ID:1261244
 
BYOND Version:latest beta release from beta forums
Operating System:Windows 7 Pro 64-bit
Web Browser:Chrome 26.0.1410.64
Applies to:Dream Seeker and Pager
Status: Unverified

Thus far we've been unable to verify or reproduce this bug. Or, it has been observed but it cannot be triggered with a reliable test case. You can help us out by editing your report or adding a comment with more information.
Descriptive Problem Summary:
Issue: Third-party advertisements and use of aged IE-based infrastructure. It is entirely possible for the ad publishers that you display content from to send malicious code through your pager and/or the connecting screen. Just the other day I had an ad masquerading as Flash attempt to MODIFY SYSTEM FILES to the point where it REQUIRED AUTHORIZATION FROM DEP to MODIFY SYSTEM FILES.

It actually popped up a DEP query, and of course I clicked No. On Windows XP, however, this can probably execute without any issue.

Further, many ads fail to completely show secure content and instead pop up a dialogue asking if you want to display the little bit of secure content that came through. There were also some script-running errors I'd run into.

Numbered Steps to Reproduce Problem:
1. Attempt to play BYOND games. It is random which ad you get.

Code Snippet (if applicable) to Reproduce Problem:


Expected Results:
A secure ad-delivered experience that BYOND needs to shove into my face for some reason.

Actual Results:
Malware and security holes.

Does the problem occur:
Every time? Or how often?
Only when a third-party ad is malicious.
In other games?
It's the BYOND pager/Dream Seeker.
In other user accounts?
Of course.
On other computers?
Only if they're Windows.
When does the problem NOT occur?
When the third-party ad is not malicious (yeah right).
Did the problem NOT occur in any earlier versions? If so, what was the last version that worked? (Visit http://www.byond.com/download/build to download old versions for testing.)

Worked fine on the stable version. That wasn't full of third-party ads.

Workarounds:

Don't use the BYOND beta pager.
Do you actually have evidence of this from the 1183 pager? If so, give us as much information about the malicious ad(s) as well as your IE setup so we can attempt to catch them in action as well as see which of our three ad providers is sending them (these are major networks).

We went to great lengths to deal with any possible exploits; our research showed that the modern malvertisements used a Java exploit, and that led to us disabling Java in our IE implementation. If there are Flash exploits, those would also be problematic in non-IE browsers.

The script-running errors should not occur in version 1183+ (please post the # you are actually running, since "latest" does not give us context). These are not cases of malware but simply improper JavaScript that is fairly common in ads; most browsers ignore this, but IE does not by default, so we have made a specialized exception in 1183.

I would prefer not to run ads but we are not generating any money otherwise and this is the only way to get a contribution from the majority of users to keep this project alive. We will not require the new pager but it will be the only way to use messaging in the future.

Obviously blocking malicious ads is a priority, but I have yet to see one, nor have any of the publisher ads been flagged. We were concerned in much earlier testing by what was likely a red herring: we did get an antivirus alert alluding to a rather outdated Java exploit (this may not have come from these ads, though); as noted above, Java is disabled, so this particular case is not an issue. Note that our ads are all delivered through our website, so malvertising would affect us sitewide and likely get us flagged.

I am looking into tools that will allow us to prescreen ads, as well as to gauge the reputation of our ad networks to see if there is a history of this. We want users to have the confidence to know that BYOND is spyware-free and aren't going to change that now; if there is any issue here at all and we can't solve it, we'll scrap this approach even if it may lead to the demise of the business.

This issue was "hidden for security reasons", but as it is obviously of critical importance I want to open it up here. We are very adamant about ensuring that BYOND never spreads malware, and have put a lot of work into preventing the recent "malvertisement" trend. We will look into this further to be absolutely confident this isn't an issue before going public with this release. But, outside of the OP's disturbing report, I see no evidence of it, nor see any vulnerabilities in our code due to the way we prevent exploits (we may have to look into shoring up Flash ads or blocking them at least in the static display, if there is a Flash issue).

I would like to know if anyone has had any problems with this; e.g. malware or virus alerts since running the beta.

I found a bad ad from one of our providers. It didn't actually harm the system, but it was clearly somewhat scammy and misleading, and it launched a popup, which is unacceptable. We're putting in some further safety measures to ensure no non-click popups at least. I'm also leaning towards losing the static ads on the pager interface to start (keeping the interstitials, which are generally videos and subject to a more aggressive standard from the ad supplier).

I'd still be interested in any experiences or feedback here. I hope you all understand why we are going with the ad approach.
Tom changed status to 'Unverified'
No point in ads if you can't even play the game to try it for new players joining. After a while they will get sick of BYOND not letting them play anything, thus losing potential customers.
Obviously we don't intend for the ads to block game access and are trying to fix any remaining issue (the latest release should have solved the problems for most people). If you are having a problem still, please report it here: ID:1272434. Make sure you are running the latest release from http://www.byond.com/download

Hopefully it has the places-not-loading-right issue fixed.