You got served

Yahoo ad network compromised, distributes Java exploit

Lucy Carey

Oracle security woes alive and well in 2014, with potentially thousands infected by Java malware-spreading hack.

It may be a brand new year – but exasperatingly, Oracle is
making the headlines for exactly the same reason it did
for most of 2013. Last Friday, it emerged that, thanks to an
exploit in Yahoo.com’s advertising network (ads.yahoo.com),
thousands of visitors had been served up Java-based malware.

At present, it’s not yet clear whether these pesky ads were
built to bypass in-house filtering systems to feed out the malware,
or whether Yahoo’s servers and systems themselves were directly
breached.

Either way, it’s yet more negative press for Oracle. After a
2013 where, to certain parties at least, the word ‘Java’ became
synonymous with ‘huge gaping security vortex of doom’, this is an
inauspicious start to 2014 to say the least.

Java’s reputation has received a series of sledgehammer blows
over the past 12 months, from the zero-day Java applet vulnerability,
which was spotted in the wild last January, to unprecedented
native layer exploits coming to light in September.

Even with 51 patches pushed out by Oracle in October,
many lost faith in Java. Although Mozilla’s move to
auto-block Java in its Firefox browser was a source of annoyance
to many, others were quick to back the move.

Regarding this latest debacle, Fox-IT wrote on its blog that it
estimates that, between December 30 and January 3, malicious
materials were delivered to around 300,000 visitors per hour. About
nine percent of these visitors are thought to have been infected by
this hack.

The attack appears to have been largely confined to European
PCs, with users in North America, Asia Pacific and Latin America
said to be unaffected. Yahoo has stated that Mac and mobile devices
seem to have emerged unscathed – although this probably comes as
scant comfort to the thousands of potentially compromised
users.

These malicious ads were intermingled with legitimate material,
and, when served by Yahoo, sent users a kit targeting
vulnerabilities in Java and installing a host of different
malware.
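The pattern the article describes (a legitimate page loads an ad from an ad network, the ad redirects the browser to a third-party host, and that host hands the Java plug-in an archive to run) leaves a recognisable trail in web-proxy logs. The script below is an added example written for this page, not code from the article or from Fox-IT: it walks the referer chain of every Java archive download backwards and flags the fetch when the chain passes through an ad-network host. The tab-separated log format, the client addresses, the `example.invalid` hostnames and the Java user-agent strings are all constructed for the demonstration; only `ads.yahoo.com` comes from the article.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Hosts treated as ad-network origins. ads.yahoo.com is the one the article
# names; a real deployment would list every ad network the proxy sees.
AD_NETWORK_HOSTS = {"ads.yahoo.com"}
JAVA_MIME = "application/java-archive"
MAX_CHAIN = 10  # how many referer hops to follow before giving up

# Constructed sample proxy records (tab-separated fields):
# timestamp, client, method, url, referer, user-agent, status, content-type.
# Hosts under example.invalid are placeholders, not real infrastructure.
SAMPLE_LOG = "\n".join("\t".join(f) for f in [
    ("2014-01-02T10:00:01", "10.0.0.5", "GET", "http://www.yahoo.com/",
     "-", "Mozilla/5.0", "200", "text/html"),
    ("2014-01-02T10:00:02", "10.0.0.5", "GET", "http://ads.yahoo.com/ad?id=123",
     "http://www.yahoo.com/", "Mozilla/5.0", "200", "text/html"),
    ("2014-01-02T10:00:04", "10.0.0.5", "GET", "http://landing.example.invalid/load.html",
     "http://ads.yahoo.com/ad?id=123", "Mozilla/5.0", "200", "text/html"),
    ("2014-01-02T10:00:05", "10.0.0.5", "GET", "http://landing.example.invalid/payload.jar",
     "http://landing.example.invalid/load.html", "Mozilla/4.0 (Java/1.7.0_45)", "200", JAVA_MIME),
    ("2014-01-02T10:05:00", "10.0.0.9", "GET", "http://www.yahoo.com/",
     "-", "Mozilla/5.0", "200", "text/html"),
    ("2014-01-02T10:05:01", "10.0.0.9", "GET", "http://ads.yahoo.com/ad?id=456",
     "http://www.yahoo.com/", "Mozilla/5.0", "200", "text/html"),
    ("2014-01-02T10:05:02", "10.0.0.9", "GET", "http://cdn.example.invalid/banner.png",
     "http://ads.yahoo.com/ad?id=456", "Mozilla/5.0", "200", "image/png"),
    # A Java archive with no ad in its history (e.g. an internal app) must not fire.
    ("2014-01-02T11:00:00", "10.0.0.7", "GET", "http://intranet.example.invalid/app.jar",
     "-", "Mozilla/4.0 (Java/1.7.0_45)", "200", JAVA_MIME),
])


def parse_log(text):
    """Turn the tab-separated sample format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, referer, ua, status, ctype = line.split("\t")
        records.append({"ts": ts, "client": client, "method": method, "url": url,
                        "referer": referer, "ua": ua, "status": status, "ctype": ctype})
    return records


def looks_like_java_fetch(rec):
    """True when the response or request smells like the Java plug-in pulling code:
    a Java archive MIME type, a .jar/.class path, or the plug-in's own user agent."""
    path = urlparse(rec["url"]).path.lower()
    return (rec["ctype"] == JAVA_MIME
            or path.endswith((".jar", ".class"))
            or "Java/" in rec["ua"])


def referer_chain_hits_ad_network(rec, url_to_referer):
    """Walk referer -> earlier request -> its referer ... for one client and
    report whether any hop was served by an ad-network host."""
    seen = set()
    ref = rec["referer"]
    for _ in range(MAX_CHAIN):
        if ref in ("-", "") or ref in seen:
            return False
        if urlparse(ref).hostname in AD_NETWORK_HOSTS:
            return True
        seen.add(ref)
        ref = url_to_referer.get(ref, "-")
    return False


def flag_drive_by(log_text):
    """Return (client, url) for every Java fetch whose referer chain passes
    through an ad network, i.e. the malvertising-to-exploit-kit shape."""
    records = parse_log(log_text)
    # Per client: url -> referer, so a chain can be followed backwards.
    chains = defaultdict(dict)
    for r in records:
        chains[r["client"]][r["url"]] = r["referer"]
    flagged = []
    for r in records:
        if looks_like_java_fetch(r) and referer_chain_hits_ad_network(r, chains[r["client"]]):
            flagged.append((r["client"], r["url"]))
    return flagged


if __name__ == "__main__":
    for client, url in flag_drive_by(SAMPLE_LOG):
        print(f"possible drive-by: {client} fetched {url} via an ad-network redirect")
```

On the constructed sample only the `10.0.0.5` session is reported: `10.0.0.9` saw an ad but downloaded nothing for the Java plug-in, and `10.0.0.7` fetched a JAR with no ad anywhere in its history. The check depends on the browser sending a `Referer` header on each hop; where referers are stripped, correlating the ad impression and the Java download by client and time window is the usual fallback.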

Although the Netherlands-based company has yet to deduce the
culprit, the firm believes that the attack was financially
motivated, with control of victims’ computers being handed over to
third-party customers.

Each time a new exploit comes to light, security analysts and
critics of the platform are swift to recommend blocking Java
outright in the browser wherever possible. A writer for the
Washington Post last Friday went as far as to scathingly suggest
that Java’s popularity is plummeting amongst “legitimate” web
developers, in tandem with its rise in popularity as “a juicy
target for hackers”.

With the launch of Java 8 (maybe, hopefully) taking place this
spring, Oracle will be eager to channel all the focus towards its
new offering. But, with every new PR nightmare, the prospects of
effectively rehabilitating the image of the platform as a secure
and viable option for frustrated devs are becoming increasingly
slight.

Image by Yahoo! Product Support Engineer Manjeet Singh
