« CTO significance | Main | Surfing evolutionary curves »
February 7, 2008
Banner redirects
Banner redirects: Google News has a link to a scary headline, "Flash Ads Serving Up Malware on Popular Sites". This article references a blogpost at the Microsoft MVP site titled "INTERNET EXPLORER IS NOT TO BLAME FOR THE FLASH ADVERTISEMENT PROBLEM !!" This blogpost in turn references another blogpost... I think the core issue is that some ad network served SWF ads which redirected the page to a scammer domain. The writer thinks the solution is in Internet Explorer's "trusted domains" scheme, but I think that conclusion is offbase... the "trusted domains" hack was to cover the architectural error of invoking system-level ActiveX Controls from the webpages of strangers, and in this case you're actually dealing with *multiple* domains (the visited page, the ad network, the destination scammer site)... I don't think the raw consumer public should have to dope out all those redirections. I believe the core problem is actually larger: the execution of instructions from strangers -- the mashup culture -- this is the real issue here. The site owner accepted content from an ad network which did not fully vet its content providers. A SWF can redirect without a click, as can an IFRAME, an analytics script, or any other bit of third-party JavaScript. We need to trust the content we're integrating into our own webpages. This decision is properly decentralized to site owners, who choose ad networks which exercise appropriate discretion over the advertisers they accept. I apologize in advance if I misunderstood the core issue -- the original text is lengthy, white-on-black, and with long linebreaks which don't display well on my monitor -- but headlines like "Flash Serving Malware!" concern me, and we need to get to the real root of the issue.
Update: [Mon Feb 11 8pm PST] It's funny, I've got some internal email which confirms that Adobe Flash Player is not actually involved in passing any request to the browser here, and that it's actually a JavaScript error at cause. But I can't directly quote it, because the company whose JavaScript contains the exploit and whose researchers did this part of the investigation on the issue are the ones who need to break the news... I can't do it third-hand on a "sources say" basis. The perverse thing is that Flash seems to be taking it on the chin here, leading to damaging perception issues, when it's actually not directly involved in the problem. I know the news exists, but cannot quote the news, much less succinctly prove it. Frustrating.... ~:/
Posted by JohnDowdell at February 7, 2008 10:01 AM
Use of this website signifies your agreement to the Terms of Use and Online Privacy Policy (updated 07-14-2009).