Stay on top of the latest tech news with our free IT News Digest newsletter, delivered each weekday.
Automatically sign up today!


Stefanie Olsen

Staff Writer, CNET

Hackers are using blogs to infect computers with spyware, exposing serious security flaws in self-publishing tools used by millions of people on the Web.

The problem involves the use of JavaScript and ActiveX, two common methods used to launch programs on a Web page. Security experts said malicious programmers can use JavaScript and ActiveX to automatically deliver spyware from a blog to people who visit the site with a vulnerable Web browser.

Spyware tools also have been hidden inside JavaScript programs that are offered freely on the Web for bloggers to enhance their sites with features such as music. As a result, bloggers who use infected tools could unwittingly turn their sites into a delivery platform for spyware.

“It is one more link in the commerce chain of illicit adware,” said Richard Stiennon, chief of technology at Webroot Software, a maker of anti-spyware technology.

“If auto-generated Web sites such as blog sites allow the inclusion of ActiveX and JavaScript, they are a great place for spyware writers to try to induce the blogger or Web page owner into including some active code,” he said.

Spyware has plagued Web surfers and companies in recent years. Creators of malicious code take advantage of security vulnerabilities in e-mail software, Web browsers and desktop applications to spread code used to siphon personal information or litter a PC with advertisements. Now such rogue outfits are using blogs as a tool to increase their number of installations.

The problem only affects Web surfers using Microsoft’s Internet Explorer who fail to choose the highest IE browser security settings, security experts said.

The blog vulnerability has cropped up most visibly in Google’s Blogger, the most widely used blog-publishing tool. But it could affect other services as well.

“It is one more link in the commerce chain of illicit adware.”

–Richard Stiennon, chief of technology, Webroot

Visitors to Blogger‘s network have complained that they were exposed to infected sites when they used the “Next Blog” link. The feature was designed to help people discover new journals and takes Web surfers to a random Blogspot site.

“They left the back door wide open,” said Ben Edelman, a Harvard University researcher who has documented the vulnerability on his site, referring to Blogger.

A Google representative responded by saying the company is “aware of this issue and we are looking into it.”

Visitors to Blogger sites at say they have been targeted with pop-up ads seeking to deliver malicious code to their computers. One ad erroneously warns people that their computers are vulnerable to spyware and prompts them to click the ad to protect themselves. Clicking the ad launches a download that infects a machine with spyware.

At least one Blogger visitor has charged that his computer was hit by an automatic download that did not require him to click on anything to become infected.

The alleged victim, an attorney at Mallory & Tsibouris, has published a cautionary note on the company’s Web site: We do “not endorse the use of the ‘Next Blog’ at the upper right hand corner of this blog.”

Edelman said that one major culprit of malicious code was a service called, which lets people add music to the Web sites in the form of a couple lines of JavaScript code. Bloggers using Blogspot might embed the iWebtunes code into their template and then pass on the spyware unwittingly to visitors to their site.

iWebtunes will likely get a fee each time it spreads the spyware or it might benefit from the sale of advertising. The bloggers, on the other hand, will get nothing.

Attempts to contact iWebtunes were unsuccessful. The company does not publish contact information on its Web site and uses a third party to protect its identity in the Whois database, the public registry of Web site owners. The company provided a phone number in its Whois registration, but the number was busy for several hours on Wednesday morning.

Google is hardly the only one to blame in this scenario. Microsoft has long been criticized for security weaknesses that let code writers take advantage of its Internet Explorer, the most widely used Web browser.

“You could blame users for clicking on the pop-up, blame Microsoft for designing the insecure software installation system, blame iWebtunes for delivering the pop-ups, or you could blame the blog’s author for embedding iWebtunes,” Edelman said.

Webroot’s Stiennon advises people to switch to the Mozilla Foundation’s Firefox Web browser for reading blogs. Either do that, or change IE security settings to deactivate ActiveX or JavaScript in the Web browser, he said.