Yet Another Flash Vulnerability Unearthed, Targets Yahoo Users With Malvertising

Adobe's Flash platform is running out of friends. You may recall that a few weeks ago Mozilla disabled Flash by default in its Firefox browser due to the discovery of multiple critical vulnerabilities, and around the same time, Facebook's chief security officer urged Adobe to set a kill date for its buggy API. Expect more of those sentiments following a recent week-long attack on Yahoo's ad network.

Security outfit Malwarebytes discovered the "malvertising" campaign, which kicked off on July 28. It involved hackers purchasing ads across Yahoo's various sites and then injecting them with malicious code. The malware would then seek out vulnerable versions of Flash to deliver payloads and ultimately take control of a PC.

[Image: Yahoo building]

"Malvertising is a silent killer because malicious ads do not require any type of user interaction in order to execute their payload. The mere fact of browsing to a website that has adverts (and most sites, if not all, do) is enough to start the infection chain," Malwarebytes said.

To Yahoo's credit, it took immediate action once it was aware of the incident. However, the week-long attack may have infected millions of visitors -- Yahoo receives 6.9 billion visits per month, including over 300 million to its news site, 112.5 million to its sports section, and over 43 million to its games portal.

Those who clicked on a malicious ad were redirected to other sites before eventually being infected with the Angler Exploit Kit, a nasty tool that downloads malware onto a victim's PC in the background. Malwarebytes didn't take a look at the payload, but said that Angler is a popular delivery method for ransomware, which encrypts a user's hard drive and demands payment to unlock it.