How you could have protected yourself from Yahoo's recent malware ads
If you have visited yahoo.com on January 3, 2014, your computer may have been infected automatically with malware.
Whether that is really the case depends on Java: more precisely, on whether Java is installed on the system, linked to the browser, and up to date.
If you are running an outdated version of Java, meaning not the latest version, then your computer may have been infected automatically, just by visiting the Yahoo website.
If you are running the latest version, it may have still been triggered, but this time only on user action.
Without going into too many details, here is what happened. Yahoo, like many other companies, runs advertisements on its properties. Other companies and individuals can book impressions for ad views on one of Yahoo's websites, which are then added to the rotation and displayed for as long as they have been booked.
Sometimes, ads can be malicious. This is not only a problem for Yahoo, as it can also happen on other web properties. Google for instance has served malicious ads in the past as well.
In Yahoo's case, some of the ads were iFrames hosted on third-party domains. An iFrame displays the contents of another site on the site it is embedded in. Users were automatically redirected to another property within the iFrame, and then attacked using a Java vulnerability that allowed attackers to install trojans and other malware on the systems.
So how could you have protected your computer?
The most obvious answer to that question involves Java, and how it is handled on the system.
- Make sure that Java is up to date at all times. This would have protected the computer from being infected automatically.
- If you do not need Java, uninstall it. It is likely that only a minority really needs Java, while everyone else is fine without it.
- If you need Java locally, sever the link to the browser. You can only do so on Windows, and only if you run the JRE 7.x. Open your Control Panel, select Java from the list of options, switch to Security there, and disable "Enable Java content in the browser". Read this guide for a detailed walk-through.
- If you run Java 6.x, disable it in your browser instead.
- If you need Java on the web, for instance because some sites that you use demand it, activate click to play in your web browser to prevent the execution of Java on all other sites automatically. Or, and this is probably the better option, use a secondary browser profile exclusively for those sites. On top of that, use a sandboxing program for additional security.
- Alternatively, run a browser extension like NoScript which blocks all script contents from being loaded automatically.
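The "Enable Java content in the browser" step above can be audited from the command line. The following PowerShell script is an added example, not part of the original article: it assumes a Windows system with the standard Oracle registry locations for the JRE and the per-user deployment.properties file that the Java Control Panel writes (the checkbox maps to the key deployment.webjava.enabled, which Oracle treats as true when absent).

```powershell
# Added audit script (not from the original article). Assumes Windows, JRE 7.x,
# Oracle's standard registry keys and the per-user deployment.properties path.
$regPaths = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'
)
# Collect the CurrentVersion value from every JRE registry hive that exists.
$installed = foreach ($p in $regPaths) {
    if (Test-Path $p) { (Get-ItemProperty -Path $p).CurrentVersion }
}
if (-not $installed) {
    Write-Output 'Java runtime not found in the registry: nothing to disable.'
    return
}
Write-Output "Installed JRE version(s): $($installed -join ', ')"

# The Control Panel checkbox "Enable Java content in the browser" is stored as
# deployment.webjava.enabled in the user's deployment.properties (JRE 7u10+).
$props = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'
$webJava = 'true'   # Oracle's default when the key is absent: browser Java enabled
if (Test-Path $props) {
    $line = Select-String -Path $props -Pattern '^deployment\.webjava\.enabled=' |
        Select-Object -First 1
    if ($line) { $webJava = ($line.Line -split '=', 2)[1].Trim() }
}

if ($webJava -eq 'false') {
    Write-Output 'OK: Java content in the browser is disabled.'
} else {
    Write-Output 'WARNING: Java content in the browser is enabled; a drive-by applet can run.'
    Write-Output "Fix: Control Panel > Java > Security, or add 'deployment.webjava.enabled=false' to $props"
}
```

The script only reports; the last line tells you where to apply the fix, either through the Control Panel as described above or by editing the properties file directly.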
Besides these preparations, consider running anti-exploit software alongside regular antivirus software. I'm running both Microsoft's EMET and Malwarebytes' Anti-Exploit, but one of them should do it in most cases.
Here is what would have happened if the computer had been protected properly: nothing.
Right, there is still a chance that you click on the ad, allow Java to run on the site (against better judgement), and that the anti-exploit tools would not have caught the exploit, but that is a slim chance at best.
While this article is about Java, it more or less applies to other plugins that you run in your browser as well, especially Adobe Flash. My suggestion is to make all plugins click to play in your browser of choice, provided this is supported by it.