Two internet security firms have reported that Yahoo's advertising servers have been distributing malware to hundreds of thousands of users over the past week.
The attack appears to have been the work of malicious parties who have hijacked Yahoo's advertising network.
Fox IT, a security firm based in the Netherlands, described the problem in a blog post on Friday. "Clients visiting yahoo.com received advertisements served by ads.yahoo.com. Some of the advertisements are malicious," the firm reported. Instead of serving ordinary ads, Yahoo's servers reportedly sent users an "exploit kit" that "exploits vulnerabilities in Java and installs a host of different malware."
300,000 users per hour
Fox IT says Yahoo users have been getting infected since at least December 30 2013. At the time it discovered the issue on Friday, the firm says, malicious payloads were being delivered to around 300,000 users per hour. The company guesses that around 9 percent of those, or 27,000 users per hour, were being infected. More recently, the firm says, the volume of infections has tapered off, perhaps due to efforts by Yahoo's security team.
A researcher, also in the Netherlands, has confirmed seeing the malware. The fact that the malware targeted flaws in a Java programming environment is a further reminder that the software is not entirely secure.
As Java's Web plugin has declined in popularity among legitimate Web developers, its security flaws have become a juicy target for hackers. Some browser vendors are moving toward blocking the technology outright. Security experts recommend that if your browser supports it, you should disable Java as a precaution.
A Yahoo spokeswoman said: "We recently identified an ad designed to spread malware to some of our users. We immediately removed it and will continue to monitor and block any ads being used for this activity."