Banner Ad on Myspace Serves Adware to 1 Million 390
An anonymous reader writes "Washingtonpost.com's Security Fix blog reports that a banner ad running on MySpace.com and other Web sites used a Windows security flaw to push adware and spyware out to more than one million computer users this week. The attack leveraged the Windows Metafile (WMF) exploit to install programs in the PurityScan/ClickSpring family of adware, which bombards the user with pop-up ads and tracks their Web usage."
I love how the submission links the comments (Score:5, Insightful)
Woohoo!! (Score:1, Insightful)
Re:The rise and fall of myspace (Score:1, Insightful)
The internet is a fad. It is a fad that may be here for a long time, but it too shall pass. This type of abuse, as well as the abuse by sexual predators and antagonistic peers will eat away at its usefulness until it is outlived and replaced by the new "cool" thing.
Comment removed (Score:5, Insightful)
Slashdot one-ups Washington Post moderators (Score:2, Insightful)
Re:First time? (Score:5, Insightful)
Yes, and you're 100% right. Since they are syndicating it, showing 'due diligence' in making sure they aren't syndicating harmful code is their responsibility.
The question comes down to , reasonably, what is a good percentage to equate with 'due diligence' in checking what they syndicate. They have a few million pages, videos and photos to police, as well as watching what their advertisers are using their network to display.
So even if they go way above and beyond the 80% catch rate of abuse prior to it leaving their network, stuff like this is still going to happen. I'd imagine they only catch about 70% of illegal use involving their network, and considering its size and attractiveness to bad-doers, that's not bad.
Of course its an age old argument, who is most at fault. The person who shot the gun or the company that provided it?
I am also noting a rather old vulnerability was exploited, and people not updating their systems need to share some of the blame.
So I guess in essence
Re:Just update (Score:4, Insightful)
Re:Prosecute the "sellers" too (Score:4, Insightful)
Only if Myspace knew what was going on (which they almost certainly did not). Or do you think any business transaction with criminals is 'akin to aiding and abetting'? In which case, shouldn't you also prosecute
Re:DNS Ad-blocking (Score:2, Insightful)
Prosecute MySpace (Score:4, Insightful)
You mean like the government wants our ISPs to track and monitor our web usage and keep copies of all our IM's, searches and emails? Or how about our libraries revealing what books we check out? Maybe AT&T could provide a log of all your phone calls. How about the banks reveal all your financial transactions?
Oops, I forgot - the Patriot Act, among other obscure laws, already allow this.
Innocent until proven guilty no longer applies in the land of the free - why should it apply to corporate America any different? Oh yea, I forgot, they own the politicians.
Why can't Microsoft patch the holes in it's software? Why can't MySpace screen it's advertisers? They aren't showing porn site ads, because they 'screened' the ads, correct? So, how come they are serving adware?
If it's ok for the government to be constantly running background checks (illegally I might add) on it's own citizens in a 'FREE' country, then MySpace should also be responsible for spreading viruses and spyware. Of course, they won't ever have to answer for it. News Corp may as well be owned by the GOP...
Re:Virus/adware-spreading ads (Score:5, Insightful)
The problem is with the ad-serving companies that these websites use. Either they're less-than-trustworthy, and are directly responsible for the exploits being used, or they sub-contract out, and don't care enough to keep an eye on their "partners". Usually, notifying the webmaster of the offending site is enough to get them to have a "talk" with their advertisers to resolve the situation.
Of course, you probably already know this, but it bears repeating as it's something that can be missed by people not familar with the subject.
Please, won't someone think of the n00bs?
is myspace responsible for their site or not? (Score:5, Insightful)
Only if Myspace knew what was going on (which they almost certainly did not).
I'll make this very simple for you: Is myspace responsible for the content they put on their site, or not?
When you are a website the size of myspace, failing to vett your advertising borders on gross negligence and incompetence.
Furthermore, if you study how 'responsibility' plays out in the business world, particularly with lawsuits- the first party on the food chain is responsible. If that company wants to take action against its employees, suppliers, etc- so be it. But the buck, figuratively, stops at "round one".
Re:Prosecute the "sellers" too (Score:5, Insightful)
This is different. This is the business putting up an advertising hoarding that is dangerous to visitors. The business already vets its adverts (so no porn), so it has the duty and capability to vet its adboards for viruses, just as if it was hosting auto-install viruses on the front page in their own webspace.
Just because it subcontracts the advertising out to a third party doesn't get myspace off the hook, any more than a bank with a beartrap inside the front door wouldn't be liable because their builders put it there.
