HTML5 Ads Aren't That Safe Compared To Flash, Experts Say (softpedia.com)
An anonymous reader writes: [Softpedia reports:] "A study from GeoEdge (PDF), an ad scanning vendor, reveals that Flash has been wrongly accused as the root cause of today's malvertising campaigns, but in reality, switching to HTML5 ads won't safeguard users from attacks because the vulnerabilities are in the ad platforms and advertising standards themselves. The company argues that for video ads, the primary root of malvertising is the VAST and VPAID advertising standards. VAST and VPAID are the rules of the game when it comes to online video advertising, defining the road an ad needs to take from the ad's creator to the user's browser. Even if the ad is Flash or HTML5, there are critical points in this ad delivery path where ad creators can alter the ad via JavaScript injections. These same critical points are also there so advertisers or ad networks can feed JavaScript code that fingerprints and tracks users." The real culprit is the ability to send JavaScript code at runtime, and not if the ad is a Flash object, an image or a block of HTML(5) code.
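The VAST/VPAID delivery path described above, as an added example that is not from the GeoEdge study or the Softpedia article: a small Python check over a constructed VAST 3.0 response that separates MediaFile entries which execute code in the player (apiFramework="VPAID" or a JavaScript/Flash MIME type) from plain media files, and lists the wrapper redirect hops an ad takes before reaching the browser. The ad document, its URLs and the MIME-type list are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample VAST 3.0 response (not a real ad tag): one wrapper hop,
# one static MP4 media file and one VPAID JavaScript media file.
SAMPLE_VAST = """<VAST version="3.0">
  <Ad id="wrap1">
    <Wrapper>
      <VASTAdTagURI><![CDATA[https://adserver.example/next-hop.xml]]></VASTAdTagURI>
    </Wrapper>
  </Ad>
  <Ad id="inline1">
    <InLine>
      <Creatives>
        <Creative>
          <Linear>
            <MediaFiles>
              <MediaFile delivery="progressive" type="video/mp4" width="640" height="360">
                <![CDATA[https://cdn.example/spot.mp4]]>
              </MediaFile>
              <MediaFile delivery="progressive" type="application/javascript"
                         apiFramework="VPAID" width="640" height="360">
                <![CDATA[https://cdn.example/vpaid-unit.js]]>
              </MediaFile>
            </MediaFiles>
          </Linear>
        </Creative>
      </Creatives>
    </InLine>
  </Ad>
</VAST>"""

# MIME types that mean the "media file" is really code run by the player
# (assumed list for this example).
EXECUTABLE_TYPES = {"application/javascript", "application/x-javascript",
                    "text/javascript", "application/x-shockwave-flash"}

def classify_vast(xml_text):
    """Return (executable, static, wrappers): MediaFile URLs that run code in
    the player, plain media URLs, and wrapper redirect (VASTAdTagURI) URLs."""
    root = ET.fromstring(xml_text)
    executable, static, wrappers = [], [], []
    for uri in root.iter("VASTAdTagURI"):
        wrappers.append((uri.text or "").strip())
    for mf in root.iter("MediaFile"):
        url = (mf.text or "").strip()
        mime = mf.get("type", "").lower()
        if mf.get("apiFramework", "").upper() == "VPAID" or mime in EXECUTABLE_TYPES:
            executable.append(url)
        else:
            static.append(url)
    return executable, static, wrappers

if __name__ == "__main__":
    ex, st, wr = classify_vast(SAMPLE_VAST)
    print("executable:", ex, "static:", st, "wrapper hops:", wr)
```

A scanner would apply the same split to every hop returned by the wrapper URLs, since each redirect is another point where a different party supplies the creative.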
With HTML5 ads, the attack surface is the browser. With Flash, the attack surface is the browser plus the Flash plugin.
A bad ad network is a bad ad network, whether they're sending out Flash units, HTML5 units, or putting up billboards on a highway overpass. A middleman injecting malware doesn't care what the underlying tech is; they care about whether the network vets their shit on delivery.
Nobody with a brain thought HTML5 was 'more secure' than Flash in and of itself.
Well, let's see about that... you replaced one format that was 1.- Allowed to be installed anywhere, 2.- Was owned by a company that had no problem not only allowing it to be bundled with anything but ALSO allowed for FOSS alternatives, and 3.- Not only did video but animation and gaming.
What did you get in return? A format that 1.- Had mandatory DRM baked in, 2.- Requires a codec that is not only owned by one of the biggest patent trolls around but is openly hostile to FOSS, 3.- MPEG-LA has made it clear they will sue FOSS companies, which is why all work on supporting that format has to be done outside Berne Convention countries. Oh, and 4.- Doesn't support half the features of the supposedly "inferior" format it's replacing, because certain corps don't want any competition with their walled-garden app stores.
Yeah, you are better off... if you are Google, Apple, or MSFT... everybody else? Not so much.
ACs, don't waste your time replying; your posts are never seen by me.