Malware in ads

I was having a lot of problems with ads on the site crashing either the JS or Flash engine on Chrome (for Mac). In the thread about it (I wanted to complain that the problems were still occurring, but Chrome kept crashing or becoming unresponsive), I saw that some posters were complaining about their computers being infected with malware as a result of some of the ads. What is the nature of this malware? Is it attempting some kind of JavaScript attack like XSS or CSRF, or is it attempting to inject malware on the system through buffer over/underrun issues that I hear plague Flash? Is this Windows-only malware?

Thanks,
Rob

Not an expert, but my own experience suggests that Firefox is easily the best browser for this website. I get no ads at all here when using FF. I got all kinds of crap when using Chrome. Moreover, Chrome in general, which used to be a great browser, seems to be more glitchy as of late, particularly if you have extensions such as Chromecast, Adobe, or others. It’s not just a Straightdope problem. Chrome generally seems to be getting a rather bad case of the suckage.

I used Firefox for many years, but a few months ago switched to Chrome. But in both of those browsers, I added AdBlockPlus. That takes care of all the annoying ads on this site and many others, including those ads that infect you with malware.

I can’t imagine using a browser with an Ad Blocker. I was in the hospital some months ago, and used a computer in the lounge to access some of my regular websites. It used Microsoft’s IE browser, with no adblocker. I was astounded with the amount of distracting & annoying ads that I didn’t even know about.

How can people stand browsing the web without an AdBlocker?

Malware is often put in an ad in a one-pixel-by-one-pixel script that calls another website to download and run the file. You can’t see it and the original graphic didn’t have it, so it wasn’t noticed. It has the effect of visiting the bad website. It’s also easy to do.

A pixel and a script are independent. A 1x1 image from another site is used for various tracking purposes and such. But it won’t directly deliver malware.

A script doesn’t have to render squat on the screen. No need to hide it visually on the page. And scripts from other sites are the plague of web browsing. Many sites run scripts from dozens of other sites. Ads, tracking, “like” buttons, etc.

The Ghostery add-on is scarily informative about what goes on behind page loading.

But JS in the browser can’t access the file system. It also can’t run arbitrary code, unless it is exploiting some sort of bug in the browser or a plug-in, right?

Thanks.

It can access a small bit of the file system: cookies, persistent storage and some other odds and ends. In addition, with user permission, it can read any user-accessible file for things such as uploading a file, etc. Similarly, it can save a file to a download directory.

No “normal” part of a web page has automatic permission to access the overall file system. Not in JS, Java, Flash, etc. But the abnormal happens all the time. Hence having to upgrade Flash every week or two.

(There’s Yet Another Serious New Bug in Flash just discovered. An update to fix it, maybe, was just released.)

The best fix to Flash is already built into the Operating System – go to the “Add/Remove Programs” and click on Remove.

You won’t miss it.
The better browsers have replacements included, and good websites are converting to the standard HTML5 instead of the proprietary Flash. For any website that only works with Flash, find another website with the same products that doesn’t need Flash.

I use Edge because it downloaded with Win 10, but I do have the others. I’ve had problems with this website too. Kaspersky tells me that the certificate for this site has not been authenticated and I can read it at my own risk.

Actually, the latest version of Internet Explorer downloaded with Win 10, too. It’s just hard to find compared to Edge because Microsoft wants to switch people to Edge.

I know. I have IE and Chrome also. I just like Edge.

I also had problems with Shockwave Flash, so I turned it off (Mozilla).