Yahoo Users Hacked Through Unpatched Flash Vulnerabilities

Researchers at Malwarebytes, an anti-malware software vendor, uncovered a large-scale attack against Yahoo users through Yahoo's own advertising network. Malwarebytes notified Yahoo about it and the "malvertising" campaign is no longer in progress.

The attack was possible due to vulnerabilities in unpatched versions of Flash, perhaps even the same vulnerabilities that got Mozilla to block Flash by default in its browser for a few days until Adobe released the patch. Not all Flash users have updated to the latest version, though, which means they are still vulnerable to these highly dangerous security holes.

Yahoo owns large Web properties with an estimated 6.9 billion visits per month in total, according to data from SimilarWeb, which means even if a small percentage of those visits resulted in malware installation on the users' PCs, it could still affect millions of people.

Malvertising is particularly dangerous because it requires no action from the user, and it can download and install itself automatically on the user's PC (assuming the user is on a Standard account and not an Administrator one, and the User Account Control protection is weak enough to be bypassed, or the malware uses local privilege escalation zero-days).

The malware can also install "ransomware" on users' PCs and lock their files until the users pay the criminals.

Kowsik Guruswamy, CTO for Menlo Security, has a few pointers for how to protect yourself against this type of malware.

  • Disable Flash on your endpoints. This can be like cutting off your fingers to avoid getting splinters, but if the splinters are bad enough, maybe it's what you need to do.
  • Isolate your Web traffic so that malicious content never reaches your endpoint. The Menlo Security Isolation Platform does that.
  • Continue browsing the Web with Flash enabled and hope you dodge the inevitable bullet.

He also added that, "The inconvenient truth about the Web is that it's dangerous and it's not the kind of place you should go without effective protection. There's no way to stop cyber criminals from attacking, and there's no way to detect and stop all of their attacks. The only way to be safe is to execute *all* Web content away from your endpoint so it can't do harm even if it's malicious. That's what isolation security is all about, and it seems pretty clear that its time has come."

Yahoo users could also use a browser that sandboxes and patches Flash automatically, such as Chrome.


Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • junkeymonkey
    I don't know how much it helps me, but Flash is one of the first things I remove/uninstall/delete from my OSes. Nowadays HTML5 seems to have me covered, and if not I guess I did not need to see it anyway...

    Of course, if they hack HTML5 now, I see that can be a big issue.
  • thundervore
    And yet another reason to use ad blocking software :)
  • junkeymonkey
    Ya, but Flash is used in more than just ads. Remove Flash and problem solved all around.
  • ralanahm
    I am not sure what is meant by "(assuming the user is on a Standard account and not an Administrator one" I thought standard was safer. Is this a special malware or was the wording reversed?
  • dotaloc
    I am not sure what is meant by "(assuming the user is on a Standard account and not an Administrator one" I thought standard was safer. Is this a special malware or was the wording reversed?

    Read the whole paragraph. The logic is correct, but I had to read it a couple of times...so it probably could have been written more clearly.
  • targetdrone
    When are Google and Mozilla going to kill Flash once and for all?
    Just publish an end of support date. After that day Flash will no longer work in Chrome or Firefox.

    It's not like people are going to go back to IE.
  • 2Be_or_Not2Be
    Hey, where is that contributing writer who said "ad block is stealing"???? Surely he should be spinning some kind of statement on how the malware that came from Yahoo's ad network is actually a good thing and surely isn't a reason to install an ad-blocker.

    http://www.tomsguide.com/us/ad-blocking-is-stealing,news-20962.html

  • virtualban
    How does malvertising manage to get through?
    Aren't 'they' trying to put https by default everywhere, so every one on the web is identified with a real person outside, and advertisers have a way to get infected but no consequences to any real person for the vulnerabilities or intentionalities?