\ Spectre in the Advertising Ecosystem
Feature: Page (1) of 1 - 01/23/18

Spectre in the Advertising Ecosystem

By Chris Olson, CEO and Cofounder of The Media Trust


Communicated to the world on January 3, Spectre is a troublesome, potentially damaging vulnerability discovered in microprocessors that allows the surreptitious capture of passwords and sensitive data. To put the severity of this problem into perspective, almost every networked device made in the past 20 years is vulnerable to Spectre(1), including those that run the global digital ecosystem-from brands, advertising/marketing technologies to websites and consumer browsers. 

With this microprocessor vulnerability, memory and supposedly protected data like passwords could be accessed by malicious JavaScript. Patching these vulnerabilities can be a complex challenge, and in some cases patches have caused tangible performance issues. Even worse, manufacturing new microprocessors that would solve these vulnerabilities could take years.




Reality of advertising ecosystem compromise
For the advertising industry, the threat does not seem obvious. However, industry researchers conducted proof-of-concept attack scenarios using just a few lines of JavaScript and C programming code to highlight the potential risk.

Many malvertizers employ JavaScript as their main source of malicious code execution, and implementing this malicious JavaScript on a host vulnerable to the Spectre is possible. In theory, an exploit could breach a host's environment and access data handled by a device's processor. This means, therefore, that a compromised advertisement or content served to a website could potentially collect data stored on the user's device (individual accessing a website) such as passwords and sensitive files like banking information, personnel data, and intellectual property.

Should bad actors determine how to leverage this vulnerability, they will most likely execute on a large-scale basis, affecting a vast network of hosts as opposed to targeting individual machines. Digital industry participants should adopt a defensive posture and pay close attention to all code flowing through or executing in their digital environments. Upon detection of anomalous code, publishers and their upstream partners need to immediately terminate it. To broaden communication and mitigate an emerging attack, these groups should share all relevant data with their entire digital ecosystem.

Ad blocking: False Security
To defend against a device infection, some researchers have advised users to implement ad-blocking tools(2). However, while these tools may stop the creative from rendering, they don't stop all ad-related code from executing in the background. In addition, some ad blocking tools still serve ads albeit at a less frequent rate.

Antivirus and server-side blocking solutions are almost completely defenseless against Spectre as they rely on blacklists or known malware strings. In the highly-dynamic digital environment, a Spectre-related attack can develop and transform within seconds causing irreparable harm to both the website operator's brand and the consumer's device.

When defense is an offense
While a Spectre attack has not been detected in the digital advertising ecosystem, the ammunition exists, and it can be loaded and fired at any moment. Now, more than ever, organizations need a firm grasp of their website environment, a complex task that is difficult to master. Not only do traditional security products fall flat, but also the security capabilities of various digital providers like tag managers, ecosystem mappers and consent platforms are lacking.

The best digital defense against Spectre and other web-based malware attacks is to prohibit the execution of all unknown code on the corporate website. This means identifying all code and the vendors that bring it, including functionality provided by third parties in the form of content recommendation engines, commenting services, data management platforms, social media widgets, video platforms and more. 

Every domain, its activity and relevance to overall functionality, must be analyzed closely. Terminate anything not germane to serving the requested content or advertisement. In addition, if unwanted code is served from a fourth or fifth party provider, they too should be made aware of the situation with a request to have it removed from their environment as well. Otherwise, the malicious code will continue to propagate in the broader ecosystem and wreak havoc for others.

Defensive strategies require control of the corporate digital environment, which can reduce liability while ensuring the integrity of a corporation's brand reputation and customer satisfaction. It also means the Spectre of today won't lead to an even bigger specter tomorrow.


1 https://www.csoonline.com/article/3247868/vulnerabilities/spectre-and-meltdown-explained-what-they-are-how-they-work-whats-at-risk.html

2 https://www.lawfareblog.com/spectre-advertising-meltdown-what-you-need-know 

Chris Olson is CEO and Cofounder of The Media Trust, the global leader in monitoring and protecting the online and mobile advertising ecosystem. The Media Trust works with the world's largest, most-heavily trafficked digital properties to provide real-time security, first-party data protection and privacy, performance management and quality assurance solutions that help protect, monetize and optimize the user experience across desktop, smartphone, tablet and gaming devices. is CEO and Cofounder of The Media Trust, the global leader in monitoring and protecting the online and mobile advertising ecosystem. The Media Trust works with the world's largest, most-heavily trafficked digital properties to provide real-time security, first-party data protection and privacy, performance management and quality assurance solutions that help protect, monetize and optimize the user experience across desktop, smartphone, tablet and gaming devices.

Related Keywords:Spectre

Source:Digital Media Online. All Rights Reserved

Our Privacy Policy --- @ Copyright, 2015 Digital Media Online, All Rights Reserved

Webmaster
Privacy.