html5 HTML5 Won't Stop Malvertising, Brings New Threats

[Batu69]

Flash is one of the most abused pieces of software in use. Flexera Software's Vulnerability Review 2016 counts 457 vulnerabilities in 2014 and 2015 (second only to Chrome with 516 vulnerabilities). But Flash is the attacker's tool of choice. For example, as recently as late May 2016 Malwarebytes reported on a malvertising campaign exploiting Flash and redirecting users to the Angler exploit kit.

 

Such abuse is behind current browser campaigns to deprecate the use of Flash while browsing. In April 2016 Microsoft announced  that Flash content not central to the page itself (such as games) would be automatically paused in Windows 10 (Edge browser). The intent is to spur the adoption of HTML5 for animated content. In May 2016 Google announced that it would deprecate Flash and promote HTML5 within Chrome by the end of this year.

 

Such actions are likely to fuel a move from Flash to HTML5 for the display of web-delivered advertising. This, however, will have little effect on preventing malvertising. 

 

A recent report from GeoEdge, an ad scanning vendor, compares the two options. This report suggests that there are technical advantages and disadvantages in both. For example, Flash can provide better clarity with its sub-pixel support, but doesn't automatically scale to the window size as does HTML5. Flash requires greater processing power, but HTML5 adverts come in at a larger size (approximately 100kb bigger).

 

In terms of general security, new security vulnerabilities are regularly discovered in Flash, something that is not the case with HTML5. Nevertheless, GeoEdge makes it very clear that HTML5 will not prevent malvertising. This has nothing to do with HTML5 per se, but is down to the nature of the adverts themselves.

 

The primary root of malvertising lies with the advertising standards (VAST and VPAID) developed in 2012. As the Internet Advertising Bureau wrote at the time, "The significance is that advertisers using VPAID ads can provide rich ad experiences for viewers and collect ad playback and interaction details that are just as rich as the ad experience."

 

This ability for interaction between the user and the advertiser applies to both Flash and HTML5 adverts. "Since these standards allow advertisers to receive data about the user," writes GeoEdge, "they allow for third-party codes to be inserted inside the ad. Once a third-party code is allowed, there is an open door for bad actors to perpetrate malicious activities, i.e. insert malicious code." Since, says the report, JavaScript is the base language for HTML5, "malicious code can be packaged in HTLM5 without much difficulty."

 

Within the last few days, researchers have discovered a ransomware strain, called RAA, entirely written in JavaScript. In theory, a future HTML5 malvertising campaign would be able to deliver ransomware directly to the user via HTML5. "JavaScript is a general purpose programming language," comments Simon Crosby, CTO at Bromium. "Once one hacker has figured out how to use it to write crypto-malware, any other hacker can simply read the source code and use it elsewhere. So I expect to see rapid re-use and many variants of this attack." The only way to prevent such breaches, he suggests, "is to use an endpoint isolation technology like micro-virtualization that hardware isolates each tab of the browser from the OS - so that crypto-malware cannot impact the endpoint."

 

But there is no easy third-party solution to the malvertizing problem. Changing to HTML5 doesn't help, and could make things worse. The only solution, suggests F-Secure, is for the ad industry itself to take responsibility. "Ad serving platforms should implement better security measures themselves," F-Secure's Andrew Patel told SecurityWeek. "Incoming ads should be vetted before they are served to the greater community. This can be achieved by passing them through solutions that catch malware and exploit kits. Even if this requires a sandbox approach, it is completely doable."

 

But there is yet another issue to consider. A 2015 study by the Simon Fraser University on the use of AdBlock Plus suggested blocking animated adverts can provide a 25% reduction in bytes downloaded. Where companies allow staff browsing on the corporate network, this can result in a considerable non-business bandwidth cost. However, this cost will only increase with a switch to larger HTML5 adverts.

 

Article source

[humble3d]

We were concerned about this, too...

 

No safe place ?

[vissha]

HTML5 Ads Aren't That Safe Compared to Flash, Experts Say

 

 

The real problems are the ad networks and JavaScript

 

Quote

A study from GeoEdge, an ad scanning vendor, reveals that Flash has been wrongly accused as the root cause of today's malvertising campaigns, but in reality, switching to HTML5 ads won't safeguard users from attacks because the vulnerabilities are in the ad platforms and advertising standards themselves.

 

The evidence exists to proclaim Flash as one of today's most vulnerable and insecure software applications. Targeted in cyber-espionage and malvertising campaigns, Flash has gotten a bad reputation, and for a good reason.

 

HTML5 ads are replacing Flash ads in the industry

 

Security researchers have discovered vulnerabilities in Flash almost every month, and for many years, Adobe has been slow to patch them. Things changed recently after browser vendors threatened to have the plugin disabled for most of their users.

 

But Adobe's new approach to Flash security issues came a little too late, as the community had already worked for years at adding the appropriate features to HTML5 and other standards in order to replace Adobe's piece of junk.

 

HTML5 was officially released in October 2014, and slowly but surely, started to replace Flash in the advertising market, where many ad networks such as Google and Amazon have announced they'll stop taking static Flash ads, even if still allowing Flash for video ads.

 

Malvertisers don't care if ad is Flash or HTML5

 

According to the GeoEdge study, attacks using malicious ads, known as malvertising, do not necessarily rely on the underlying ad, but more on the insecure standards used to build the advertising network's infrastructure, regardless if they deliver static or video ads.

 

The company argues that for video ads, the primary root of malvertising is the VAST and VPAID advertising standards. VAST and VPAID are the rules of the game when it comes to online video advertising, defining the road an ad needs to take from the ad's creator to the user's browser.

 

Even if the ad is Flash or HTML5, there are critical points in this ad delivery path where ad creators can alter the ad via JavaScript injections. These same critical points are also there so advertisers or ad networks can feed JavaScript code that fingerprints and tracks users.

 

If you want to blame a technology, blame JavaScript

 

A malicious ad creator can use his ability to send third-party JavaScript to the ad via AdParameter values. Instead of user tracking code or ad delivery instructions, he can very easily deliver malicious code instead. At no point does it matter to him if the ad was created in Flash or HTML5.

 

Of course, there's a discussion if HTML5 is actually an improvement over Flash. While Flash has better image quality rendering, HTML5 ads are usually larger in size. While Flash ads require a plugin to work, HTML5 ads don't work in older browsers. While Flash ads can be easily optimized, HTML5 ads are easier to create and work on mobile devices by default. In terms of security, HTML5 is the clear cut winner, but currently, Flash ads are still a solid alternative.

 

"There are some advantages to Flash-based ads. However, in terms of security, HTML5 is the more secure option," says GeoEdge. "The main root of the video ad malvertising problem is, unfortunately, fundamental."

 

While GeoEdge's report only tackled video ads, the same thing goes for static ads, regardless if they're created in Flash or HTML5. The real problem is the design of some advertising networks that allow advertisers to deliver custom JavaScript. Be it an image, a Flash object, or anything else, the real exploitation point in malvertising attacks is not the ad, but the adjacent code.

 

 

Source

[DKT27]

Threads merged.

 

Both are quite useful articles I think.