| By Scott Dunn |
A Flash-based advertisement that appeared last week on the USA Today site downloaded malicious code to users’ computers, generating erroneous warnings of a malware infestation and offering a phony solution.
The Flash vulnerability is so widespread that such “malvertisements” may be present on thousands of sites, but there are measures you can take to reduce your exposure.
Just opening the page puts you at risk
Visitors to USAToday.com last Thursday got more than they bargained for. A hacked Flash advertisement meant that merely viewing a page in your browser was capable of triggering a malware attack on your PC. According to an alert on the security site Websense, the ad can take control of the browser without any user interaction at all.
Get our unique weekly Newsletter with tips and techniques, how to's and critical updates on Windows 7, Windows 8, Windows XP, Firefox, Internet Explorer, Google, etc. Join our 480,000 subscribers!
Subscribe and get our monthly bonuses - free!
The Windows 7 Guide, Volume 3: Advanced maintenance and troubleshooting provides advanced tools for keeping Microsoft's premier operating system up and running smoothly. Get this excerpt and other 4 bonuses if you subscribe FREE now!
Two days after the ad appeared on the USA Today site, two prominent Utah-based news sites, DeseretNews.com and SLTrib.com, were found to have similarly dire banner ads. These ads directed users to various unexpected locations, including the site for AntiSpywareMaster. This destination has been called a “corrupt anti-spyware parasite” and a “fake program” by the RDV Group, a safe-computing organization.
News sites aren’t the only victims of what Sandi Hardmeier, who authors the blog Spyware Sucks, calls “malvertisements.” The ads themselves may appear perfectly harmless, notes Hardmeier, who’s been recognized as an MVP (Most Valued Professional) by Microsoft. “The criminals behind such malvertisements . . . have no shame,” she writes, “impersonating everything from WeightWatchers to Oxfam.”
Advertisements are not the only source of the problem. The principal conveyors of this malicious code are Flash animations (or .swf files), which are commonly used to create intro screens, online video, and other Internet content in addition to Web ads.
Of particular concern are Flash files that are vulnerable to insertion of malicious code using a technique called cross-site scripting, or XSS.
This vulnerability was widely publicized earlier this year by Google researcher Rich Cannings and his co-authors in their book Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions. According to a report in the U.K.–based tech-news site The Register, a Web search revealed more than 500,000 vulnerable files on major Web sites.
| UPDATE 2009-10-08: In her Oct. 8, 2009, Top Story, Susan Bradley reports on the appearance of malicious ads in the sponsored links accompanying search results in Google, Bing, and Yahoo.|
A permanent fix is a long way off
Makers of Flash-building tools, including Adobe, Autodemo, TechSmith, and InfoSoft, quickly updated their development environments to patch the holes, according to a March story in The Register. But because many of the vulnerable files have to be regenerated from scratch, a titanic number of high-risk Flash files remain online.
Speaking at last month’s CanSecWest security conference in Vancouver, B.C., Cannings estimated that over 10,000 sites host the risky files, The Register reported.
But that estimate may be low. In his security blog, Jeremiah Grossman, founder and chief technology officer of WhiteHat Security, writes that “potentially hundreds of thousands” of Web sites could be at risk. “Reasonably workable fixes are going to be a long time coming,” he adds.
Even diagnosing the problem can be a challenge, notes Spyware Sucks’s Hardmeier. She points out that advertising commonly appears on Web sites in one of two ways: either the Web site’s staff handles its own advertising and posts the ads directly, or the site is served ads from an advertising network, which typically manages the content.
Unfortunately, it isn’t always easy for sites or advertising networks to detect problem ads. “Malvertisements are coded to exclude particular IP addresses, cities, states, and even entire countries,” Hardmeier explains. “It is standard operating procedure for a malvertisement to be coded so that it will not trigger a redirect if displayed on a computer within the IP range of the victim Web site or victim advertising network.”
What you can do to protect yourself
Even though the long-term solution is for the providers of Flash-based content to create more-secure versions of their files, there are some measures users can take to protect themselves. These protections are not foolproof, but they at least reduce the risk of exposure to malware via compromised Flash files.
Some of these tips come from Andre Gironda, Secure SDLC Consultant and author of the ts/sci security blog, who posted his pointers in a comment to Grossman’s blog posting.
The no-Flash option
The most effective – albeit drastic – way to protect yourself from malware-bearing Flash files is to uninstall Flash entirely. Adobe provides a special tool for doing this; you can find instructions and a link for downloading this file in a Technote published on the Adobe site.
