Jesse Stay, brought to my attention earlier, with the screenshot below the code, that Adobe was activating pop-ups through Google Adsense; of course this shouldn’t happen, since Google doesn’t allow such actions, in their ads. I went to check in out for myself, and got nil. I immediately assumed that it was limited to Mac, and went in search of the User-Agent check, and found it after about 5 minutes.

Update: The rest of this article is a bit technical, if you would like a less technical description, you should go read Adobe and Google Sitting in a Tree.

Below is the source of the issue:

document.write('<!-- Template Id = 2,593 Template Name = Banner Creative (Flash) - In Page --><!-- Copyright 2006 DoubleClick Inc., All rights reserved. --><script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write('

'); function DCFlash(id,pVM){ var swf = "http://s0.2mdn.net/1295336/Adobe_Flash_WeLoveTechStandAlone_300x250_std.swf"; var gif = "http://s0.2mdn.net/1295336/Adobe_Flash_WeLoveTechTandem_300x250_img.gif"; var minV = 8; var FWH = ' width="300" height="250" '; var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/399a/f/16c/%2a/z%3B224918296%3B0-0%3B0%3B48697163%3B4307-300/250%3B36759992/36777870/1%3B%3B%7Esscs%3D%3fhttp://adclick.g.doubleclick.net/aclk?sa=l&ai=B7rXGceHsS9PODOThlQfNrvjSDe_sysIBAAAAEAEgr86-CjgAWM_pofIUYMnO7Y2ApfgRsgEOdGVjaGNydW5jaC5jb23IAQnaATRodHRwOi8vdGVjaGNydW5jaC5jb20vMjAxMC8wNS8xMy9jaHJvbWUtb3MtcHJvZ3Jlc3MvmAJkwAIC4AIA6gISVGVjaGNydW5jaF8zMDB4MjUw-AL00R6QA-ADmAOsAqgDAeAEAQ&num=0&sig=AGiWqtxB0NIJCJR5KJ5OngVkuvd_Qw20Dw&client=ca-pub-6181816114362650&adurl=http%3a%2f%2fwww.adobe.com/choice%3Fsdid%3DGXRVD"); var wmode = "opaque"; var bg = "same as SWF"; var dcallowscriptaccess = "never"; var openWindow = "false"; var winW = 600; var winH = 400; var winL = 0; var winT = 0; if(typeof(encodeURIComponent)=="function"){url=encodeURIComponent(unescape(url));} var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'"'; var bgo=(bg=="same as SWF")?"":'<param name="bgcolor" value="#'+bg+'">'; var bge=(bg=="same as SWF")?"":' bgcolor="#'+bg+'"'; function FSWin(){ if((openWindow=="false")&&(id=="DCF0"))alert('openWindow is wrong.'); if((openWindow=="center")&&window.screen) {winL=Math.floor((screen.availWidth-winW)/2);winT=Math.floor((screen.availHeight-winH)/2);} window.open(unescape(url),id,"width="+winW+",height="+winH+",top="+winT+",left="+winL+",status=no,toolbar=no,menubar=no,location=no");}this.FSWin = FSWin; ua=navigator.userAgent; if(minV<=pVM&&(openWindow=="false"||(ua.indexOf("Mac")<0&&ua.indexOf("Opera")<0))){ var adcode='<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" id="'+id+'"'+FWH+'>'+ '<param name="movie" value="'+swf+'"><param name="flashvars" value='+fv+'><param name="quality" value="high"><param name="wmode" value="'+wmode+'"><param name="base" value="'+swf.substring(0,swf.lastIndexOf("/"))+'"><PARAM NAME="AllowScriptAccess" VALUE="'+dcallowscriptaccess+'">'+bgo+ '<embed src="'+swf+'" flashvars='+fv+bge+FWH+' type="application/x-shockwave-flash" quality="high" swliveconnect="true" wmode="'+wmode+'" name="'+id+'" base="'+swf.substring(0,swf.lastIndexOf("/"))+'" AllowScriptAccess="'+dcallowscriptaccess+'"></embed></object>'; if(('j'!="j")&&(typeof dclkFlashWrite!="undefined")){dclkFlashWrite(adcode);}else{document.write(adcode);} }else{ document.write('<a target="_blank" href="'+unescape(url)+'"><img src="'+gif+'"'+FWH+'border="0" alt="" galleryimg="no"></a>'); }} var pVM=0; var DCid=(isNaN("224918296"))?"DCF0":"DCF224918296"; if(navigator.plugins && navigator.mimeTypes.length){ var x=navigator.plugins["Shockwave Flash"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}} else if (window.ActiveXObject && window.execScript){ window.execScript('on error resume next

pVM=2

do

pVM=pVM+1

set swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)

loop while Err = 0

On Error Resume Next

pVM=pVM-1

Sub '+DCid+'_FSCommand(ByVal command, ByVal args)

