Microsoft moves to mitigate man-in-the-middle malvertising

Microsoft hopes to mitigate malvertising

Microsoft has announced that with effect from March 31, 2016, it will enforce new adware objective criteria in an attempt to mitigate the evolving malicious advertising threat landscape.

The moves by Microsoft will be looking to address the particular problem of ad injection software whereby automated advertising networks are tricked by threat actors into delivering ads complete with embedded malware.

"Ad injection software has evolved, and is now using a variety of 'man-in-the-middle' (MiTM) techniques. Some of these techniques include injection by proxy, changing DNS settings, network layer manipulation and other methods. All of these techniques intercept communications between the Internet and the PC to inject advertisements and promotions into webpages from outside, without the control of the browser. Our intent is to keep the user in control of their browsing experience and these methods reduce that control," said Barak Shein and Michael Johnson from the Microsoft Malware Protection Center in a Threat Research & Response Blog posting.

Microsoft says it will "encourage developers in the ecosystem to comply with the new criteria" and that "programs that fail to comply will be detected and removed." In other words, Microsoft will classify ad injection software using man-in-the-middle techniques as malware.
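The three injection channels named in the MMPC quote (a user-level proxy or PAC script, altered DNS resolvers, and a Winsock layered service provider hooking the network stack) can each be audited from a Windows host. The script below is an added, read-only check written for this article, not code from Microsoft or the article's author; the registry key and cmdlets are standard Windows ones, while the expected-resolver list is a constructed placeholder to replace with your own.

```powershell
# Added example: audit a Windows host for the ad-injection channels the MMPC
# quote lists. Read-only; reports findings, changes nothing.
$ExpectedDns = @('10.0.0.53', '10.0.0.54')   # CONSTRUCTED placeholder resolvers

function Get-ProxyInjectionIndicators {
    # "Injection by proxy": a per-user proxy or auto-config (PAC) URL the user never set.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $findings = @()
    if ($p.ProxyEnable -eq 1 -and $p.ProxyServer) {
        $findings += "User proxy enabled: $($p.ProxyServer)"
    }
    if ($p.AutoConfigURL) {
        $findings += "PAC script configured: $($p.AutoConfigURL)"
    }
    return $findings
}

function Get-DnsOverrideIndicators {
    # "Changing DNS settings": any interface pointing at a resolver outside the expected set.
    $findings = @()
    foreach ($if in Get-DnsClientServerAddress -AddressFamily IPv4) {
        foreach ($srv in $if.ServerAddresses) {
            if ($ExpectedDns -notcontains $srv) {
                $findings += "Interface '$($if.InterfaceAlias)' uses unexpected DNS server $srv"
            }
        }
    }
    return $findings
}

function Get-WinsockLspIndicators {
    # "Network layer manipulation": Winsock catalog providers loaded from outside System32.
    $findings = @()
    $paths = netsh winsock show catalog | Select-String 'Provider Path:'
    foreach ($line in $paths) {
        $path = ($line.Line -split ':', 2)[1].Trim()
        if ($path -notmatch '(?i)\\(system32|syswow64)\\') {
            $findings += "Non-system Winsock provider: $path"
        }
    }
    return $findings
}

$all = @(Get-ProxyInjectionIndicators) + @(Get-DnsOverrideIndicators) + @(Get-WinsockLspIndicators)
if ($all.Count -eq 0) { Write-Output 'No injection indicators found.' }
else { $all | ForEach-Object { Write-Output "FINDING: $_" } }
```

A hit is a lead to investigate, not proof of adware: corporate proxies, PAC files and third-party firewall LSPs will legitimately appear here, so baseline the output on a known-clean build first.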

So, if we've understood this correctly, adware will need to be installed as a removable browser plugin. Whilst this could help in a Lenovo Superfish scenario, where the security hole it created was left active even after uninstallation, we cannot help but wonder whether this will help in the overall fight against the malvertising threat in any meaningful way.

SCMagazineUK.com took these concerns, and the Microsoft mitigation tactic, to the IT security industry at large to see what it thought.

There was a broad measure of support for Microsoft, as summed up by Paul Ducklin, senior technologist at Sophos who said, "If you've ever done any hiking, you'll know how much more confident you feel about an outing when visibility is good. The hills are just as steep, and the descents hammer your knees just as much, but knowing where you stand is extremely helpful. This move by Microsoft will help to provide clarity in the journey against malicious and unwanted ads."

Chris Boyd, malware intelligence analyst at Malwarebytes, said he thought that while pre-installed adware on new PCs has always been an issue, "with this change Microsoft could be seen as throwing down the gauntlet where the great unknown of a supposedly 'factory clean' computer is concerned".

All too often, we've seen major vulnerabilities roll onto the shop floor because of poorly programmed adware. "This will hopefully make PC manufacturers more cautious about what pre-installation deals they make," Boyd insisted, "and impact everything from broken apps to questionable adverts and potential security holes as a result."

Ilia Kolochenko, CEO of High-Tech Bridge, was equally positive about the moves, telling us, "Microsoft is definitely on the right way of blocking intrusive ads. It's a pity that they haven't done this a long time ago. This change may significantly decrease the number of malvertising campaigns. It would also be helpful to make some awareness both for users and companies to explain that business models based only on selling ads cannot be sustainable (except if you are not Google)."

Not everyone agrees though. Take Robert Hansen, VP of WhiteHat Labs at WhiteHat Security, who warns that while this is seen as a good move in general, it doesn't actually change much. "Ad injectors don't need to follow Microsoft's rules, and aren't thwarted by them," Hansen explained to SCMagazineUK.com. "In this case, Microsoft has an ad platform, and has a vested interest in making sure ads are seen and are not modified by adversaries. So it would make sense that they would take a blacklist approach to ads, which has been proven to be a failed security model since time immemorial."

Ryan O'Leary, senior director of Threat Research Center, also at WhiteHat Security, added, "Microsoft is simply putting down on paper some rules to follow but, if you're the one creating the malvertising, a ruleset isn't really a deterrent for you. These ads will continue to make it onto the users' systems. The only real benefit is Microsoft will now be policing them and hopefully the ads will be taken down much quicker than they would have. In the grand scheme of things, I don't believe this will change the current malvertising landscape."