Analysts: Expect More Ad Server Attacks

Security analysts said recent attacks on several high-profile European Web sites, through compromised ad servers, is a sign of more trouble to come as hackers take aim at launching viruses in unique ways.

“Instead of only defacing the Web site, they have the potential to do some serious damage,” said Vincent Gullotto, vice president of McAfee’s AVERT virus research group. “So far the infection numbers are probably into the thousands, but not at an epidemic or outbreak proportion.”

Although Gullotto said he was surprised these types of breaches didn’t happen more often, he said the trend would likely continue until the vulnerability was patched.

As reported Monday by, British tech-focused Web site The Register said some of its banner advertising, served by third-party ad serving company Falk AG, “became infected with the Bofra/IFrame exploit” thanks to a known IFRAME buffer overflow vulnerability in Internet Explorer.

Security firm Secunia, which labeled the vulnerability “extremely critical,” said it is caused by a boundary error in the handling of certain attributes in the “IFRAME,” “FRAME,” and “EMBED” HTML tags.

“This can be exploited to cause a buffer overflow via a malicious HTML document containing overly long strings in e.g. the ‘SRC’ and ‘NAME’ attributes of the IFRAME tag.”

John Pescatore, security analyst and vice president and research fellow at research firm Gartner , said unless users are running Windows XP Service Pack 2 (SP2), which is immune to the IFRAME vulnerability, they should consider running an alternate browser to IE.

“Aside from that, the best way to protect yourself is not to click on ad banners,” he said.

He also recommended operators of Web sites serving banner ads to use add-on security products that are designed to stop these types of attacks, like Prevx and McAfee’s intrusion prevention software. “Those are the primary options,” Pescatore told

Microsoft has not issued a patch for the vulnerability.

The Bethesda, Md.-based SANS Internet Storm Center has been posting warnings on its Web site since Saturday, reporting compromised sites in Britain, Sweden and the Netherlands. The center also warned operators of Web sites that serve banner ads to verify that the ads don’t contain the IFRAME exploit code.

“You might want to consider disabling banner ads for a little while to minimize the risk of accidentally infecting your users and propagating,” SANS recommended. “Since this vulnerability is easy to exploit, it is likely that malware for his issue will come in many flavors and colors.”

So far it appears North American-based sites have not been affected.

News Around the Web