June 25, 2018

Banner Ads Launch Security Attacks

An online banner advertisement that ran on MySpace.com and other sites over the past week used a Windows security flaw to infect more than a million users with spyware when people merely browsed the sites with unpatched versions of Windows …

So says Brian Krebs at the Washington Post’s Security Fix blog. The ads, he says, contained a booby-trapped image that exploited a Windows security flaw to install malicious software. (Microsoft released a patch for the flaw back in January.)

Is this MySpace’s fault? I’m not asking whether MySpace is legally liable for the attack, though I’m curious what lawyers have to say about that question. I’m asking from an ethical and practical standpoint. Recognizing that the attacker himself bears primary responsibility, does MySpace bear some responsibility too?

A naive user who saw the ad displayed on a MySpace page would assume the ad was coming from MySpace. On a technical level, MySpace would not have served out the ad image, but would instead have put into the MySpace page some code directing the user’s browser to go to somebody else’s server and get an ad image; this other server would have actually provided the ad. MySpace’s business model relies on getting paid by ad agencies to embed ads in this way.

Of course, MySpace is in the business of displaying content submitted by other people. Any MySpace user could have put a similarly booby-trapped image on his own MySpace page; this has almost certainly happened. But it’s one thing to go to Johnny’s MySpace page and be attacked by Johnny. It’s another thing to go to your friend’s MySpace page and get attacked because of something that MySpace told you to display. If we’re willing to absolve MySpace of responsibility for Johnny’s attack – and I think we should be – it doesn’t follow that we have to hold MySpace blameless for the ad attack.

Nor does the fact that MySpace (presumably) does not vet the individual ads resolve the question. Failure to take a precaution does not in itself imply that the precaution is unnecessary. MySpace could have decided to vet every ad, at some cost, but instead they presumably decided to vet the ad agencies they are working with, and rely on those agencies to vet the ads.

The online ad business is a complicated web of relationships and deals. Some agencies don’t sell ads directly but make deals to display ads sold by others; and those others may in turn make the same kinds of deals, so that ads are placed on sites not directly but through a chain of intermediaries. The more the sale and placement of ads is automated, the fewer people there are in the loop to spot harmful or inappropriate ads. And the more complex and indirect the mechanisms of ad placement become, the harder it is for anyone to tell where an ad came from or how it ended up being displayed on a particular site. Ben Edelman has documented how these factors can cause ads for reputable companies to be displayed by spyware. Presumably the same kinds of factors enabled the display of these attack ads on MySpace and elsewhere.

If this is true, then these sorts of ad-based attacks will be a systemic problem unless the structure of the online ad business changes.

Comments

  1. It’s interesting to see a post about “responsibility” for a software exploit that doesn’t even mention the folks up in Redmond 🙂

    I am curious about what is actually meant by “responsible” when talking about a for-profit business if we aren’t talking about legal liability. Clearly there are many parties who could/should have been more careful, but in the end it is MySpace that is getting all the bad press and may feel a backlash. Most articles, and your blog post, don’t even mention the name of the Ad provider, and Deckoutyourdeck.com hardly has a reputation to lose. While in a legal sense the fact that the exploit came from a non-MySpace server might matter, most users likely view anything on the site as a reflection of MySpace, meaning that it is clearly good business for MySpace to be “responsible” and have someone vet all ads before they are shown. I fully expect this to happen soon for most reputable sites.

  2. I think it would be more effective to make the original advertiser responsible. After all, the original advertiser chooses who they do business with, but website operators (especially small ones) can’t possibly check every ad that comes their way.

    It’s disturbing that the entire structure of the industry, using long chains of shadowy intermediaries, seems designed to create “plausible deniability” to shield advertisers from this sort of liability. Piercing this shield is the best way to force a change.

  3. bonapart says:

    If the original “advertiser” is willing to risk employing ads booby-trapped with adware and spyware, they aren’t likely to care much about responsibility.

