
Attackers have bombarded the Internet with more than 1 billion malicious ads in less than two months. The attackers targeted iOS and macOS users with what were zero-day vulnerabilities in Chrome and Safari browsers that were recently patched, researchers said on Monday.

More than 1 billion malicious ads served in the past six weeks contained exploit code that redirected vulnerable users to malicious sites, according to a post published by security firm Confiant. The surge of malicious ads exploited a Safari vulnerability in both iOS and macOS, as well as a Chrome vulnerability in iOS.

“Staggering volume”

"If we take a snapshot of eGobbler activity from August 1 to September 23, 2019, then we see a staggering volume of impacted programmatic impressions," Confiant researcher and engineer Eliya Stein wrote. "By our estimates, we believe up to 1.16 billion impressions have been affected."

To generate successful redirects, eGobbler was exploiting what had been a zero-day vulnerability in WebKit, the browser engine that is used in Safari and shares code with Blink, the WebKit fork used for Chrome. The vulnerability existed in a JavaScript function (known as the onkeydown event), which occurs each time a user presses a key on the keyboard. Tracked as CVE-2019-8771, the vulnerability allowed ads linked in HTML tags known as iframes to break out of security sandbox protections that prevent a user from being redirected without explicitly initiating it.
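The sandbox protections mentioned above are set per frame through the iframe `sandbox` attribute, including the `allow-top-navigation-by-user-activation` directive that Confiant names. The following is an added example, not code from Confiant or from the original article: a small audit that classifies what top-level navigation each ad iframe in a page snippet is permitted. The function names and the `ads.example` URLs are constructed for illustration, and the regex parsing is a simplification that assumes attribute values contain no `>`.

```javascript
// Added example: classify the top-navigation policy of each <iframe> in an HTML snippet.
const IFRAME_RE = /<iframe\b([^>]*)>/gi;
const ATTR_RE = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse name/value pairs; a bare attribute such as `sandbox` gets the value "".
function parseAttrs(raw) {
  const attrs = new Map();
  for (const m of raw.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    // The first occurrence of a duplicated attribute wins, as in HTML parsing.
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? "");
  }
  return attrs;
}

function classify(attrs) {
  // No sandbox attribute: no sandbox policy at all, only browser defaults apply.
  if (!attrs.has("sandbox")) return "unsandboxed";
  const tokens = new Set(
    attrs.get("sandbox").toLowerCase().split(/\s+/).filter(Boolean)
  );
  // allow-top-navigation lets the frame redirect the page with no user gesture.
  if (tokens.has("allow-top-navigation")) return "unrestricted";
  // Gated on a user gesture: safe only while the browser judges gestures
  // correctly, which is the check the page says CVE-2019-8771 bypassed.
  if (tokens.has("allow-top-navigation-by-user-activation")) return "user-activation";
  // Sandboxed with neither token: the frame cannot navigate the top-level page.
  return "blocked";
}

function auditIframes(html) {
  return [...html.matchAll(IFRAME_RE)].map((m) => {
    const attrs = parseAttrs(m[1]);
    return { src: attrs.get("src") ?? null, topNavigation: classify(attrs) };
  });
}

// Constructed sample markup (not taken from the campaign).
const SAMPLE_HTML = `
<iframe src="https://ads.example/slot-a" sandbox="allow-scripts allow-top-navigation-by-user-activation"></iframe>
<iframe src="https://ads.example/slot-b" sandbox="allow-scripts allow-top-navigation"></iframe>
<iframe src='https://ads.example/slot-c' sandbox></iframe>
<iframe src=https://ads.example/slot-d></iframe>
`;

console.log(auditIframes(SAMPLE_HTML));
```

Frames reported as `user-activation` are the ones whose protection depends on the browser fix, so they are the ones to re-test after patching.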

One of the malvertisements eGobbler served in the recent campaign. Image: Confiant

"The nature of the bug is that a cross-origin nested iframe is able to 'autofocus' which bypasses the 'allow-top-navigation-by-user-activation' sandbox directive on the parent frame," Stein wrote. "With the inner frame automatically focused, the keydown event becomes a user-activated navigation event, which renders the ad sandboxing ent