After sending test data to about 50,000 computers in July and August 2007, the researchers said Internet service providers apparently have been infusing advertisements into Web pages on their networks. The researchers also reported that various Web-browsing and ad-blocking programs actually infect pages with security weaknesses.
University of Washington doctoral student Charles Reis noted in the paper that the Web is "wilder than we originally expected."
Reis and a researcher at the International Computer Science Institute wrote software that tested whether visitors to a test page on the University of Washington's website were viewing HTML that had been altered in transit, according to TechWorld.
On 16 occasions, ads were injected by a visitor's Internet service provider.
"We're confirming rumors that were in the news last summer that ISPs had been injecting these ads," Reis said.
However, an XO Communications spokesman said the company does not insert ads into pages. He said any ad injection linked to XO Communications' network probably was done by a "downstream" service provider that was purchasing network capacity from the company.
The data show that pages occasionally were altered by pop-up blockers within products such as CheckPoint's ZoneAlarm or CA's Personal Firewall, and some products inserted security vulnerabilities into the pages they processed.
The researchers said Microsoft's Internet Explorer browser also was part of the trouble. They said the browser injected HTML into pages it saved to the computer's hard drive, making those pages vulnerable to attacks when the page was reloaded from the disk.
The researchers' paper is considered a first step toward obtaining a clearer picture of what Internet networks are actually doing.
"One of the next steps for the community is to create better and stronger mechanisms for understanding what is happening," University of Washington Assistant Professor Tadayoshi Kohno told TechWorld. "The Web is still very young, and we just don't know what's going to happen next."
The paper was presented Wednesday at the Usenix Symposium on Networked Systems Design and Implementation in San Francisco.