Slashdot Mirror
HTML5 Ads Aren't That Safe Compared To Flash, Experts Say (softpedia.com)
An anonymous reader writes: [Softpedia reports:] "A study from GeoEdge (PDF), an ad scanning vendor, reveals that Flash has been wrongly accused as the root cause of today's malvertising campaigns, but in reality, switching to HTML5 ads won't safeguard users from attacks because the vulnerabilities are in the ad platforms and advertising standards themselves. The company argues that for video ads, the primary root of malvertising is the VAST and VPAID advertising standards. VAST and VPAID are the rules of the game when it comes to online video advertising, defining the road an ad needs to take from the ad's creator to the user's browser. Even if the ad is Flash or HTML5, there are critical points in this ad delivery path where ad creators can alter the ad via JavaScript injections. These same critical points are also there so advertisers or ad networks can feed JavaScript code that fingerprints and tracks users." The real culprit is the ability to send JavaScript code at runtime, and not if the ad is a Flash object, an image or a block of HTML(5) code.
There was once a time where Javascript vulnerabilities far exceeded Flash - it's just that Adobe's given up while other browser vendors have tried like hell to improve their DOM/Javascript engines, so it became simpler to target Flash. As Flash dies off, exploiters will move back to focussing on Javascript.
At least it was easy to simply disable Flash except on click.
Javascript is disabled by default.
Why can't we just do GIF ads and leave it at that? No javascript kind.
...but we are better without it :)
...VAST and VAPID are the rules of the game....
There, FTFY.
-- You are in a maze of little, twisty passages, all different... --
When people bitched and moaned about ordinary banner ads and started blocking them, advertisers started making ads more intrusive. We could still have simple animated GIF ads except that you freeloaders started blocking them to begin with. Those ads were harmless but, thanks to all of you who had to go and block those ads, we're now stuck with malware and far more intrusive advertising. Thanks a lot for ruining the internet for everyone.
B.S.
http://abcnews.go.com/Business...
http://www.foxnews.com/story/2...
X10 Pop Under ads ring a bell ?
And what do you know the fist example of Malvertising is Flash
https://en.wikipedia.org/wiki/...
With HTML5 ads, the attack surface is the browser. With Flash, the attack surface is the browser plus the Flash plugin.
Use them. There is literally no reason not to.
Time and again we have seen that ads are used to inject malware.
Why even take the risk?
I'd rather fuck a stranger without a condom than browse without noscript and adblock.
A bad ad network is a bad ad network, whether they're sending out flash units, html5 units, or putting up billboards on a highway overpass. A middleman injecting malware doesn't care what the underlying tech is, they care about if the network vets their shit on delivery.
Nobody with a brain thought HTML5 was 'more secure' than Flash in of itself.
If anyone is to blame, I think it would be Mozilla for making Firefox irrelevant by trying to imitate Chrome, even when Firefox's users said very emphatically that they didn't want that.
Firefox used to have over 30% of the market. Now the latest market share stats show that Firefox is down to maybe 7% across all versions on the desktop, with essentially no mobile presence at all.
When Firefox had 30% of the market, it was a force to be reckoned with! It held real sway over how the web developed. But then it's like the Firefox developers decided to throw it all away, for no good reason at all. I think that they trashed Firefox's UI, they added unwanted crap like Pocket and Hello. They even embedded ads into Firefox! Now Firefox is down to just 7% of the market, and this number is dropping. Nobody cares about a browser with only 7% of the market.
And don't waste your time trying to blame Firefox's decline in market share on Google advertising Chrome, or mobile becoming more widely used than desktop browsers (which isn't actually the case), or any other bullshit excuse like that. It was the numerous unwanted changes that Firefox's developers made that drove a large mass of Firefox users away.
Firefox users were faced with a really bad set of choices: either they could use Firefox and get a slow, bloated Chrome-like experience, or they could use Chrome and at least get a fast, lightweight experience. So they did the only sensible thing and used Chrome, even if they hated it. At least it wasn't as bad as the alternatives!
I think that the web would have been very different if Firefox had been developed sensibly, instead of what actually happened to it. Chrome would probably be much less used, and we'd see a more open and less commercialized web. Mozilla could have turned Firefox into a champion of privacy and an ad-free web. Instead all we ended up with was a shitty imitation of Chrome that has no influence at all on the web.
They didn't block 'ordinary banner ads', they blocked pop-ups. Your troll-fu is weak.
