When I worked for Yahoo! there often was discussion about the security filters and controls for an advertisement system (e.g. making ad banners safe for web pages).
Unfortunately this attack vector still poses a problem today. A CNet story explains how a Zeus Trojan steals $1 million from U.K. bank accounts
A computer user is compromised by either visiting a legitimate Web site that is secretly hosting the malware, or a site designed to host the malware, or a legitimate site hosting the malware in an advertisement. The primary attack came through malicious advertisements, including ads delivered by Yahoo’s Yieldmanager.com, the report said.
The malware redirects a Web surfer to an exploit kit, either the Eleonore Exploit Toolkit or the Phoenix Exploit Toolkit, that then exploits a vulnerability on the surfer’s computer and drops the Trojan on the machine. The Eleonore Exploit Toolkit includes exploits for vulnerabilities in Adobe Reader, Java, and Internet Explorer, among others.
Filtering code allowed into an advertisement is a solution that is tempting to pursue. Consider, however, that after decades of research there are still 4% detection rates (yes, 4%, as I wrote about a couple years ago) for some anti-virus software. An investment in “black list” filtering for code is expensive yet still may not end up with the necessary protection.
Thinking about the other extreme — “white list” filtering — brings a bigger issue into focus. Why are financial institutions are allowing third-party code, let alone advertisements, onto sites that manage bank accounts? Do banks need advertising dollars more than they need safe web sites? Perhaps someone missed the memo on secure code and the weaknesses in trust domains.