Re:The shocking part is.... (Score:3, Insightful)
Why is this shocking? Windows has the highest market share and comes pre-installed on way more than the majority of pre-built computers. It is what people are used to using since it is the OS that most people started out on, so the majority of people are more comfortable using Windows since they don't have to learn something new. A lot of people also just don't know any better. They don't realize or care that there are other OS's available, as long as they can surf the web, check their e-mail, use MS Office applications, and play their games what incentive do they have to move to anything else?
The package management system is horribly antiquainted, the dependancy checking leaves a lot to be desired, and then there are the security holes in the stock applications that come with the OS.
Oh, sounds a lot like linux (although it has gotten better recently). I am not a fan of how Windows goes about these things either, but I must say that I have had much more frustrating times with dependency and package management problems on linux than on any Windows machine. On Windows it usually goes like this:
1) Try and install upgrade to software.
2) It doesn't work.
3) Uninstall software package completely.
4) Reinstall software.
5) It magically works.
Yes, it is horrible that a lot of upgrades work that way but at least that is usually all that is needed. With linux on the otherhand I have literally had to spend days sometimes trying to get packages upgraded/working properly, even with Yum and other package handlers. One pain in the ass that I remember off the top of my head was when I was trying to upgrade some Perl MySQL module after upgrading the MySQL server, it literally took me 3 hair pulling days to finally get everything working right and the whole problem was caused by an error with CPAN (I can't remember exactly right now what the error was).
If I had to direct my 91 year old grandmother over the phone how to install some software I would much prefer she be running Windows than linux. It would be great if everyone ran linux but I think you are getting ahead of yourself if you honestly believe that it is easier to use than Windows. Now if you are a Mac guy then you could be right, but I have very limited Mac experience.
Linux is also not immune to having stock applications that have security holes and need to be patched right away, Windows is not alone at all in that regard either. After freshly installing either Windows or linux I have to go through the process of applying the needed patches on both.
Maybe some day it will mature enough to be useful, but for now it's just a novelty that still isn't up to being used in a production environment.
If you play games then Windows is very useful since the majority of games are developed for the Windows platform. It also can be made pretty damn secure as long as you lock it down reasonably well, I have not had any problems at all for the last 4 years on my Windows XP Pro boxes at work or home. My work box also is very useful for Windows development, so it is not just a "novelty" and actually is up to being used in a "production environment".
I don't know what OS you use but you really need to get over your zealotry, you just sound like all of the other zealot sheep who love to rip Windows to pieces even though it does have some useful purposes that they always fail to acknowledge. Windows has its quirks (and quite a few) but so does every other OS that I have used.
Re:Prosecute virus creating companies. (Score:5, Insightful)
Speaking personally, I generally block ads that are misleading, flashy and/or distracting. I've lost count of the number of times an otherwise perfectly good webpage has been ruined (aesthetically) by an in your face ad.
Anything that attempts to look like a system dialogue, or to convince me that my PC is running slowly and needs to be fixed, etc, gets the entire advertiser's domain and sub-domains blocked. I hate that shit.
Re:This comes right after a Flash hack (Score:3, Insightful)
Sorry try again after you RTFM RE: security issues.
Its the Ad, not Myspace (Score:2, Insightful)
Myspace isn't at fault and neither is Microsoft
Sure they make shitty products for the below average user, but that isn't the problem. Myspace administrator's don't choose exactly which ads are dissplayed on their pages, they sell their ad space to an ad company with a few constraints on what types of ads are allowed to appear. The company who provides the ads then chooses specifically which ads it wishes to display on each of Myspace's, and for that matter, hundreds of other web site's web pages. And the users who didn't update their Windows OS arn't any more at fault either. Is it my fault if I leave my window unlocked and I get robbed because of it? No.
Another important note:
Myspace users were not the only one affected by this banner ad
So enough with the flame wars, go fuck the adware companies that are fucking everyone over.
Re:This comes right after a Flash hack (Score:3, Insightful)
I figure it's good training for when they have to go off to college away from their MCSE/Linux Geek/Ex-BBS sysop dad.
MySpace Hate (Score:2, Insightful)
Re:Prosecute the "sellers" too (Score:3, Insightful)
So why do you then say MySpace should be held responsible?
Look.. the visitors are not MySpace's clients.. the visitors are the product (and if they aren't the product, then at best they are leaches.. they would never be considered a client, since they don't give MySpace a dime).
MySpaces clients are those who give it money.. ie: the advertisers.
