As someone who worked on/with the ad serving stack, I agree with FireEye's stance on this one.
The problem is this: ads are basically browser-injection-as-a-service, as in injecting code into websites of your choice, targeting audiences of your choice. Browsers mitigate this problem somewhat by sandboxing cross-site stuff in the webpage, and ad networks theoretically scan the payloads for malware like miners, but those tests aren't hard to work around. So ads can basically run whatever they want within the little aperture of an iframe that they get.
If there's a zero-day like the Internet Explorer JPEG renderer zero-day (https://www.kb.cert.org/vuls/id/965206), then the ad networks are basically broadly targeted zero-day-as-a-service.
Ad blockers aren't a bad first line of defense for this.