    Does the end-user assume any risk given the notorious security vulnerabilities of Microsoft operating systems? Could MySpace require the end-user to agree to assume such risk through a user agreement or disclaimer? MySpace doesn’t require that end-users use only a Microsoft operating system or Internet Explorer, that is the end-user’s choice.

    Given the complexity of assigning such responsibility, perhaps a proactive end-user solution would be the simplest remedy. The 14-25 age group is a key demographic of both MySpace and Firefox – so these kids should be aware of Firefox.

    Two words; Firefox & Adblock. If MySpace has ad banners, I haven’t seen them!

  4. One more (hugely) compelling reason for browser features such as Adblock.

  5. If you follow a chain of reasoning that starts with MySpace not being responsible for adware, then they would similarly not be responsible for any other sort of inappropriate advertising. Certainly, you can imagine that “kid friendly” web sites would go out of their way to avoid “age inappropriate” advertising. Their business is on the line. In precisely the same way, this ultimately comes down to MySpace. It’s their business that’s on the line. Even if they delegate the technical details of serving the ad images, they cannot avoid the responsibility for the ads’ appropriateness for their audience.

    (I’ll also agree with bonapart and Phil that this sort of thing creates a great incentive to switch to something other than stock IE on Windows, but that’s a separate issue.)

  6. Even if My Space checks the ads at some time, if they are served from another server, managed by a third party, how can they be found responsible for a potentially new version of the ads? And one must remember that this third party can at will serve different versions, depending on where the request originates, for example a benign image to MySpace employees, malware to persons in another state.
    To find them responsible, they must serve the malware themselves. (Technically. Legally, it’s another story.)

  7. lo,

    I disagree. The risk you describe is a consequence of MySpace deciding to let a third party serve out content to MySpace’s customers. MySpace could have insisted on serving out that content itself, or (presumably) it could have vetted the third party more carefully.

    Perhaps the cost of those precautions would be prohibitive, compared to the expected reduction in harm to users. But that’s a different argument.

  8. I can’t imagine that Myspace.com didn’t have some sort of legal verbiage in place requiring the ad agency to take responsibility for its content.

    The question is whether the ad agency is in a position to make any sort of restitution.

    I am not a Myspace user, but I’d be willing to bet that Myspace.com has no agreement with users to take responsibility for ad content it delivers to their machines.

    Call me a cynic, but somehow, I’m not expecting users to vote with their feet. Sorry to have to disagree with Dan Wendlandt. What was that business about dancing pigs?

  9. dmc,

    I agree that it’s quite possible that users won’t “vote with their feet”. I never meant my post as a suggestion that a virus in a banner ad would be enough to make a bunch of teens leave their online life-line for another venue (now that’s lock-in…). I was just saying that I think the general public will see this as an issue with MySpace, not as an issue with the advertiser or agency. Therefore, I feel that MySpace is “responsible” for managing whatever fallout *may* result, regardless of whether they are to blame, technically or legally speaking.

  10. One more (hugely) compelling reason for using an account with User privileges, not Administrator privileges, when surfing the internet (or doing any day to day work).

  11. JC: That’s nice. It must be lovely in your unix world where you have that luxury. But we Windoze users don’t — even newer versions, which have separate user and (privileged) administrator accounts, can’t be used that way. If you log in as a regular user, half the apps you commonly use simply won’t work. Only Windows apps designed for a multiuser system in a workplace tend to work without administrator privileges. So productivity and office type apps work. Try it with games, various random other apps not generally used on computers at work, and so on, though, and you’ll quickly find that trying to use Windows as anything but administrator is a nightmare.

  12. Neo: I’ve had mixed success trying to run Windows XP as a non-privileged user. (I don’t run a lot of games so can’t comment on that part of the experience. I do run a lot of other kinds of applications, both standard productivity/office and development.) After hashing out a problem with burning CDs, I did pretty well for a while with running as a non-administrator, but then I think the combination of Windows updates and newer applications would start causing me random grief with CD burning and things like TrueCrypt which uses a virtual device driver.

