Major online ad site hacked, serving up exploit cocktail
Mr. Sparkle (Donating Member, 1000+ posts) Tue Nov-10-09 10:44 PM
Original message
Major online ad site hacked, serving up exploit cocktail
Source: Zdnet.com

A high-profile online advertising Web site has been hacked and rigged to serve multiple exploits to Microsoft Windows users surfing the net with unpatched third party desktop software.

According to a warning issued by Websense Security Labs, the malicious code was found on media-servers.net, which is described as a high-profile advertiser on the Internet realm. The site has been firing an assortment of exploits for several months, including exploits for vulnerabilities in Microsoft DirectShow and Adobe PDF Reader.

Here’s a list of the exploits associated with this attack:

* Microsoft DirectShow (CVE-2008-0015)
* Microsoft Snapshot Viewer (CVE-2008-2463)
* Microsoft Data Access Components (MDAC) CVE-2006-0003
* AOL ConvertFile() remote buffer overflow exploit

Websense said the rigged site also comes with an auto-loading malicious PDF file that attempts to exploit these vulnerabilities:

* Adobe Reader and Acrobat 8.1.1 buffer overflow (CVE-2007-5659)
* Adobe Acrobat and Reader 8.1.2 buffer overflow (CVE-2008-2992)

If the user’s browser is successfully exploited, Websense says a malicious file is downloaded and run in the user’s Windows home directory from another collaborated exploit site.

The company’s blog has screenshots of the attack site.

Read more: http://blogs.zdnet.com/security/?p=4885&tag=content;col1
PSPS (Donating Member, 1000+ posts) Tue Nov-10-09 10:57 PM
Response to Original message
1. We've been getting a lot of calls because of this
These maliciously coded ads get sent out to a lot of legitimate sites that subscribe to ad syndicators and exploit an unpatched system's vulnerability to install all kinds of rogue crap. It's not too hard to clean up, but sometimes you'll get a rootkit. The most popular exploit seems to be an infected PDF within an iframe which can use Adobe Reader below version 9 to infect a machine regardless of browser.
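A defender-side check tied to the pattern the OP and reply #1 describe: an auto-loading PDF, typically in a hidden iframe, tucked into otherwise ordinary ad markup. This is an added example, not code from the thread, from Websense or from ZDNet; the allow-list host and the two sample creatives are constructed for it.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list of hosts the network expects creatives to load from
# (constructed for this example, not any real ad network's list).
ALLOWED_HOSTS = {"cdn.example-adnet.test"}
# Tags that pull in a document or plugin content without any click.
AUTO_LOAD_TAGS = {"iframe": "src", "object": "data", "embed": "src"}

def _is_hidden(a):
    # Zero-size or display:none frames are the classic drive-by layout.
    style = (a.get("style") or "").replace(" ", "").lower()
    dims = {(a.get("width") or "").strip(), (a.get("height") or "").strip()}
    return bool(dims & {"0", "1"}) or "display:none" in style or "visibility:hidden" in style

class CreativeScanner(HTMLParser):
    """Collect auto-loading elements that look like a PDF drop or a hidden frame."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = AUTO_LOAD_TAGS.get(tag)
        if attr_name is None:
            return
        a = dict(attrs)
        url = a.get(attr_name) or ""
        host = urlparse(url).hostname or ""
        reasons = []
        if url.lower().split("?")[0].endswith(".pdf") or "pdf" in (a.get("type") or "").lower():
            reasons.append("auto-loads a PDF")
        if host and host not in ALLOWED_HOSTS:
            reasons.append("off-list host " + host)
        if _is_hidden(a):
            reasons.append("hidden frame")
        if reasons:
            self.findings.append((tag, url, reasons))

def scan_ad_creative(html):
    """Return [(tag, url, reasons)] for every suspicious auto-loading element."""
    parser = CreativeScanner()
    parser.feed(html)
    return parser.findings

# Constructed sample creatives, not markup from the page or from the report.
BENIGN = '<a href="https://cdn.example-adnet.test/go"><img src="https://cdn.example-adnet.test/banner.gif"></a>'
SUSPECT = ('<img src="https://cdn.example-adnet.test/banner.gif"><iframe src="http://ads.evil-example.test/x.pdf"'
           ' width="0" height="0" style="display:none"></iframe>')
```

Running `scan_ad_creative` over each creative before it is accepted into rotation flags the second one on all three counts while the plain image banner passes clean.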
 
Tunkamerica (Donating Member, 1000+ posts) Wed Nov-11-09 03:43 AM
Response to Reply #1
9. I got one from fark.com at work a few weeks ago.
And because I was at work I couldn't do anything but write an email to IT and hope they fixed it before it hijacked outlook or worse. It had already started putting porn links on my desktop and wouldn't let me run spybot.
 
boppers (Donating Member, 1000+ posts) Tue Nov-10-09 11:29 PM
Response to Original message
2. CVEs from 2006, 2007, and 2008?
People who go for years without patching/updating, well, it's hard for me to have much sympathy.
 
frylock (Donating Member, 1000+ posts) Wed Nov-11-09 12:46 AM
Response to Reply #2
3. yep..
but the haters will pile on, nonetheless.
 
JoeyT (Donating Member, 1000+ posts) Wed Nov-11-09 01:46 AM
Response to Reply #2
4. I used to say that a lot too.
But then I was in the business of fixing computers for a while, and it kinda toned that down a bit for me. Most of the people that get damaged by stuff like this are older people that don't know a whole heckuva lot about computers because they didn't grow up with them.
Companies that have unpatched machines get no sympathy from me, but people that just aren't terribly computer literate do.
 
boppers (Donating Member, 1000+ posts) Wed Nov-11-09 02:16 AM
Response to Reply #4
5. I come at it from the other angle.
I was once on a team where our job was to find network detection solutions (with resulting threat mitigation) on CVEs within 24 hours of their public release... we used to also work off of frsirt (now vupen) tickets, because they were often a few days ahead of the US.

Fun work, but somewhat stressful, as you can probably imagine who the client list was, and how important security was to them. :D

A week I can see. A month, maybe. But a year? Even with patch Tuesday?

Are these mostly folks running bootleg windows copies, so they can't update? Dial-up folks who don't want to sacrifice bandwidth?
 
JoeyT (Donating Member, 1000+ posts) Wed Nov-11-09 02:26 AM
Response to Reply #5
6. The latter of those two for my people.
Edited on Wed Nov-11-09 02:27 AM by JoeyT
Rural Alabama. I'd say broadband in the surrounding 100 miles covers about 30% or so of it.
First time they see something like "Your Windows Update will complete in 82 days." is the last time they update anything. ;)
 
clear eye (Donating Member, 1000+ posts) Wed Nov-11-09 02:48 AM
Response to Original message
7. Some shitheads exploited my Outlook Express.
Now I have to run it w/ the automatically view message feature disabled, even though my ISP uses an effective spam-blocker (I get no visible spam, ever), and my security suite checks incoming email. If I leave OE open while I'm using the Internet, sooner or later something runs that scrambles the keyboard when I try to type something. Hasn't happened since I both blocked the automatic view and stopped leaving OE open while I'm online. This happened though I upgraded to Adobe 9 shortly after it became available, as well as have Windows on automatic update.

Let's put the blame for the issue in the OP where it belongs, which is not on the users. Why is a very profitable online ad business not made secure enough to exclude malware like the other big ad providers do? They deserve to lose their business over this.
 
boppers (Donating Member, 1000+ posts) Wed Nov-11-09 03:01 AM
Response to Reply #7
8. Oh, that class of crap... (OE view bugs)
OE was written based on a bunch of libraries with truck-sized holes in them.

Typical bug: Look at the wrong image in your emails = get infected.

Taking the blame away from the users, why is a simple mail client... (something that's been around since the '60s....) letting users get infected?

Sure, those who get infected by a Typhoid Mary can point blame at Mary, but the blame also belongs with software that has no effective handling of disease, no immune system, and goes out of its way to *create* new ways of being infected.