.
I have no problems breaking the existing web for a more secure web tomorrow. None whatsoever.
I've been highly irritated by people freaking out that Flash is starting to get blocked - despite it being deprecated in those browsers for years. It wasn't exactly a surprise.
But I guess that's the crap that hits us. No one will make a damned change till they're forced to do it right now.
I'm somewhat sick of advertising networks serving malware. JavaScript is Turing complete, and leaky as hell. There is no safe way to use it for ads, so don't let your clients use it!
The modern web relying on huge megabytes worth of data has led to us needing CDNs and other 3rd party providers.
Anytime a website uses a 3rd party provider, it opens a hole in itself, and with the insane complexity of a modern browser... That's just asking for trouble.
But asking Google to give up the practices they use to forward their own agendas, like advertising, and their walled garden of AMP, won't happen.
Chrome has the usage that it can exhibit considerable force on the other browsers, and the reverse isn't true.
EDIT: In other words, I completely agree with you, but cry when I see the state of things. Just want that to be clear.
And then networks and publishers complain about users blocking ads. That's why people should block ads served by third parties. It's not just about visual nuisance but security first and foremost.
I have to see warnings for weak certificates, but loading 3rd party scripts is ok by default. When browsers are written by ad companies or beholden to ad companies, this is what you get.
Apple and Firefox (if Yahoo will let them) need to step up and block 3rd party scripts by default. Maybe even Chrome would get in on it if there was special whitelisting for Google's analytics.
That would kill 90% of the web, because people love to load Bootstrap, jQuery and Google ajax crap from 3rd party CDNs. Can we just please get content-based hashing and stop with this JS outsourcing bullshit?
Content based caching would be a massive security nightmare.
All you'd need to do is serve up the same asset as any other site on the web and you could instantly know if the user has been there recently.
No need for tracking at all, just serve this up to people who go to HN, this to the redditors, this to anyone that was recently on 4chan...
Or let's take it a step further. I could reasonably figure out what your user-page on HN looks like to you when you're logged in. I'll serve that up to all my visitors and when I get a cache-hit I know it's you!
Even places that aren't loading crap from 3rd party CDNs put their bundled JS code onto their own CDN that probably has a different origin than the site you're on.
To add to this. You could get the javascript flying for a time before activating it with the image. Effectively inoculating some protection measures to your activation agent.
> Using the known Internet Explorer vulnerability CVE-2016-0162, the encoded script attempts to verify that it is not being run in a monitored environment such as a malware analyst’s machine.
No, the paranoid developers wanted to use that exploit to check if it was on an analyst's machine. That's an imposed restriction, not an inherent constraint.
If you're an engineer and are fascinated by this subject, I'm interested to hear from you. Our startup specializes in the real time detection and blocking of these malicious ads.
I am not quite sure how they got to running JS on the victim's browser in the first place? I would guess any JS being loaded is from the ad network. I know IE had this vulnerability where it would ignore MIME type and would guess file type from content (so an attacker could serve a specially crafted image which would be interpreted as JS), but that should be long patched... Or did they act as an ad network themselves?
The other day there was this article claiming that virus scanners do more harm than good, but in this particular case it's interesting to see that they would have prevented the exploit.
Neat, but not that impressive.