    So I think it’s doable if you have some time and patience, although personally I ran out of both and have gone back to being an admin. (Until hopefully I can get to that lovely unix world you spoke of 🙂

  13. I do hold MySpace responsible, at least for THIS occurrence! I have a MySpace account, and noticed problems with this very “DeckOutYourDeck.com” banner at least two months ago. I am usually logged in as a non-Admin user on my computer, which may have prevented this problem for a while… but I happened to find this message board because it actually DID get me while I was using the Admin!

    The banner’s behavior before was to generate two pop-up pages which could not be closed outside of using CTRL/ALT/DEL, which then would close my original MySpace page, and I’d have to re-navigate back to where I was. It would also create a box which said, “You must click YES to continue!” which would not go away… and it actually offered no “YES” option, but rather an “OKAY” button. I was able to use ALT-TAB to get back to the MySpace page I was looking at, and after this happened a few times, I saw the “Deck” banner ad. I got its properties and reported the problem to MySpace… several times! I told them this particular ad was causing malicious behavior and asked them quite plainly to remove it from their system. Again, this was at least two months ago… so YES, I do consider them responsible. They have a very poor way of handling consumer complaints and queries… which is to say, they simply don’t appear to handle them at all. I’ve noticed this on less-volatile issues as well. Once, after I tried sending the same message worded various ways about some other problem, they finally DID send a reply… it was information about how to close my MySpace account!

    The lovely thing about this now being reported by so many knowledgeable computer sites is… none of them seem to have been so kind as to suggest an actual fix for the problem. They only mention how users need to be careful, and note the Microsoft update from January which was meant to prevent the vulnerability… like closing the door after the cows ran away, y’know. Even the iDefense site which is credited with finally “discovering” the problem has no mention of it at all on their own site. So how do I get rid of the Purity adware my computer now proudly possesses?

  14. Steve R. says:

    MJB provided an excellent summary “It’s disturbing that the entire structure of the industry, using long chains of shadowy intermediaries, seems designed to create “plausible deniability” to shield advertisers from this sort of liability. Piercing this shield is the best way to force a change.”

    What always continues to bother me is that the only solution people seem to talk about is for the user to “defend” himself. Since this is a technological problem, the Windows operating system (in part), it would be difficult for the user to really defend himself. Also I am “tired” of having to buy third party software to “solve” these problems.

    A free society depends on mutual respect. If one party feels they can trash your computer to make a profit, I don’t believe that should be entitled to continue. What does this mean? M$ should fix its OS, MySpace must take responsibility for monitoring how its “real estate” is used, and those who develop malicious code should be prosecuted. Since there is a money trail, they can be found, if there is a will.

  15. Anonymous says:

    Myspace is an abomination.

    Period.

  16. Anon: I agree. With Rupert at the helm, it’s going to sink as low as Faux News.

    MySpace has Big-Brotherish tones which are too much to ignore. I see MySpace — the other evil MS — as nothing better than a clever data mining, spying, and advertising tool.

    Chatrooms and BBSes are nothing new, so why has MySpace won the hearts of so many people and businesses? Advertising.

    I’ve had to disinfect many people’s computers for them because their kids visited MySpace. These are the parents’ computers, with potentially sensitive information like tax returns stored on them. I tell these parents to not allow their kids to connect to the internet with them, and to buy another computer for their kids to use.

  17. Although you said you wanted to avoid the legal aspect of this, I’d like to point out that our legal system has a remarkably expensive way of dealing with such issues. It may be possible for MySpace to be sued for the damage done by the banner ad. MySpace in turn can sue the provider that posted the ad, for their damages. That provider surely has a contract with people who create its ads that allows it to sue them for the same damages.

    The legal system thus moves the damage around as far as possible until, one hopes, it reaches the guilty party. At each step, the lawyers for both sides take a serious cut.
    – Precision Blogger
