Security Response

Malicious Advertisements

Created: 27 Nov 2007 08:00:00 GMT • Updated: 23 Jan 2014 18:44:16 GMT
Zulfikar Ramzan

On November 2, 2007 I had the opportunity to participate in a panel at the Federal Trade Commission on the future of online behavioral advertising. While this topic is not one that is normally associated with information protection issues, there are some interesting implications that I touched upon at the panel and that I thought I'd reiterate here.

First, let's think about some of the overall trends related to Web advertising. To begin with, the Web has certainly exploded in popularity, and people are spending more and more time each day surfing their favorite sites.

Second, online advertising has proven itself to be a viable business model for many companies. Countless Web sites display ads that are viewed by an even greater number of people.

Third, along these same lines, the online advertising supply chain is fairly complex. In the simplest incarnation, an advertiser might work with an ad network, which will arrange to have the ad published through one or more content publishers. In a more complex, but still quite common, incarnation, an ad network might work with a syndicator (and the syndicator might work with sub-syndicators).

Fourth, advertising itself has become very rich. While text-based advertisements are still popular, we are definitely seeing more elaborate ads that use technologies like Flash. The reality is that an advertisement is more than just an ad: it's a small piece of software that runs on your machine in the context of your Web browser.

And finally, browsers are becoming more complex. In addition to the core Web browser, people often enhance their Web experience through one or more plug-ins. For example, Flash is enabled on a Web browser through a plug-in.

This increase in prevalence, combined with the increased complexity, makes online advertising a ripe target for attackers. Since an advertisement is a piece of software, there is potential for that software to be malicious. One example that I blogged about previously, just a little over a year ago, involved a social networking site. One of the advertisements it served took advantage of a well-known Windows vulnerability. Over a million people saw the advertisement. Although the vulnerability was known, and although a patch had been issued, it's likely that many people who viewed the ad didn't have their patches up to date. In these cases, the sites themselves are otherwise innocent bystanders, since the advertisement content is being provided by the ad network.

Along the same lines, anything one can do in a scripting language like JavaScript can also be done in Flash. So, in principle, Flash-based advertisements can implement the kinds of attacks possible through malicious JavaScript. These include scanning internal network hosts and drive-by pharming.

What makes attacks leveraging online advertising especially powerful is that it is entirely possible for an otherwise trustworthy, popular, and well-meaning site to host an advertisement containing malicious code. While there have thus far been only a few instances of malicious online ads, I expect this to be a growing trend.

The unfortunate moral here is that there are no truly safe locations on the Internet. That shouldn't stop you from surfing the Web, but it does mean recognizing that if you do so, it's important to be protected. Anticipating that these types of issues would come up, Symantec has built a number of excellent Web-browsing protections into our 2008 products, which were launched recently.