"I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)
Who among us in the inter-webs or you-tubes (yeah.. slang) ... you know who you are.. thinks that there is any vector, avenue or north-star-ip-address that the abomination called advertising/malvertising/malware/state-sponsored attacks cares about our own personal computer security? No new protocol/process/add-in or anything ratified by the IETF isn't immediately subjected to the violent will of those people/agencies/acting-countries that don't care about you but only care about the end-result being their profits?
Don't get me wrong... Adobe Flash is the bane of my IT role but it was just another in a long series of attack profiles that I have to defend against. The list won't end.. the patches won't end because the actors that can profit from an exploit are like prisoners in a prison. They have time.. lots of time...
Peace out.
They are arguing that they will still be relevant, when the vast majority of their usefulness evaporates.
(If at first you don't succeed, do it different next time!)
When banner ads were a thing many people were still on dial-up. They WERE intrusive, at the time. Attempt to troll harder.
Derp. The "real" problem with Flash is its use as a vector for installing malware via buffer overflow (usually) attacks. Those are distributed via ad networks.
Javascript injection is a separate issue, and there are other Flash privacy concerns, but that's not why people are screaming from the hills that Flash must be exterminated.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Not that long ago, firefox allowed the user to tick a box and disable javascript, which protects the user from almost all exploits. Very easy to use.
Then the mozilla people decided this was a bad idea and removed the option entirely.
You now have to download, trust & configure a third-party plugin to block javascript.
Maybe they will rethink their decision.
It's the fucking feeble ass OS that doesn't isolate these processes! How is this even possible??! After all these years and I can still lock up my entire system (Slackware, no less!) with a damn media player! Fuck! And the boot up times, and multi-gigabyte software drivers? This is positively moronic. It's a trip back to the 50s, waiting for the machine to warm up.
Java and javascript have nothing to do with one another, and this has nothing at all to do with java.
Nothing says "biased towards Adobe products" more than that.
How did Slashdot get sucked into accepting this Softpedia click-bait crap? The Softpedia only references a single report as being "experts." It is bad enough that they have a single source for the article, it is even worse that the single source's report contradict their claims.
GeoEdge report:
"Security: Flash vulnerabilities allow for malicious software to install on a user’s computer silently.
Currently, HTML5 has no vulnerability that would allow malicious software to install on a user’s computer silently. HTML5 alerts the user whenever an install
attempt is made."
"... in terms of security, HTML5 is the more secure option."
In terms of the "myth" that just eliminating Flash could fix malvertising, I doubt anyone really believe this. Clearly malvertising will continue to mature to target new vulnerability vectors whenever possible. The real issue is Adobe has a history of being unresponsive while browser related security issues get addressed much more quickly.
is that Adobe doesn't put enough $$$ behind security. It's not any easier for Google/Mozilla/Microsoft to do this but Google/Mozilla are open source and Microsoft has deep pockets and juicy gov't & corporate contracts as the incentive to spend money on security.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Duh
Seriously? The moment you mention JS it is STILL the malvertising that is the issue.
And yes, flash is just another vector, albeit once the MAIN one now just a distant one for most.
Advertising operates on the business model which works by reducing everything to zero. That is, zero ethics implied.
I'm not that impressed with this company's knowledge of security compared to people who actually know what they are talking about.
... Advertising industry, who are the only people who have both the power and the self-interest to squash malvertising, but they won't.
GeoEdge is in the business of providing technical solutions to social problems. This rarely works, especially since malvertising of all sorts is so damn _profitable_. HTML5 is just another vector.
Trying to solve the social problem, say by hiring some out-of-work South American hit squads to take out the worst actors, probably won't work, because they will be quickly replaced.
No, find the loudest and most visible heads of the "legitimate" Ad Agencies, and make an example out of them, in public. Tar and feathers are a good start. Put a few lamp posts to good use while we're at it.
Note that as long as wasted bandwidth and pay-per-Gigabyte are so profitable, don't expect the ISPs and Utilities to be of much help, so go after those bastards as well.
Enlightened Self Interest just might encourage the Advertisers to clean up their worst actors, before the Internet Advertising business, which is only a couple of decades old, gets to be too big to fail,, and Governments step in.
How many technologies have died in large part due to security issues? VB and VB Scripting, ActiveX, Silverlight, Flash, Java, Browser plugins: the list goes on.
So when is JavaScript going to be tossed?
It's frustrating for so many client end technologies to be tossed partly due to the security issues they brought.
In a way, I actually miss the days when most applications were written using VB or MFC style interfaces, and GUI widgets were being developed and released by the hundreds.
And the reason these exploits happen? jQuery and .exec()
And good ol' document.write/document.writeln
There needs to be a way, either from the browser end or from the HTML writers end to say "don't trust code loaded in this script block" where exec(), document.write, innerHTML and various other javascript hacks like s+cript inside document.write to prevent chaining scripts in the first place.