The part-time-Flash option
If going without Flash entirely is too extreme, you can limit the sites that use this and other risky plug-ins by installing free browser add-ons that let you manage active Web content more granularly:
For Internet Explorer, TurnFlash lets you toggle between blocking Flash files and allowing them to run. A tray icon lets you turn Flash on or off, but the setting takes effect only in any new IE windows that you launch, not in the existing browser window.
A similar utility called No! Flash also switches Flash on and off, but it also gives you the ability to turn off several other elements, such as Java applets and other scripts. As with TurnFlash, the changes take effect in the next IE window you open.
For Mozilla Firefox, a plug-in called Flashblock disables all Flash content on Web sites and replaces it with a round Flash logo. You can selectively enable Flash files by clicking their icons.
For more comprehensive security, the plug-in NoScript not only disables Flash but also turns off Java, Silverlight, and other active Web elements. A NoScript icon in the Firefox status bar provides a pop-up menu for adding a site you trust to the add-on’s “whitelist,” which enables all scripts and animations on the site (but not necessarily those on the site’s pages that are served up by ad networks). You can also right-click a link in Firefox to set its NoScript options via the context menu.
The minimal option
At the very least, update the Flash Player software on your system to the latest version (126.96.36.199 or higher). In the last three months, Adobe has patched a number of security holes in this product. The update won’t protect you from all buggy Flash files on the Web, but it will make your browsing much safer.
You can download the latest Adobe Flash Player from the Adobe Web site.
After you install the update, run the free Secunia Software Inspector online malware scanner to find old versions of the Flash Player that may have been left behind on your system. Secunia’s on-screen report will show the path and filename of the old files you need to delete. You may have to run the inspector more than once to make sure all the old files are deleted. If you delete a needed file by mistake, simply run the newest Flash Player installer again to correct the problem.
One danger posed by Flash bugs is the ability of hackers to get your login credentials for a given site. Andre Gironda recommends creating multiple Firefox profiles, each with its own NoScript (or, if you prefer, Flashblock) settings. He uses his Flash-enabled profile to browse sites such as YouTube, but he exits that browser and launches his Flash- and script-blocked copy of Firefox when he conducts online banking and visits other sites that require logins.
To set up a Firefox profile, do the following:
Step 1. Choose Start, Run. Type cmd.exe and press Enter.
Step 2. At the command prompt, type:
“C:Program FilesMozilla Firefoxfirefox.exe” -profilemanager
Then press Enter. (Note that the quotation marks are required and that your path may differ.)
Step 3. If you want Firefox to prompt you for a profile each time you launch it, uncheck the option Don’t ask at startup in the Firefox — Choose User Profile dialog box.
Step 4. Click Create Profile and follow the steps in the wizard to name your new profile. Repeat the steps to create a second profile. For example, you might name one profile Flash-Yes and another Flash-No. When you’re done, click Exit.
Step 5. Rather than being prompted for a profile each time you open Firefox, create separate shortcuts to launch each profile. For example, if you have a shortcut to Firefox in your QuickLaunch toolbar or on the desktop, drag the shortcut with the right mouse button pressed, drop it, and choose Create Shortcuts Here.
Step 6. Right-click one of your Firefox shortcuts and choose Properties. Click the Shortcut tab and edit the command line so it ends in with -p followed by a space and the name of one profile. For example, the entire command line might read:
“C:Program FilesMozilla Firefoxfirefox.exe” -p Flash-Yes.
Repeat these steps for a second shortcut to launch your other Firefox profile.
Step 7. You may need to download and install one of the plug-ins described above for these profiles and configure each profile’s browser differently. However, any changes you make should be saved with that profile, so they will be in effect the next time you launch it.
A complete solution to high-risk Flash files may not come any time soon. Until the creators and managers of these files can ensure a high degree of safety, users have to be extra cautious to avoid the risks of Flash-borne malware.
For more on Flash security vulnerabilities, see Windows Secrets contributing editor Mark Edwards’s Apr. 10 PC Tune-Up column.
| Readers receive a gift certificate for a book, CD, or DVD of their choice for sending tips we print. Send us your tips via the Windows Secrets contact page.|
Scott Dunn is associate editor of the Windows Secrets Newsletter. He has been a contributing editor of PC World since 1992 and currently writes for the Here’s How section of that magazine.