Roger Thompson, chief technical officer of Exploit Prevention Labs, revealed the exploit in a blog posting. He noted that he "was reading a friend's FaceBook blog when Internet Explorer displayed a message noting that a webpage was trying to start RDS (Remote Data Services) services, and would I allow it.
"I clicked 'No,' then thought, 'Hang on . . . it shouldn't have been starting RDS!' So I started a goat machine, retraced my steps, and about a minute later . . . blam . . . programs dropped and executed on my machine."
After rebooting the unpatched PC, he discovered when he started "IE and went to my home page, I got extra copies of the browser starting and ads being served." A check of whois, he said, revealed the adware was coming from a "prominitions" website, which was downloading adware and spyware to vulnerable machines.
But "it's not clear who owns it," Thompson said. "Its ownership is hidden by one of the anonymizing Internet registrars.
"You'd normally expect to see this sort of stuff if visiting websites of ill repute, such as pornographic websites," Thompson said. "You wouldn't expect to see them on something innocent" such as Facebook.
Windows PCs of users who have not installed Microsoft patches MS06-140 and MS-06-142 from September 2006 are vulnerable to the exploit, according to Thompson. Those patches cleared up a variety of remote data services exploits, he explained.
"Anybody who is patched is perfectly safe," Thompson said. He added, however, that many organisations do not "patch automatically because they tend to have homegrown applications" that conflict with some of the patches.
In these situations, "People checking their Facebook pages at work could easily get adware on their PC.
"The issue is the web is the emerging battleground," Thompson said. "People need to be aware that others are trying to get into their computer that way. The underlying message: Make sure you're automatically patching your computer, and it's a good idea to install something like anti-exploit software."
"The ad in question violated Facebook's ad guidelines and was removed from the site," a Facebook spokesman said. "Facebook is also working closely with the international ad network that served the ad to ensure that future ads meet its strict guidelines for appropriate and safe advertising."
See original article on SC Magazine US
Ads on Facebook serving up adware
By Jim Carr on Sep 19, 2007 1:35AM