The linked article talks about misleading ads that let people download malicious apks. This is no different than scam emails with malicious .exes, or "please reset your WhatsApp password here" messages, ...etc. In other words, it doesn't demonstrate why web ads are any more susceptible to being malware vectors when compared to email, messaging apps, or social media (basically anything with user-generated/third-party content that allows text).
Which is why it feels unfair to me to single out Zoom's addition of ads to their free tier for being a malware vector.
> Don't many other companies (Google, Facebook, etc) manage to do that without becoming vectors for malware?
This all depends on targeting (as an HN user you're unlikely to be targeted by them as there are higher-value ads that match your profile) but at the bottom of the targeting barrel there are absolutely ads for scams and/or malware.
I think it is a bit different when it will be seen by employees as a part of internal tooling. After the meeting they see a banner "Important points from the presentation" or "The mandatory new tool to fight malware." or even "2021-11-sales.xls" and I guarantee people will click on it. Of course you can blame it on companies saving money for more or less sensible reasons by not paying for their tools and on uneducated employees, but it will happen.
Hmm. If you trust users to discern between malicious and non-malicious emails (that can contain things like "the mandatory new tool to fight malware" as you say), I think that implies you trust users to discern between malicious ads and non-malicious ads.
And I don't see any reason that the spam/malicious-content filtering tools used to filter email would not be used to filter ads (with appropriate modifications of course).
So this leaves me unconvinced that Zoom web ads are any more susceptible to being malware vectors as compared to ads anywhere else (or other tools that host user-generated/third party text, like email, messaging, and social media).
It is an ad on a page in the browser. Don't many other companies (Google, Facebook, etc) manage to do that without becoming vectors for malware?