You got served

Yahoo ad network compromised, distributes Java exploit

Lucy Carey

Oracle security woes alive and well in 2014, with potentially thousands infected by Java malware-spreading hack.

It may be a brand new year – but exasperatingly, Oracle is making the headlines for exactly the same reason it did for most of 2013. Last Friday, it emerged that, thanks to an exploit in’s advertising network (, thousands of visitors had been served up Java-based malware.

At present, it’s it’s not yet clear if these pesky ads were built to bypass in-house filtering systems to feed out the malware, or if Yahoo’s servers and systems themselves were directly breached.

Either way, it’s yet more negative press for Oracle. After a 2013 where, to certain parties at least, the word ‘Java’ became synonymous with ‘huge gaping security vortex of doom’, this is an inauspicious start to 2014 to say the least.

Java’s reputation has received a series of sledgehammer blows over the past 12 months, from the zero-day Java applet vulnerability, which was spotted in the wild last January, to unprecedented native layer exploits coming to light in September.

Even with 51 patches pushed out in Oracle in October, many lost faith in Java. Although Mozilla’s move to auto-block Java in its Firefox browser was a source of annoyance to many, others were quick to back the move.

Regarding this latest debacle, Fox-IT wrote on their blog that it estimates that, between December 30 and January 3, malicious materials were delivered to around 300,000 visitors per hour. About nine percent of these visitors are thought to have been infected by this hack.

The attack appears to have been largely confined to European PCs, with users in North America, Asia Pacific and Latin America said to be unaffected. Yahoo has stated that Mac and mobile devices seem to have emerged unscathed – although this probably comes of scant comfort to the thousands of potentially compromised users.

These malicious ads were intermingled with legitimate material, and, when served by Yahoo, sent users a kit targeting vulnerabilities in Java and installing a host of different malware.

Although the Netherlands-based company has yet to deduce the culprit, the firm believes that the attack was financially motivated, with control of victim’s computers being handed over to third party customers.

Each time a new exploit comes to light, security analysts and critics of the platform are swift to recommend blocking Java outright in the browser wherever possible. A writer for the Washington Post last Friday went as far as to scathingly suggest that Java’s popularity is plummeting amongst “legitimate” Web Developers, in tandem with its rise in popularity as “a juicy target for hackers”.

With the launch of Java 8 (maybe, hopefully) taking place this spring, Oracle will be eager to channel all the focus towards its new offering. But, with every new PR nightmare, the prospects of effectively rehabilitating the image of the platform as a secure and viable option to frustrated devs is becoming increasingly slight.

Image by Yahoo! Product Support Engineer Manjeet Singh

Inline Feedbacks
View all comments