June 27, 2016 By Douglas Bonderud 2 min read

Malvertising remains a big draw for cybercriminals: Stuff Flash-based ads full of malicious code, dupe legitimate advertising networks into carrying the message, then sit back and enjoy the deluge of user data. In an effort to stamp out this kind of slimy sales tactic, big companies such as Apple and Google are making the push for HTML5.

But there’s a problem. As noted by SecurityWeek, the hot new code won’t stop malicious ads — and could actually make things worse.

Hyped-Up Hypertext?

HTML5 is on the rise. As reported by eWEEK, Apple is phasing out plugins such as Flash, Java, Silverlight and even QuickTime in favor of HTML5 for Safari 10. Both Microsoft and Google are on the same page, with the former announcing that any Flash content that isn’t central to an active webpage will be paused in the Windows 10 Edge browser; likewise, the latter has plans to drop Flash in favor of HTML5 in Chrome by the end of the year.

While this push may streamline content delivery and help break the dependence on proprietary plugins, the promise of better security may be little more than a pipe dream. Taken at face value, the move to HTML5 makes sense: Hundreds of new vulnerabilities are discovered in Flash every year, compared to just a few in new HTML5 code.

The problem, however, doesn’t lie with HTML5 itself but the underlying ad experience, which depends on advertising standards such as VAST and VPAID. According to the Internet Advertising Bureau, “VPAID ads can provide rich ad experiences for viewers and collect ad playback and interaction details.”

Herein lies the problem: the ads themselves, rather than the underlying code, are often the weakest link. Since HTML5 ads are driven by JavaScript, adding malicious code isn’t much of a stretch. In fact, researchers just found a new ransomware strain known as RAA written entirely in JavaScript.

The Future of Malvertising and HTML5

It’s also possible that, for some companies, implementing HTML5 may result in even more malvertising and higher bandwidth costs. Since the new standard is assumed to offer better security, reduced web oversight could drive increased infection rates. The larger size of HTML5 ads could also mean companies pay more for bandwidth when employees simply browse the web.

Other contributing factors? As noted by SC Magazine, the World Wide Web Consortium (W3C) is currently fighting over digital rights management (DRM) as applied to HTML5. If security researchers aren’t protected from legal attacks brought under copyright law, the result could be an open playing field for attackers hoping to perform successful HTML5 hacks.

There’s also some suggestion that HTML5 may be dated before full adoption occurs. An HTML6 with better media codec support and basic Python scripting could significantly improve web browsing.

Bottom line? Replacing Flash with HTML5 won’t prevent malvertising — attackers will happily hijack any ads they can. Real change has to come from ad suppliers rather than end-user software; no hypertext solution will lock out cybercriminals if advertisers leave the door wide open.
