How you could have protected yourself from Yahoo's recent malware ads - gHacks Tech News

How you could have protected yourself from Yahoo's recent malware ads

remove Java web browser

If you have visited yahoo.com on January 3, 2014, your computer may have been infected automatically with malware.

Whether that is really the case depends on Java, or more precisely, if Java is installed on the system, linked to the browser, and whether it is up to date or not.

If you are running an outdated version of Java, meaning not the latest version, then your computer may have been infected automatically, just by visiting the Yahoo website.

If you are running the latest version, it may have still been triggered, but this time only on user action.

Without going into too many details, here is what happened. Yahoo, like many other companies, runs advertisements on its properties. Other companies and individuals can book impressions for ad views on one of Yahoo's websites, which are then added to the rotation and displayed for as long as they have been booked.

Sometimes, ads can be malicious. This is not only a problem of Yahoo for obvious reasons, as it can also happen on other web properties. Google for instance did serve malicious ads in the past as well.

In Yahoo's case, some of the ads were iFrames hosted on third party domains. An iFrame displays the contents of another site on the site it is run on. Users were automatically redirected to another property within the iFrame, and then attacked using a Java vulnerabilty that allowed attackers to install trojans and other malware on the systems.

So how could you have protected your computer?

The most obvious answer to the question is leading to Java, and how it is handled on the system.

  1. Make sure that Java is up to date at all times. This would have protected the computer from being infected automatically.
  2. If you do not need Java, uninstall it. It is likely that only a minority really needs Java, while everyone else is fine without it.
  3. If you need Java locally, snap the link to the browser. You can only do so on Windows, and only if you run the JRE 7.x. Open your Control Panel, select Java from the list of options, switch to Security there, and disable "Enable Java content in the browser". Read this guide for a detailed walk-through.
  4. If you run Java 6.x, disable it in your browser instead.
  5. If you need Java on the web, for instance because some sites that you use demand it, activate click to play in your web browser to prevent the execution of Java on all other sites automatically. Or, and this is probably the better option, use a secondary browser profile exclusively for those sites. On top of that, use a sandboxing program for additional security.
  6. Alternatively, run a browser extension like NoScript which blocks all script contents from being loaded automatically.

In addition to these preparations, consider running anti-exploit software in addition to regular antivirus software. I'm running both Microsoft's EMET and Malwarebyte's Anti-Exploit, but one of them should do it in most cases.

Here is what would have happened if the computer would have been protected properly: nothing.

Right, there is still a chance to click on the ad, allow Java to run on the site (against better judgement) and that anti-exploit tools would not have caught the exploit, but that is a slim chance at best.

While this article is about Java, it more or less is true for other plugins that you run in your browser as well, especially Adobe Flash. My suggestion is to make all plugins click to play in your browser of choice, provided this is supported by it.

Now read: Fixing Java in Firefox

Advertisement

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:


Previous Post: «
Next Post: »

Comments

  1. Rohit said on January 6, 2014 at 4:36 pm
    Reply

    I have an active yahoo email ID, please tell me weather this malware is active in yahoo.in, can I open my email ID.? By the way thanks for the tutorial I am sure it will help me in coping with the same.

  2. beachbouy said on January 6, 2014 at 4:54 pm
    Reply

    How about running the browser in a sandbox. Seems like that would be the simplest solution. Nearly every website in the universe uses Java to some extent. I think it is impractical to expect people to stop using Java. Especially novice, non-techy types who don’t even know what Java is.

    Anyone can understand running the browser in a sandbox to isolate it from the rest of the system. They just need help in finding a sandbox that will do the job, and setting up a sandboxed browser link on their desktop.

    1. Martin Brinkmann said on January 6, 2014 at 5:08 pm
      Reply

      Don’t confuse Java with JavaScript. Running in a sandbox would have helped in this case.

  3. ilev said on January 6, 2014 at 6:03 pm
    Reply

    adblock would have stopped the malware too.

  4. Ken Saunders said on January 6, 2014 at 7:27 pm
    Reply

    I have a few programs that requires Java, but they aren’t worth the risk so I just don’t have Java installed.
    It’s a pain, but I can install and uninstall Java as needed.
    It’s like Java has become the Internet Explorer of the 90’s.

  5. Ken Saunders said on January 6, 2014 at 7:28 pm
    Reply

    “Notify me of followup comments via e-mail”

    Sorry, I had to add this reply to receive updates. I had the box unchecked.

    1. Don said on January 6, 2014 at 8:25 pm
      Reply

      FYI. Just below the “Notify me of followup comments via e-mail” checkbox is “Subscribe without commenting”. Subscribing will get you the same updates.

      1. Ken Saunders said on January 6, 2014 at 8:27 pm
        Reply

        Ah, thanks

  6. Nebulus said on January 6, 2014 at 11:16 pm
    Reply

    Just two words: ads blocking.

  7. Dwight Stegall said on January 7, 2014 at 12:12 am
    Reply

    I stopped installing Java more than 10 years ago. The security risks just aren’t worth it.

  8. dblevins said on January 7, 2014 at 12:55 am
    Reply

    How ’bout stopping the display of the “social-media” (FB and the rest) buttons on your pages??

    1. Ken Saunders said on January 7, 2014 at 1:10 am
      Reply

      You can get an add-on for that.

      Martin, while it would be a lot more work for you, you could just provide copy and paste text to share.
      I’ve done it.
      Ex.
      Article title and shortened URL for Twitter.
      Article title and full URL for others (Fb etc).
      I do it because of the social services snooping stuff and that’s probably why some visitors are concerned.
      I have a select all script so the person just clicks a button then copies the text and pastes wherever.
      There are some that will highlight all and copy to the clipboard.

    2. Martin Brinkmann said on January 7, 2014 at 9:16 am
      Reply

      The social buttons are not active, they are not loaded by scripts. They are merely buttons that link to the social accounts.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.