Re:Just update (Score:3, Insightful)
Re:Firefox with Adblock? (Score:4, Insightful)
err - he's Rupert Murdoch. If he wasn't going to "make millions off of that company" he wouldn't of bothered with it.
Re:Prosecute virus creating companies. (Score:5, Insightful)
Re:Really?? (Score:3, Insightful)
Re:Prosecute virus creating companies. (Score:5, Insightful)
This works for the same reason that spam works - it's cheap to do, and only a few stupid people need to click on the ads for them to be making money again.
Re:First time? (Score:3, Insightful)
'Due dilligence' in schools, for example, may not be assuring no single kid ever smokes crack, but it certainly is making sure the school bus driver doesn't.
Re:Prosecute virus creating companies. (Score:5, Insightful)
I have to disagree with both of you. People block ads not because of risk, not because they take up too much bandwidth and processor power, but because they take up too much attention. People want to pay attention to the real content, not wade through fake distracting crap that wants to sell them something.
Aren't there antihacking laws that apply? (Score:4, Insightful)
Tampering with 1 million computers without permission and AFAIK without good reason. Isn't that a serious criminal offense?
That's what annoys me the most about all those "antihacker" crusades. Don't the same laws apply to spyware, unauthorized adware etc? Even Sony's DRM crap.
But no, the FBI and other authorities round the world seem to prefer trying to jail people who are pretty harmless (like that brit looking for UFOs).
If directors/owners of companies doing such stuff were sent to jail (or even seriously threatened with jail), you'd see a lot less spyware or nasty adware around.
Instead there's one law for the small stupid amateur and another law for the incorporated pros.
And that is the real reason why there's so much spyware around. Not because users are clueless (even though they are) or click on attachments without thinking.
Re:Prosecute virus creating companies. (Score:5, Insightful)
Re:Prosecute virus creating companies. (Score:3, Insightful)
Good Job (Score:2, Insightful)
Re:Virus/adware-spreading ads (Score:3, Insightful)
I've never known them not to
What I get a kick out of is how they like to tell you they have no way to contact them and there's nowhere you can complain to.
Um... you're getting a CHECK from them every month, remember? (we know you're not allowing that crapware on your site for free!)
Excuses, excuses (Score:3, Insightful)
Funny, that's the same kind of excuse spammers use. "Oh, I'm not a spammer... I purchased this list of e-mail addresses in good faith, how was I to know they weren't all 100% verified opt in like the seller said?"
It's also the same excuse The Pirate Bay use. "Oh, no, we're not responsible... we just provide a service which other people use to serve up illegal content."
Re:Prosecute MySpace (Score:3, Insightful)
No, not really...
I'm scared to ask, but how does your conspiracy theory reason why the government would want ISPs to monitor all that information, when the government itself really wouldn't have any trouble doing it themselves?
"Why can't Microsoft patch the holes in it's software?"
They do. Users just don't always install the patches.
"Why can't MySpace screen it's advertisers? They aren't showing porn site ads, because they 'screened' the ads, correct? So, how come they are serving adware?"
What part of 'hidden in the ad' did you not get?
Spyware common on MySpace (Score:2, Insightful)
Re:First time? (Score:3, Insightful)
Of course its an age old argument, who is most at fault. The person who shot the gun or the company that provided it?
More like the age old argument, is it illegal or not. Sadly the facts are that this event is not a criminal event, the police won't be getting involved, and no one really cares. Not the infected users, not myspace, and not the advertisers. This is just more roadkill on the information superhighway. Nothing to see here, please move along.
Re:This comes right after a Flash hack (Score:3, Insightful)
You gotta love laziness! You know the weird thing is that is most likely the best thing that he could have done to "fix" his problem. I'm on several security mailing lists and get notices of all the holes in nearly everything. Do you want to know the real dirty secret? That process is worthless to me unless they happen to be announcing a patch to the product that fixes the problem. There is little to nothing he could have done if his problem was in a piece of software that he runs but doesn't write himself. About the only thing that, he could do to speed up develop of a patch is pray. Suggesting to users to update their flash players after a flash hack sounds like it should be a valid solution if the problem was in the vast majority of user's outdated flash players.
Re:Virus/adware-spreading ads (Score:3, Insightful)
The problem is with the ad-serving companies that these websites use."
The Dilbert website serves ads from these companies, therefore the problem's resolution is ultimately the responsibility of the Dilbert website.
I don't blame the ad-servers just as I don't blame wild animals for mauling tourists. It's in their nature