Call '+DCid+'_DoFSCommand(command, args)

End Sub

',"VBScript");} eval("function "+DCid+"_DoFSCommand(c,a){if(c=='openWindow')o"+DCid+".FSWin();}o"+DCid+"=new DCFlash('"+DCid+"',pVM);"); //--> document.write('

<noscript><a target=\"_blank\" href=\"http://ad.doubleclick.net/click%3Bh%3Dv8/399a/f/16c/%2a/z%3B224918296%3B0-0%3B0%3B48697163%3B4307-300/250%3B36759992/36777870/1%3B%3B%7Esscs%3D%3fhttp://adclick.g.doubleclick.net/aclk?sa=l&ai=B7rXGceHsS9PODOThlQfNrvjSDe_sysIBAAAAEAEgr86-CjgAWM_pofIUYMnO7Y2ApfgRsgEOdGVjaGNydW5jaC5jb23IAQnaATRodHRwOi8vdGVjaGNydW5jaC5jb20vMjAxMC8wNS8xMy9jaHJvbWUtb3MtcHJvZ3Jlc3MvmAJkwAIC4AIA6gISVGVjaGNydW5jaF8zMDB4MjUw-AL00R6QA-ADmAOsAqgDAeAEAQ&num=0&sig=AGiWqtxB0NIJCJR5KJ5OngVkuvd_Qw20Dw&client=ca-pub-6181816114362650&adurl=http%3a%2f%2fwww.adobe.com/choice%3Fsdid%3DGXRVD\"><img src=\"http://s0.2mdn.net/1295336/Adobe_Flash_WeLoveTechTandem_300x250_img.gif\" width=\"300\" height=\"250\" border=\"0\" alt=\"\" galleryimg=\"no\"></a></noscript>

'); </script> <script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"> function dclkToObject(id) { if(document.layers){ return (document.layers[id])?eval(document.layers[id]):null; } else if(document.all && !document.getElementById){ return (eval("window."+id))?eval("window."+id):null; } else if(document.getElementById && document.body.style) { return (document.getElementById(id))?eval(document.getElementById(id)):null; } } function dclkFlashWrite(string){ document.write(string); } function dclkFlashInnerHTML(htmlElementId,code){ var x=dclkToObject(htmlElementId); if(x){ if(document.getElementById||document.all){ x.innerHTML=''; x.innerHTML=code; } else if(document.layers){ x.document.open(); x.document.write(code); x.document.close(); } } } </script>

The interesting thing I spotted quite quickly is that it is also going after Opera, don’t ask me why, that’s pretty obscure. I immediately tested it out, just to see, and ended up getting the pop-up.

After looking at the code for about a half hour, I still don’t know what everything is, and exactly how it’s getting past Google, I also don’t know how ad’s are created, because I’ve never bothered to look at it. So I’m not sure, if this is something anyone could execute, or if Google is allowing it. So it’s possible that there is a vulnerability in Adsense.

What I can tell after looking at the code, is that they are targeting Apple, and Opera, users, as well as using javascript to activate flash, in the background.

First they are setting the DCid as either DCF0 or DCF224198296, this should always validate as false and the will set DCid as DCF224198296. Then, it goes on to check if the browser uses plugins and has at least any values, if it results in true it attempts to setup ShockwaveFlash and perform a version check on it, setting the variable pVM to the version number. If that statement failed, it assumes you are using IE and initializes using ActiveX.

I don’t understand exactly what is going on in the eval, so I can’t say much about it, besides it calls DCFlash with the DCid(“DCF224198296”) and the pVM(“Flash Version”).

I apologize if the rest of this is rushed for now, I’m getting a bit tired.

The DCFlash function then initializes an assortment of variables, before setting up the FSWin function.

FSWin checks to see if the window is already open or the DCid was set in error to DCF0, it then checks to see if the window is centered and gather your screen size for offsets on the window border. Following FSWin is the window initialization, which disables all navigation, in that window.

Next, is the User-Agent analysis, which first check to make sure that your current Flash version is at minimum Vers. 8, it then checks to see if you are using either a Mac or Opera, if you aren’t the value is less than 0, returning true, this then compares in with window==”false”, which is true, in an or statement, which will return false, if both are set. If this test of the browser conditions fail, either using an old version of Flash, or using a Mac, or Opera it will default to just the default hyperlinked gif. Otherwise, it sets up Flash to be displayed in the window pain.

During the course, of writing this the test ad I was using has disappeared, but I’ll see if I can gather any more of the code. One thing I found odd, is that the ad was stored within an iFrame, which I couldn’t find with any of Google’s other Adsense ads, I managed to find a representation of using an iFrame, after I woke up.