This reminds me of when I was working for a creative agency and we designed a handful of HTML5 banner ads and I built a small page to showcase all the ads but it never worked.
A day later the lightbulb clicked on and I realized my ad-blocker was blocking our own ads.
This shark came pre-jumped when there was nobody with both the incentive and the ability to stop malicious code being transmitted through advertising channels.
Ad networks have negative incentive to stop malware. Their incentive structure runs in the opposite direction entirely: They have to accept ads as quickly and as broadly as possible, and get them out to the world as quickly as possible. That’s their whole business model. Vetting anything is a cost center, and a big one, given how many ads they have to deal with and how easy it is to hide malware in ways which defeat automatic checks. From what I’ve heard (and not heard), however, they don’t even run automated checks.
People who put ads on their pages have incentive but no ability. Once the ad code is in place, that portion of their page is ceded to the advertiser, and their brand’s goodwill along with it.
So it comes down to the people who deal with the malware. And they’re using their power to block ads. And it is shocking, utterly shocking that the people who are affected by something are taking steps to mitigate it.
Kids these days, I tell ya: Give them malware, and they think it’s something they can take steps to prevent! Entitled brats…
Ad networks could just allow an advertiser to upload an image, description and URL. That’s it. No custom javascript that may or may not attempt to open new windows, browse to a new URL, inspect the contents of the page, play videos/audio, etc. Ad blockers are relatively common among tech people for a reason.
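The restriction proposed in the comment above (image, description and URL only) can be enforced at submission time and again at render time. The sketch below is an added example, not part of the thread or any ad network's code; the function names, the 140-character limit, the https-only rule and the sample hostnames are assumptions.

```javascript
// Added example: hypothetical validator for an "image + description + URL" ad format.
const ALLOWED_FIELDS = new Set(["image", "description", "url"]);
const RASTER_EXT = /\.(png|jpe?g|gif|webp)$/i; // raster only; SVG can carry script
const MAX_DESCRIPTION = 140; // assumed limit

// Returns a parsed URL only for plain https links; javascript:, data:, http:
// and URLs with embedded credentials are rejected.
function parseHttps(value) {
  if (typeof value !== "string") return null;
  try {
    const u = new URL(value);
    return u.protocol === "https:" && !u.username && !u.password ? u : null;
  } catch {
    return null;
  }
}

function validateCreative(submission) {
  const errors = [];
  // Anything beyond the three fields (script, html, tracking pixels...) is refused.
  for (const key of Object.keys(submission)) {
    if (!ALLOWED_FIELDS.has(key)) errors.push(`unexpected field: ${key}`);
  }
  const image = parseHttps(submission.image);
  if (!image || !RASTER_EXT.test(image.pathname)) {
    errors.push("image must be an https raster image");
  }
  const url = parseHttps(submission.url);
  if (!url) errors.push("url must be https");
  const d = submission.description;
  if (typeof d !== "string" || d.length === 0 || d.length > MAX_DESCRIPTION) {
    errors.push("description must be 1-140 characters of text");
  }
  return { ok: errors.length === 0, errors, image, url };
}

// Numeric character references for every character that can break out of
// an attribute value or element content.
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);

// The publisher emits inert markup: one link, one image, no advertiser code.
function renderCreative(submission) {
  const { ok, errors, image, url } = validateCreative(submission);
  if (!ok) throw new Error(errors.join("; "));
  return `<a href="${escapeHtml(url.href)}" target="_blank" rel="noopener noreferrer">` +
    `<img src="${escapeHtml(image.href)}" alt="${escapeHtml(submission.description)}"></a>`;
}
```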
This is not well argued. I tripped over the claim that all four “big problems” are enabled by the unlimited powerful Javascript VM, while that point is hardly relevant to anything but “cryptojacking”. Also I’m missing any “jump the shark” moment. The article does summarize the rotten state of advertising nicely though.
The malvertising problem also largely comes from having an unlimited powerful VM (doesn’t have to be JavaScript, ActionScript and Java were historically just as bad *). Having a VM available makes exploiting browser bugs to get drive-by software installation far easier.
The APIs provided to that VM represent a colossal attack surface.
Programs running on the VM can do stuff like making and freeing big allocations in specific patterns to massage the heap layout, or run timing attacks to discern the address of some data or code in the browser process.
The VM itself has bugs. It does a lot and the optimisations are really complicated and hard to get right. You see CVEs sometimes like “a buggy optimisation caused an ArrayBuffer and a function pointer to occupy the same space, which can be escalated into remote code execution”.
There are still bugs sometimes in things like parsers for complex formats like videos which are exploitable without making use of the VM, but fewer of them. It’s harder to write exploits without the VM anyway because your most powerful tool for setting up the process internals the way your exploit code wants them is gone.
Browsers are WAY harder to RCE with no JavaScript.
(* if not worse, but I suspect mainly because the implementations were really bad rather than because those PLs are fundamentally worse than JavaScript in some way.)
Every time I use a browser without adblock I’m shocked to see what websites actually look like by default.
To support that, here’s a Quora answer describing their requirements:
https://www.quora.com/What-is-the-technology-stack-of-ad-networks
So, they have to analyze current data in real time to try to throw out a relevant ad with requests coming in at thousands a second at least. That’s no time to do a security assessment. Additionally, if pre-screening ads into a database, it would take a lot of both computer analysis and human review on a per ad basis. I imagine the rates are too low for that to be economical. Then, I speculate it gets worse with the large number of VC-funded newcomers that don’t care about security able to make better offers than the company accepting overheads to protect ad viewers. Ad viewers that aren’t paying or supporting them in any way but would be a cost center if protecting them.