I had no idea the advertisers were so willing to so accurately describe their efforts. It's such a delightful misread that I'm starting to wonder if they were created with intent.
You should turn signatures off.
I don't believe the absurdity of this article, and this research paper! It's claims read as if contrived and there are no references to support them. Moreover GeoEdge then offers their own product as a solution to these claims.
Truth is you are not safe from malicious advertising regardless the vector, flash, Javascript or plain text email.
A. You can't rebuild the browser as it is because HTML5 supports DRM now and the source code is not available.
B. Rebuilding the browser is the dumbest possible thing to do, get a HTML5 video blocking plug-in for your browser.
Turn in your geek card.
Come on /. This is a shitty headline for a bullshit story. WHAT EXPERTS?! Certainly not security ones.
Sometimes I don't even know why I bother to check /. anymore with rubbish like this.
What happened to you? You used to be cool (and had a clue).
Time for an ad-intrusion rating system, somewhat like movie ratings. A site and/or ads that want to be rated would pay to be audited and rated. Browsers would have to option of skipping sites with poor ratings and/or shutting off images, JS, etc.
Because sites would risk losing traffic if they have poorly-rated ads, they'd have an incentive to pay for being rated and monitored.
It would probably take a mutual agreement among at least a few big tech companies to get enough momentum to take hold.
Table-ized A.I.
Why would anyone with even a modicum of technical sophistication allow random JavaScript from domains they don't trust to run in their browser? It's crazy not to use plugins like NoScript and Request Policy to control what is allowed to run in the browser. Combine with AdBlock Plus for better results.
Fuck you, troll.
As long as my uBlock Origin is keeping that unwanted garbage off of my screen, I honestly don't care what format or delivery mechanism failed to pollute my browsing experience.
We could still have simple animated GIF ads except that you freeloaders started blocking them to begin with. Those ads were harmless.
If there's one thing I always hated, was this rapidly blinking animated GIF ads. I blocked them not because of being a free-loader, but because harmed me. Not literally, but many were so obnoxious that I would feel infuriated by the experience. If that's what they put me through... they can go screw themselves.
Can adblock+ do 16 things hosts do 4 speed, security & reliability:
1.) Protect vs. malicious sites (past ads)
2.) Protect vs. fastflux botnet C&C servers
3.) Protect vs. dynamic dns botnet C&C servers
4.) Protect vs. DGA botnet C&C servers
5.) Protect vs. downed DNS (reliability)
6.) Protect vs. DNS redirect poisoned/downed dns
7.) Protect vs. trackers
8.) Protect vs. spam payloads
9.) Protect vs. phish payloads
10.) Protect vs. caps
11.) Get past dns blocks
12.) Keep off dns request logs
13.) Speed up 2 ways (adblocks & hardcodes)
14.) Work on anything webbound multiplatform.
15.) Ez data edit
16.) Block ads more efficiently in cpu/ram/I-O us
* ANSWER ="NO" on ab+ or @ ALL
APK
P.S.=> Ab+ does less vs. hosts less efficiently (a 128-151mb memory hog http://cdn.ghacks.net/wp-conte...) - ClarityRay defeats it Ab+'s bribed not to work by default http://www.businessinsider.com... AdBlock's SLOWER: http://superuser.com/questions...
Using your logic, TV ads are where they are today because millions of us walk out of the room when they're on, fucking moron.
use an ad-blocker.
Keep insulting him, that will change the game theory.
This article is pure, unadulterated bullshit. Probably the only truly honest thing in there is their admission that they have services available. It is not a "study" in any reputable sense of the word, and Softpedia is basically lying to you by calling it that. Softpedia is also very blatantly conflating vulnerabilities with mere attack vectors.
Let me highlight for you the most glaring example of "using a lot of words to lie" that are in the "study" they're linking to... Starting right in the middle of page two they try to compare and contrast a malvertising attack that uses flash as a vector and one that uses HTML5. Unfortunately for them, their HTML5 example is not only fairly nebulous but they cite a redirection to the Angler Exploit kit as if this really meant anything more than an attempt at compromise. One might then ask... what mechanisms does the Angler Exploit Kit use to compromise the system running the browser? Well... That's primarily exploiting vulnerabilities in Flash. This sort of logical shortcoming means one of two things... Either the author is too ignorant to speak authoritatively on the matter or they're just lying. Take your pick.
get back on your fucking meds.
"APK's days are numbered." - Whipslash, many months ago. Then what happened?
