The Yahoo logo is shown at the company's headquarters in Sunnyvale, Calif. in this April 16, 2013 file photo. (Robert Galbraith/Reuters)

Two Internet security firms have reported that Yahoo's advertising servers have been distributing malware to hundreds of thousands of users over the last few days. The attack appears to be the work of malicious parties who have hijacked Yahoo's advertising network for their own ends.

Fox IT, a security firm based in the Netherlands, wrote a blog post on Friday describing the problem. "Clients visiting yahoo.com received advertisements served by ads.yahoo.com. Some of the advertisements are malicious," the firm reported. Instead of serving ordinary ads, Yahoo's servers reportedly send users an "exploit kit" that "exploits vulnerabilities in Java and installs a host of different malware."

Ashkan Soltani, a security researcher and Washington Post contributor, alerted me to the issue. Often, he says, such attacks are "the result of hacking an existing ad network." But there's another possibility, he says. The culprits may have simply submitted the malicious software as ordinary ads, sneaking past Yahoo's system for filtering out malicious submissions.

Fox IT says Yahoo users have been getting infected since at least Dec. 30. At the time it discovered the issue on Friday, the firm says, malicious payloads were being delivered to around 300,000 users per hour. The company guesses that around 9 percent of those, or 27,000 users per hour, were being infected. More recently, the firm says, the volume of infections has tapered off, perhaps due to efforts by Yahoo's security team.

"It is unclear which specific group is behind this attack, but the attackers are clearly financially motivated," the firm writes. Fox IT suggests that whoever is behind the attack may be selling control over the victims' computers to other online criminals.

Another security researcher based in the Netherlands, Mark Loman, has confirmed seeing the malware. His firm, Surfright, makes anti-virus software.

The fact that the malware targeted flaws in the Java programming environment is an important reminder that the software has become a security menace. When it was created almost two decades ago, the Java programming language was hailed as a way to make Web sites more interactive. But it has been largely superseded for this purpose by technologies like Flash and JavaScript.

As Java's Web plugin has declined in popularity among legitimate Web developers, its security flaws have become a juicy target for hackers. Some browser vendors are moving toward blocking the technology outright. And security experts recommend that if your browser supports it, you should disable Java (but not JavaScript, a completely separate technology) as a precaution.

Update: "At Yahoo, we take the safety and privacy of our users seriously," a Yahoo spokeswoman said in a Saturday email to the Washington Post. "We recently identified an ad designed to spread malware to some of our users. We immediately removed it and will continue to monitor and block any ads being used for this activity."

Update (January 5): Yahoo now says that Mac and mobile users, as well as users in North America, were not affected by the attack.