Grauw’s blog

Last saturday the Swiss advertising provider Falk AG has been hacked to spread a virus through its ad servers. This virus, called Bofra makes use of a security vulnerability in Internet Explorer which exists in all versions except on computers with the Windows XP SP2 (service pack 2) installed. Basically everyone who visited a page with ads from Falk AG last saturday between 18:10 and 0:30 o’clock has a chance of 1/30 (per page) of having been exposed to it.

Falk AG’s advertising service is used by some very popular Dutch sites owned by Ilse, most prominently Startpagina.nl (a portal site), nu.nl (a news site) and the Ilse search engine (which is next to Google the most popular search engine in the Netherlands). Another affected site is The Register, a popular IT news site, and there are probably many more I don’t know about.

Now a probability of 1/30 doesn’t seem like much, but because of the fact that this probability counts for every page you visit on one of these sites, and that the virus was active during prime internet time (saturday evening) strongly increases this chance.

Additionally, the sites affected by this are really popular and visited frequently. Many people have one of these pages as their start page (in particular startpagina.nl and ilse.nl), which means that the site will be opened every time a new browser window is opened. And the nu.nl site automatically refreshes itself every 5 minutes, so even if you just left a single page of their site opened in the background for a couple of hours and did nothing with it, your computer would still very likely be infected by the virus.

Now let’s do some loose probability calculation... Even on a technical site like w3schools the share of Windows OS-es older than Windows XP is 30%, and I’d say for non-technical sites like the aforementioned ones this will be more. So about 50% of the visitors of those sites is running Windows 2000, Windows 98 or lower, with no way to upgrade to Internet Explorer 6.0 SP2 except for installing a new OS (which costs a fair amount of money), and all these people are vulnerable. Of the people who do have SP2 I estimate about half still hasn’t upgraded to SP2. They are vulnerable as well.

My estimate is that about 50% of the people using startpagina.nl, ilse.nl and nu.nl have been infected with this virus now. That’s a terrible lot of people, even if the percentage is less.

Sad as it may be, maybe this will make people finally realize that keeping your OS up-to-date is really important, and moreover that Internet Explorer is a bug-ridden creature which leaves you vulnerable, even if you don’t visit obscure underground sites or something.

If you have a Windows OS older than Windows XP, the only way to protect yourself against such security holes is by either upgrading the OS, or switching to a different browser, such as Mozilla Firefox (NL). If you are using Windows XP, you should upgrade to SP2 as soon as possible if you haven’t done so yet, and even then I would advise you to use the Firefox browser, because Internet Explorer still has some unresolved security issues, and more will appear in the future.

Note that with Firefox, too, it is important to run the latest version in order to ensure your browser is secure. So if an update notification window is shown, be sure to click on it or on the update icon which appears in the top right of your window, next to the throbber.

More information about the virus attack can be found on the following pages:

• Startpagina.nl virus alert
• Bofra exploit hits our ad serving supplier (The Register)
• Falk statement on Bofra attack (The Register)