NewsJune 27, 2016 @ 8:26 AM

Flash or HTML5? Malvertising-Makers Will Happily Hijack Both

Malvertising remains a big draw for cybercriminals: Stuff Flash-based ads full of malicious code, dupe legitimate advertising networks into carrying the message then sit back and enjoy the deluge of user data. In an effort to stamp out this kind of slimy sales tactic, big companies such as Apple and Google are making the push for HTML5.

But there’s a problem. As noted by SecurityWeek, the hot new code won’t stop malicious ads — and could actually make things worse.

Hyped-Up Hypertext?

HTML5 is on the rise. As reported by eWEEK, Apple is phasing out plugins such as Flash, Java, Silverlight and even QuickTime in favor of HTML5 for Safari 10. Both Microsoft and Google are on the same page, with the former announcing that any Flash content that isn’t central to an active webpage will be paused in the Windows 10 Edge browser; likewise, the latter has plans to drop Flash in favor of HTML5 in Chrome by the end of the year.

While this push may streamline content delivery and help break the dependence on proprietary plugins, the promise of better security may be little more than a pipe dream. Taken at face value, the move to HTML5 makes sense: Hundreds of new vulnerabilities are discovered in Flash every year, compared to just a few in new HTML5 code.

The problem, however, doesn’t lie with HTML5 itself but the underlying ad experience, which depends on advertising standards such as VAST and VPAID. According to the Internet Advertising Bureau, “VPAID ads can provide rich ad experiences for viewers and collect ad playback and interaction details.”

Herein lies the problem — the ads themselves, rather than underlying code, are often the weakest link. Since JavaScript forms the basis of HTML5, adding malicious code isn’t much of a stretch. In fact, researchers just found a new ransomware strain known as RAA written entirely in JavaScript.

The Future of Malvertising and HTML5

It’s also possible that, for some companies, implementing HTML5 may result in even more malvertising and higher bandwidth costs. Since the new standard is assumed to offer better security, reduced web oversight could drive increased infection rates. The larger size of HTML5 ads could also mean higher spend by companies for employees simply browsing the web.

Other contributing factors? As noted by SC Magazine, the World Wide Web Consortium (W3C) is currently fighting over digital rights management (DRM) as applied to HTML5. If security researchers aren’t protected from attacks via copyright law, the result could be an open playing field for attackers hoping to perform successful HTML5 hacks.

There’s also some suggestion that HTML5 may be dated before full adoption occurs. An HTML6 with better media codec support and basic Python scripting could significantly improve web browsing.

Bottom line? Replacing Flash with HTML5 won’t prevent malvertising — attackers will happily hijack any ads they can. Real change has to come from ad suppliers rather than end-user software; no hypertext solution will lock out cybercriminals if advertisers leave the door wide open.

Share this Article:
Douglas Bonderud

Freelance Writer

A freelance writer for three years, Doug Bonderud is a Western Canadian with expertise in the fields of technology and innovation. In addition to working for the IBM Midsize Insider, The Content Standard and Proteomics programs for Skyword, Doug also writes for companies like Ephricon Web Marketing and sites such as MSDynamicsWorld. Clients are impressed with not only his command of language but the minimal need for editing necessary in his pieces. His ability to create readable, relatable articles from diverse Web content is second to none. He has also written a weekly column for TORWars, a videogaming website; posts about invention and design for InventorSpot.com and general knowledge articles for WiseGeek. From 2010-2012, Doug did copywriting for eCopywriters.com. Doug is currently a municipal police officer, on track to become a fantasy/sci-fi author.