more on Bofra exploit hits The Register ad serving supplier

[David Farber <dave () farber net>]

Begin forwarded message:

From: Peter Lowe <pgl () yoyo org>
Date: November 23, 2004 8:28:55 PM EST
To: David Farber <dave () farber net>
Cc: Ip <ip () v2 listbox com>
Subject: Re: [IP] Bofra exploit hits The Register ad serving supplier

[ For IP, if you like. ]

The Register also have a notice up about ad service being restored:

        http://www.theregister.co.uk/2004/11/23/register_restores_adserver/

Register restores ad service
By Team Register
Published Tuesday 23rd November 2004 09:24 GMT

Site Notice On Saturday, The Register suspended service by third party
ad serving supplier, Falk, following security issues detailed [1]here.

Today we have restored the service, after satisfying ourselves that this
problem is fixed. Falk's statement on what went wrong is [2]here.

Our thanks for all your emails. We appreciate the kind words and note
the performance issues that many of you raise. We will be seeking to
address this in coming weeks.

At a rough guess, the number of Reg readers exposed to the Bofra /IFrame
exploit was in the low hundreds. We have no means of estimating how many
of these were protected by firewalls or anti-virus software protection.

During the period Falk's service was compromised - between 6.10am and
12.30pm on Saturday, 11660 unique individuals using Windows and IE6
visited The Register. We haven't drilled down the different flavours of
Windows, but we assume that the majority were not on Windows XP SP2
boxes. Reader with Windows XP SP2 are protected from the Bofra /IFrame
exploit, along with the rest of the non-Windows world. On average
readers looked at three pages a pop. So that's around 35,000 pages in
which the rogue ad could have been served. According to Falk, one in 30
requests for a banner ad were redirects to the site containing the bofra
worm. If this is correct around 1,170 rogue ads were served on our site.

We apologise again for exposing readers to this. We also urge readers
using IE on Windows to switch browsers, at least until the iFrame
exploit is patched properly.

Here is advice from McAfee on removing the Bofra worm. Ž

[1]http://www.theregister.co.uk/2004/11/21/register_adserver_attack/
[2]http://www.falkag.com/news.php?Id=26
[3]http://us.mcafee.com/virusInfo/default.asp? 
id=description&virus_k=129629

On Nov 23, David Farber wrote:
> Begin forwarded message:
>
> From: Monty Solomon <monty () roscom com>
> Date: November 23, 2004 9:20:27 AM EST
> To: undisclosed-recipient:;
> Subject: Bofra exploit hits The Register ad serving supplier
>
> http://www.theregister.co.uk/2004/11/21/register_adserver_attack/
>
>
> Bofra exploit hits our ad serving supplier
> By Team Register
> Published Sunday 21st November 2004 16:18 GMT
>
> Important notice
>
> Early on Saturday morning some banner advertising served for The
> Register by third party ad serving company Falk AG became infected
> with the Bofra/IFrame exploit. The Register suspended ad serving by
> this company on discovery of the problem.
>
> Bofra/IFrame is a currently unpatched exploit which affects Internet
> Explorer 6.0 on all Windows platforms bar Windows XP SP2. If you may
> have visited The Register between 6am and 12.30pm GMT on Saturday,
> Nov 20 using any Windows platform bar XP SP2 we strongly advise you
> to check your machine with up to date anti-virus software, to install
> SP2 if you are running Windows XP, and to strongly consider running
> an alternative browser, at least until Microsoft deals with the issue.
>
> We have asked Falk for an explanation and for further details of the
> incident, and pending this we do not intend to restart ad-serving via
> the company. Falk will, we understand, be making a statement
> regarding the matter on Monday.
>
> Although the matter was beyond our direct control, we do not regard
> it as acceptable for any Register reader to be exposed in this way,
> and wish to apologise sincerely to anyone who was. Further
> information about this particular exploit is available here or here.
>
> http://www.theregister.co.uk/2004/11/04/ie_iframe_vuln/
>
> http://www.theregister.co.uk/2004/11/10/bofra_worm/
>
> -------------------------------------
> You are subscribed as pgl () yoyo org
> To manage your subscription, go to
>  http://v2.listbox.com/member/?listname=ip
>
> Archives at:  
> http://www.interesting-people.org/archives/interesting-people/

--
The Czech Republic: Home of the world's finest beer.
Litres drunk by Czechs so far this year: 1,474,727,606.49

 - http://prague.tv/toys/beer/

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/