E-Week has an article about the popular computer hardware review site Tom’s Hardware (tomshardware.com) being hit by a trojan in a banner advert.
From the article it’s not clear whether a criminal paid for a banner advert under a legitimate business name or compromised the advertising server run by an innocent third-party who paid for advertising on Tom’s Hardware.
But really it doesn’t matter very much for users. The facts that are clear are that Tom’s Hardware is a very reputable site (that I personally visit regularly and recommend highly) that apparently did nothing wrong. Yet Windows users who visited the site who hadn’t applied the latest patches had their systems compromised (and presumably used for other criminal activity). Apparently a month ago there was a patch released for the bug in question.
One thing that has to be noted is that large corporations often don’t apply patches immediately. Spending a month testing a patch before deploying it widely is not uncommon in an enterprise environment. The general thinking in an enterprise is that the employees are almost always prohibited from visiting porn sites, and often prohibited from using forums, and webmail services. With these things prohibited the risk of attack is dramatically reduced. Now there is evidence that even the most reputable sites run by the competent sys-admins can be vulnerable to such attack.
One possible method of alleviating such attacks would be to have sites that are supported by advertising also allow ad-free subscriptions. So if an enterprise wanted to use a site such as Tom’s Hardware without the risk of advert based attack then they could pay for an advert free subscription. I’m sure that it would be easy for an enterprise to pay Tom’s hardware more money than they would ever be likely to get from providing advertising to the employees of that company while still not having any impact on the IT training budget.
But the best solution is that a Windows machine that is used for main desktop work should not be used for web browsing (to any sites). A Linux or Mac OS/X desktop machine could be used for such web browsing with less risk due to having less security holes in the OS. Another option is to use VMWare, Xen, or another virtualisation technology to use a virtual machine for web browsing to make it a lot harder for an attacker to break out and compromise the main environment.
Ideally clients would be using Webconverger, which is very secure.
. …Now there is evidence that even the most reputable sites run by the competent sys-admins can be vulnerable to such attack.
Microsoft UK already did the delivering malware containing adverts in the site they put as the default home page in some UK versions of IE. Don’t click on the blue E!
LiveJournal have already done this one as well.
Indeed it is a safe bet if a few advertising providers have let such things through, a LOT of sites have shown that content.
See also;
http://isc.sans.org/diary.html?storyid=2166