Facebook banner ad serves an IE exploit

Unpatched PCs running Internet Explorer could fall victim to adware when visiting social networking site Facebook.

Security researcher Roger Thompson got a surprise the other night when he borrowed a computer to view a friend's Facebook blog -- Internet Explorer wanted to download some malicious Microsoft Data Access Components (MDAC) objects. That didn't seem right, so he tried another computer, and said "I got extra copies of the browser starting, and ads being served."

Thompson is no stranger to such tricks. He heads Exploit Prevention Labs, a company that specialises in finding and mitigating browser exploits found on Web pages.

This attack really surprised him. It uses an exploit for MS06-014, which means that if your computer has been updated with the latest patches from Microsoft issued since September 2006, you won't experience a thing. But if you haven't updated your Windows computer in more than one year, you'll be subjected to a barrage of unwanted adware.

On vulnerable machines, Thompson found that the banner ad on Facebook makes a call to bannerconnect, bannerconnect makes a call to yieldmanager, yieldmanager makes a call to valuead, and valuead makes a call to megapromition, which throws an exploit (MS06-014) and runs an adware installer.

Thompson's latest blog explains the whole process in greater detail. The end result is that once infected, your Internet Explorer home page displays additional windows serving various ads.
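The call chain described above (a page on a trusted site, several ad hosts in turn, then the host that delivers the exploit) can be rebuilt from web proxy logs by following Referer headers backwards. The sketch below is an added example, not code from Thompson or Exploit Prevention Labs; the log records and the .example hostnames are constructed, and it assumes the proxy records a Referer for each hop, which is not always the case.

```python
from urllib.parse import urlsplit

# Constructed proxy records: (client IP, requested URL, Referer header).
# The .example hosts are placeholders standing in for the hops in the article.
SAMPLE_LOG = [
    ("10.0.0.5", "http://social.example/profile", ""),
    ("10.0.0.5", "http://adnet-a.example/banner.js", "http://social.example/profile"),
    ("10.0.0.5", "http://adnet-b.example/serve", "http://adnet-a.example/banner.js"),
    ("10.0.0.5", "http://adnet-c.example/ad", "http://adnet-b.example/serve"),
    ("10.0.0.5", "http://landing.example/x.htm", "http://adnet-c.example/ad"),
    ("10.0.0.9", "http://news.example/", ""),
    ("10.0.0.9", "http://cdn.example/logo.png", "http://news.example/"),
]


def host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def chain_to(client, url, parents, max_hops=20):
    """Walk Referer links backwards and return hosts from origin page to url."""
    chain, seen = [], set()
    while url and url not in seen and len(chain) < max_hops:
        seen.add(url)  # guards against Referer loops
        chain.append(host(url))
        url = parents.get((client, url), "")
    return chain[::-1]


def find_deep_ad_chains(records, first_party_hosts, min_third_party=3):
    """Flag leaf requests reached from a first-party page via many other hosts."""
    parents = {(c, u): r for c, u, r in records}
    referers = {(c, r) for c, _, r in records if r}
    findings = []
    for client, url, _ in records:
        if (client, url) in referers:
            continue  # not the end of a chain; something else was loaded from it
        chain = chain_to(client, url, parents)
        third_party = set(chain[1:]) - {chain[0]}
        if chain[0] in first_party_hosts and len(third_party) >= min_third_party:
            findings.append((client, chain))
    return findings


if __name__ == "__main__":
    for client, chain in find_deep_ad_chains(SAMPLE_LOG, {"social.example", "news.example"}):
        print(client, " -> ".join(chain))
```

A long chain is a triage signal rather than proof of compromise; the last host in a flagged chain is the one to inspect first.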


Talkback 2 comments

    Perhaps people should patch... John Van Der Loo -- 17/09/07

    This is a very typical example of what happens to "un-savvy" web users. They don't patch their machines, and get infected, because they use a very insecure browser.

    I personally can't wait until the day when major websites will simply stop allowing users to visit their website with IE6 and older. IE7 and Firefox (and Opera 9 and pretty much any other browser that gets updated on a regular basis) are much better alternatives when looking at browser security.

    Browser wars aside, it's a sad reality that users still heavily underestimate the importance of regularly updating their machine, or using alternative software that offers better security. IMHO this has a lot to do with most users not being educated enough on the very basics of computer security.

    Facebook banner ads Anonymous -- 20/09/07 (in reply to #320086276)

    The real issue here is that corporates tend to not patch automatically, and people check things like Facebook at work. When a legitimate site serves exploits, they catch a lot of corporate users. Here, for example, is a video we made about the Bank Of India's recent hack.

    http://www.youtube.com/watch?v=aWV8d2rWf8E

    Cheers

    Roger
    CTO
    Explabs.com
