Welcome to Reality, New York Times

Last weekend, some users were unpleasantly surprised to find that the New York Times was serving up malware ads of the type you might expect to find on a sleazy blog site. The ads showed a fake virus scan and tried to force the user to install a fake virus cleaner.The Times said the malware ads were able to appear because the company placing the ad represented themselves as a national advertiser. As is common practice on many sites, the Times web pages served the actual ad content off the advertisers site. Even if the Times required pre-approval of ads, serving them off the advertisers site means that they lost control of what was being served. The Times web site served benign ads for the company last week without any incident, but once the weekend arrived the ads turned ugly. No doubt the advertiser realized that malicious ads would last longer during the weekend when a skeleton crew was on duty.

As a result of the incident, the Times says that it will now require all ads to be served off its own web site. That way the advertiser won't be able to change content without approval. That's a great -- but belated -- step for the Times to take. What about other web sites though? Lots of web sites use third-party advertising networks, and those sites have essentially no control over the ads that are served. Sometimes the ad is an open-ended script tag, which gives an external site the ability to run arbitrary Javascript on the site. Should web sites be depending on ad networks to vet the ads that appear on their sites? This weekend's incident at the New York Times site shows that there certainly are advertisers out there that can't be trusted.