June 27, 2016 By Douglas Bonderud 2 min read

Malvertising remains a big draw for cybercriminals: Stuff Flash-based ads full of malicious code, dupe legitimate advertising networks into carrying the message then sit back and enjoy the deluge of user data. In an effort to stamp out this kind of slimy sales tactic, big companies such as Apple and Google are making the push for HTML5.

But there’s a problem. As noted by SecurityWeek, the hot new code won’t stop malicious ads — and could actually make things worse.

Hyped-Up Hypertext?

HTML5 is on the rise. As reported by eWEEK, Apple is phasing out plugins such as Flash, Java, Silverlight and even QuickTime in favor of HTML5 for Safari 10. Both Microsoft and Google are on the same page, with the former announcing that any Flash content that isn’t central to an active webpage will be paused in the Windows 10 Edge browser; likewise, the latter has plans to drop Flash in favor of HTML5 in Chrome by the end of the year.

While this push may streamline content delivery and help break the dependence on proprietary plugins, the promise of better security may be little more than a pipe dream. Taken at face value, the move to HTML5 makes sense: Hundreds of new vulnerabilities are discovered in Flash every year, compared to just a few in new HTML5 code.

The problem, however, doesn’t lie with HTML5 itself but the underlying ad experience, which depends on advertising standards such as VAST and VPAID. According to the Internet Advertising Bureau, “VPAID ads can provide rich ad experiences for viewers and collect ad playback and interaction details.”

Herein lies the problem — the ads themselves, rather than underlying code, are often the weakest link. Since JavaScript forms the basis of HTML5, adding malicious code isn’t much of a stretch. In fact, researchers just found a new ransomware strain known as RAA written entirely in JavaScript.

The Future of Malvertising and HTML5

It’s also possible that, for some companies, implementing HTML5 may result in even more malvertising and higher bandwidth costs. Since the new standard is assumed to offer better security, reduced web oversight could drive increased infection rates. The larger size of HTML5 ads could also mean higher spend by companies for employees simply browsing the web.

Other contributing factors? As noted by SC Magazine, the World Wide Web Consortium (W3C) is currently fighting over digital rights management (DRM) as applied to HTML5. If security researchers aren’t protected from attacks via copyright law, the result could be an open playing field for attackers hoping to perform successful HTML5 hacks.

There’s also some suggestion that HTML5 may be dated before full adoption occurs. An HTML6 with better media codec support and basic Python scripting could significantly improve web browsing.

Bottom line? Replacing Flash with HTML5 won’t prevent malvertising — attackers will happily hijack any ads they can. Real change has to come from ad suppliers rather than end-user software; no hypertext solution will lock out cybercriminals if advertisers leave the door wide open.

More from

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

ICS CERT predictions for 2024: What you need to know

4 min read - As we work through the first quarter of 2024, various sectors are continuously adapting to increasingly complex cybersecurity threats. Sectors like healthcare, finance, energy and transportation are all regularly widening their digital infrastructure, resulting in larger attack surfaces and greater risk exposure.Kaspersky just released their ICS CERT Predictions for this year, outlining the key cybersecurity challenges industrial enterprises will face in the year ahead. The forecasts emphasize the persistent nature of ransomware threats, the increasing prevalence of cosmopolitical hacktivism, insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today