Either write like an almost normal person or STFU, APK. I'm sick of having to waste extra brain cycles parsing though your unnecessarily arcane (and how long does it take you to format that?) crap to find out it's just your latest regurgitation of the same old obsessions.
I'm glad you (at least think) you know what your'e talking about.
But this fucking act is REALY BORING now.
Yours,
Been In the HW/SW Industry Since 1969, posting AC because if my industry knew what I thought I'd never get hired again.
The Goatse and Rickroll fads relied on social engineering a user to visit an unintended site. If "not visiting the site(s)" were practical for a non-technical user to accomplish, then those fads would never have happened.
what about noscript? https://noscript.net/
umatrix? https://github.com/gorhill/uMa...
See subject: If you can't determine meanings of words in the context in which they're used in sentences you have the problem.
APK
P.S.=> I don't give a hoot how LONG you've been in software ALLEGEDLY - if you can't read you're no damn good (except in YOUR OWN MIND) & I don't see any software from "anonymous coward" that doesn't identify himself... apk
APK Hosts File Engine 9.0++ SR-4 32/64-bit http://www.bing.com/search?q=%...
Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus (slows you) + less security issues/complexity. Compliments firewalls (w/ layered drivers blocking less used IP addys vs. hosts blocking more used domains) & DNS (lightens dns load). Gets data via 10 security sites.
Ads rob bandwidth/speed, security (malvertising), privacy (tracking) + anonymity.
Hosts add speed (hardcodes/adblocks), security (bad sites/poisoned dns), reliability (dns down), & anonymity (dns requestlogs/trackers) natively. Hosts != ClarityRay blockable (vs. souled-out to admen inferior wasteful redundant slow usermode addons)
Works vs. caps & HTTP PUSH ads w/ firewalls.
Avg. webpage = big as Doom http://www.theregister.co.uk/2... & ads = 40% of the size.
APK
P.S. - Safe https://www.virustotal.com/en/... (Verified by Malwarebytes' S. Burn "I've seen the code & it's safe" http://forum.hosts-file.net/vi... )
UBlock can't do these as well as (or @ all) hosts do 4 speed, security, & reliability:
1.) Protect vs. bad sites (past ads)
2.) Protect vs. fastflux botnet C&C's
3.) Protect vs. dyndns botnet C&C's
4.) Protect vs. DGA botnet C&C's
5.) Protect vs. downed DNS (reliability)
6.) Protect vs. DNS poisoned dns
7.) Protect vs. trackers
8.) Protect vs. spam payloads
9.) Protect vs. phish payloads
10.) Protect vs. caps
11.) Get past dns blocks
12.) Keep off dns request logs
13.) Speed up 2 ways (adblocks/hardcodes)
14.) Work on anything webbound multiplatform.
15.) Ez data edit
16.) Block ads more efficiently in cpu/ram/I-O use
17.) UBlock now uses hosts (no DNS benefits vs. dns issues) - poor imitation = "sincerest form of flattery"
Hosts = native vs. illogically "Bolting on 'MoAr'" & not ClarityRay blockable like addons.
APK
P.S.=> Hosts (1st resolver) do MORE w/ less in fast kernelmode & before slow usermode addons
Hosts ~3mb vs. UBlock = 64MB -> http://cdn.ghacks.net/wp-conte...
APK Hosts File Engine 9.0++ SR-4 32/64-bit http://www.bing.com/search?q=%...
Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus (slows you) + less security issues/complexity. Compliments firewalls (w/ layered drivers blocking less used IP addys vs. hosts blocking more used domains) & DNS (lightens dns load). Gets data via 10 security sites.
Ads rob bandwidth/speed, security (malvertising), privacy (tracking) + anonymity.
Hosts add speed (hardcodes/adblocks), security (bad sites/poisoned dns), reliability (dns down), & anonymity (dns requestlogs/trackers) natively. Hosts != ClarityRay blockable (vs. souled-out to admen inferior wasteful redundant slow usermode addons)
Works vs. caps & HTTP PUSH ads w/ firewalls.
Avg. webpage = big as Doom http://www.theregister.co.uk/2... & ads = 40% of the size.
APK
P.S. - Safe https://www.virustotal.com/en/... (Verified by Malwarebytes' S. Burn "I've seen the code & it's safe" http://forum.hosts-file.net/vi... )
Flash ads were not replaced by HTML5 ads because of security concerns ...
Yep, I remember those annoying blinking ads, scrolling status bar messages, sparkling cursors, dancing 7up dots...
Remember Flash-only sites? "To view this site, download Flash player." How about NO?
"Skip Intro"... remember THAT?