How you could have protected yourself from Yahoo's recent malware ads

Martin Brinkmann
Jan 6, 2014
Updated • Jan 6, 2014

If you visited the Yahoo website on January 3, 2014, your computer may have been infected automatically with malware.

Whether that is really the case depends on Java: more precisely, on whether Java is installed on the system, whether it is linked to the browser, and whether it is up to date.

If you are running an outdated version of Java, meaning not the latest version, then your computer may have been infected automatically, just by visiting the Yahoo website.

If you are running the latest version, the attack may still have been triggered, but this time only on user action.

Without going into too many details, here is what happened. Yahoo, like many other companies, runs advertisements on its properties. Other companies and individuals can book impressions for ad views on one of Yahoo's websites, which are then added to the rotation and displayed for as long as they have been booked.

Sometimes, ads can be malicious. This is not a problem unique to Yahoo, as it can also happen on other web properties. Google, for instance, has served malicious ads in the past as well.

In Yahoo's case, some of the ads were iFrames hosted on third party domains. An iFrame displays the contents of another site on the site it is run on. Users were automatically redirected to another property within the iFrame, and then attacked using a Java vulnerability that allowed attackers to install trojans and other malware on the systems.

So how could you have protected your computer?

The most obvious answer to the question lies with Java and how it is handled on the system.

  1. Make sure that Java is up to date at all times. This would have protected the computer from being infected automatically.
  2. If you do not need Java, uninstall it. It is likely that only a minority really needs Java, while everyone else is fine without it.
  3. If you need Java locally, sever the link to the browser. You can only do so on Windows, and only if you run the JRE 7.x. Open your Control Panel, select Java from the list of options, switch to Security there, and disable "Enable Java content in the browser". Read this guide for a detailed walk-through.
  4. If you run Java 6.x, disable it in your browser instead.
  5. If you need Java on the web, for instance because some sites that you use demand it, activate click to play in your web browser to prevent the execution of Java on all other sites automatically. Or, and this is probably the better option, use a secondary browser profile exclusively for those sites. On top of that, use a sandboxing program for additional security.
  6. Alternatively, run a browser extension like NoScript which blocks all script contents from being loaded automatically.
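
An added example (not from the original article): a small Python audit for steps 3 and 4 that reads the contents of a user's Java `deployment.properties` file, where the Java Control Panel keeps its settings. It assumes the checkbox is stored as `deployment.webjava.enabled` (enabled when the key is absent) and that registered JREs appear as `deployment.javaws.jre.<n>.platform`; the sample file content is constructed.

```python
import re

def parse_properties(text):
    """Parse Java .properties text: '#'/'!' comments, '=' or ':' separators,
    backslash line continuation. Escapes are reduced by dropping the
    backslash (enough for '\\:' and '\\\\'; no \\uXXXX or \\n handling)."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        # An odd number of trailing backslashes continues onto the next line.
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:
            pending = line[:-1]
            continue
        m = re.match(r"((?:\\.|[^\\=:\s])+)\s*[=:]?\s*(.*)", line)
        if m:
            key, value = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
            props[key] = value
    return props

def audit_browser_java(text):
    """Return findings that correspond to steps 3 and 4 of the list above."""
    props = parse_properties(text)
    findings = []
    # Assumption: the Control Panel checkbox is stored under this key and a
    # missing key means Java content in the browser is enabled.
    if props.get("deployment.webjava.enabled", "true").strip().lower() != "false":
        findings.append("webjava-enabled")
    # Assumption: each registered JRE has a ...jre.<n>.platform entry. A 1.6
    # entry has no Control Panel switch, so it must be disabled in the browser.
    for key, value in sorted(props.items()):
        if re.fullmatch(r"deployment\.javaws\.jre\.\d+\.platform", key) and value.strip() == "1.6":
            findings.append("java6-registered:" + key.split(".")[3])
    return findings

# Constructed sample, not taken from a real machine.
SAMPLE = r"""#deployment.properties
deployment.webjava.enabled=false
deployment.javaws.jre.0.platform=1.7
deployment.javaws.jre.0.product=1.7.0_45
deployment.javaws.jre.0.path=C\:\\Program Files\\Java\\jre7\\bin\\javaw.exe
deployment.javaws.jre.1.platform=1.6
"""

if __name__ == "__main__":
    for finding in audit_browser_java(SAMPLE) or ["no findings"]:
        print(finding)
```
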

Beyond these preparations, consider running anti-exploit software alongside regular antivirus software. I'm running both Microsoft's EMET and Malwarebytes Anti-Exploit, but one of them should do it in most cases.

Here is what would have happened if the computer had been protected properly: nothing.

Right, there is still a chance that you click on the ad, allow Java to run on the site (against better judgement), and that the anti-exploit tools do not catch the exploit, but that is a slim chance at best.

While this article is about Java, it is more or less true for other plugins that you run in your browser as well, especially Adobe Flash. My suggestion is to make all plugins click to play in your browser of choice, provided this is supported by it.

Now read: Fixing Java in Firefox




  1. dblevins said on January 7, 2014 at 12:55 am

    How ’bout stopping the display of the “social-media” (FB and the rest) buttons on your pages??

    1. Martin Brinkmann said on January 7, 2014 at 9:16 am

      The social buttons are not active, they are not loaded by scripts. They are merely buttons that link to the social accounts.

    2. Ken Saunders said on January 7, 2014 at 1:10 am

      You can get an add-on for that.

      Martin, while it would be a lot more work for you, you could just provide copy and paste text to share.
      I’ve done it.
      Article title and shortened URL for Twitter.
      Article title and full URL for others (Fb etc).
      I do it because of the social services snooping stuff and that’s probably why some visitors are concerned.
      I have a select all script so the person just clicks a button then copies the text and pastes wherever.
      There are some that will highlight all and copy to the clipboard.

  2. Dwight Stegall said on January 7, 2014 at 12:12 am

    I stopped installing Java more than 10 years ago. The security risks just aren’t worth it.

  3. Nebulus said on January 6, 2014 at 11:16 pm

    Just two words: ads blocking.

  4. Ken Saunders said on January 6, 2014 at 7:28 pm

    “Notify me of followup comments via e-mail”

    Sorry, I had to add this reply to receive updates. I had the box unchecked.

    1. Don said on January 6, 2014 at 8:25 pm

      FYI. Just below the “Notify me of followup comments via e-mail” checkbox is “Subscribe without commenting”. Subscribing will get you the same updates.

      1. Ken Saunders said on January 6, 2014 at 8:27 pm

        Ah, thanks

  5. Ken Saunders said on January 6, 2014 at 7:27 pm

    I have a few programs that require Java, but they aren’t worth the risk so I just don’t have Java installed.
    It’s a pain, but I can install and uninstall Java as needed.
    It’s like Java has become the Internet Explorer of the 90’s.

  6. ilev said on January 6, 2014 at 6:03 pm

    adblock would have stopped the malware too.

  7. beachbouy said on January 6, 2014 at 4:54 pm

    How about running the browser in a sandbox. Seems like that would be the simplest solution. Nearly every website in the universe uses Java to some extent. I think it is impractical to expect people to stop using Java. Especially novice, non-techy types who don’t even know what Java is.

    Anyone can understand running the browser in a sandbox to isolate it from the rest of the system. They just need help in finding a sandbox that will do the job, and setting up a sandboxed browser link on their desktop.

    1. Martin Brinkmann said on January 6, 2014 at 5:08 pm

      Don’t confuse Java with JavaScript. Running in a sandbox would have helped in this case.

  8. Rohit said on January 6, 2014 at 4:36 pm

    I have an active Yahoo email ID, please tell me whether this malware is active in, can I open my email ID? By the way thanks for the tutorial I am sure it will help me in coping with the same.
