June 27, 2016 By Douglas Bonderud 2 min read

Malvertising remains a big draw for cybercriminals: Stuff Flash-based ads full of malicious code, dupe legitimate advertising networks into carrying the message, then sit back and enjoy the deluge of user data. In an effort to stamp out this kind of slimy sales tactic, big companies such as Apple and Google are making the push for HTML5.

But there’s a problem. As noted by SecurityWeek, the hot new code won’t stop malicious ads — and could actually make things worse.

Hyped-Up Hypertext?

HTML5 is on the rise. As reported by eWEEK, Apple is phasing out plugins such as Flash, Java, Silverlight and even QuickTime in favor of HTML5 for Safari 10. Both Microsoft and Google are on the same page, with the former announcing that any Flash content that isn’t central to an active webpage will be paused in the Windows 10 Edge browser; likewise, the latter has plans to drop Flash in favor of HTML5 in Chrome by the end of the year.

While this push may streamline content delivery and help break the dependence on proprietary plugins, the promise of better security may be little more than a pipe dream. Taken at face value, the move to HTML5 makes sense: Hundreds of new vulnerabilities are discovered in Flash every year, compared to just a few in new HTML5 code.

The problem, however, doesn’t lie with HTML5 itself but the underlying ad experience, which depends on advertising standards such as VAST and VPAID. According to the Internet Advertising Bureau, “VPAID ads can provide rich ad experiences for viewers and collect ad playback and interaction details.”

Herein lies the problem — the ads themselves, rather than underlying code, are often the weakest link. Since JavaScript forms the basis of HTML5, adding malicious code isn’t much of a stretch. In fact, researchers just found a new ransomware strain known as RAA written entirely in JavaScript.

The Future of Malvertising and HTML5

It’s also possible that, for some companies, implementing HTML5 may result in even more malvertising and higher bandwidth costs. Since the new standard is assumed to offer better security, reduced web oversight could drive increased infection rates. The larger size of HTML5 ads could also mean higher bandwidth spend for companies whose employees are simply browsing the web.

Other contributing factors? As noted by SC Magazine, the World Wide Web Consortium (W3C) is currently fighting over digital rights management (DRM) as applied to HTML5. If security researchers aren’t protected from attacks via copyright law, the result could be an open playing field for attackers hoping to perform successful HTML5 hacks.

There’s also some suggestion that HTML5 may be dated before full adoption occurs. An HTML6 with better media codec support and basic Python scripting could significantly improve web browsing.

Bottom line? Replacing Flash with HTML5 won’t prevent malvertising — attackers will happily hijack any ads they can. Real change has to come from ad suppliers rather than end-user software; no hypertext solution will lock out cybercriminals if advertisers leave the door wide open.
