Slashdot Mirror

← Back to Stories (view on slashdot.org)

HTML5 Ads Aren't That Safe Compared To Flash, Experts Say (softpedia.com)

Posted by BeauHD on from the contrary-to-popular-belief dept.

An anonymous reader writes: [Softpedia reports:] "A study from GeoEdge (PDF), an ad scanning vendor, reveals that Flash has been wrongly accused as the root cause of today's malvertising campaigns, but in reality, switching to HTML5 ads won't safeguard users from attacks because the vulnerabilities are in the ad platforms and advertising standards themselves. The company argues that for video ads, the primary root of malvertising is the VAST and VPAID advertising standards. VAST and VPAID are the rules of the game when it comes to online video advertising, defining the road an ad needs to take from the ad's creator to the user's browser. Even if the ad is Flash or HTML5, there are critical points in this ad delivery path where ad creators can alter the ad via JavaScript injections. These same critical points are also there so advertisers or ad networks can feed JavaScript code that fingerprints and tracks users." The real culprit is the ability to send JavaScript code at runtime, and not if the ad is a Flash object, an image or a block of HTML(5) code.

53 of 108 comments (clear)

  1. yeah...yeah.. flash was safe... by martiniturbide · · Score: 1

    ...but we are better without it :)

    1. Re:yeah...yeah.. flash was safe... by hairyfeet · · Score: 2, Insightful

      Well lets see about that...you replaced one format that was 1.- Allowed to be installed anywhere, 2.- Was owned by a company that had no problem not only allowing it to be bundled with anything but ALSO allowed for FOSS alternatives, and 3.- Not only did video but animation and gaming.

      What did you get in return? A format that 1.- Had mandatory DRM baked in, 2.- Requires a codec that is not only owned by one of the biggest patent trolls around but is openly hostile to FOSS, 3.- MPEG-LA has made it clear they will sue FOSS companies which is why all work on supporting that format has to be done outside Berne convention countries. Oh and 4.- Doesn't support half the features of the supposedly "inferior" format its replacing, because certain corps don't want any competition with their walled garden appstores.

      Yeah you are better off...if you are Google, Apple, or MSFT...everybody else? Not so much.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    2. Re:yeah...yeah.. flash was safe... by tepples · · Score: 2

      Assuming that you're referring to replacement of SWF wtih HTML5:

      you replaced one format that [...] Was owned by a company that had no problem not only allowing it to be bundled with anything but ALSO allowed for FOSS alternatives

      Initially, Adobe's SWF spec was licensed under terms that specifically forbade its use to create third-party players. Adobe didn't drop that provision until the Open Screen Project in the second quarter of 2008.

      [Flash does] Not only did video but animation and gaming.

      HTML5 also does gaming. See Cookie Clicker and Pirates Love Daisies, for example.

      [HTML5 video] Had mandatory DRM baked in

      It's not mandatory. A web browser publisher can just choose not to support Netflix and Amazon video.

      [HTML5 video] Requires a codec that is not only owned by one of the biggest patent trolls around but is openly hostile to FOSS

      Where does the HTML5 spec require use of MPEG-4 codecs? Last time I checked, WebM (Matroska container, VP8 or VP9 video codec, and Vorbis or Opus audio codec) was also acceptable, and only pack-in browsers on proprietary operating systems (IE and Safari) fail to support WebM out of the box. Even Microsoft Edge will get WebM support come Windows 10 Anniversary Update. Besides, SWF also used H.263 and H.264.

      MPEG-LA has made it clear they will sue FOSS companies which is why all work on supporting that format has to be done outside Berne convention countries

      MPEG-LA licenses patents, not copyrights. The Berne Convention refers to copyrights, not patents. It looks like you've been bitten by the false equivalence of intellectual property.

      Doesn't support half the features of the supposedly "inferior" format its replacing

      Could you list some SWF features that aren't supported in HTML5 and can't easily be polyfilled? Because if there were, it wouldn't be possible to build Shumway, a polyfill for SWF itself.

  2. Re:you brought this on yourselves by Crashmarik · · Score: 4, Informative

    When people bitched and moaned about ordinary banner ads and started blocking them, advertisers started making ads more intrusive. We could still have simple animated GIF ads except that you freeloaders started blocking them to begin with. Those ads were harmless but, thanks to all of you who had to go and block those ads, we're now stuck with malware and far more intrusive advertising. Thanks a lot for ruining the internet for everyone.

    B.S.

    http://abcnews.go.com/Business...
    http://www.foxnews.com/story/2...

    X10 Pop Under ads ring a bell ?
    And what do you know the fist example of Malvertising is Flash
    https://en.wikipedia.org/wiki/...

  3. HTML is still better than Flash by Anonymous Coward · · Score: 4, Insightful

    With HTML5 ads, the attack surface is the browser. With Flash, the attack surface is the browser plus the Flash plugin.

    1. Re:HTML is still better than Flash by Anonymous Coward · · Score: 3, Informative

      But I can just not install flash. What's the best way to get rid of html5 video?

    2. Re: HTML is still better than Flash by Short+Circuit · · Score: 5, Informative

      You could build the browser without video support. Actually trivial to do on Gentoo...

      Gentoo. Not just for ricers.

      --
      tasks(723) drafts(105) languages(484) examples(29106)
    3. Re:HTML is still better than Flash by tlhIngan · · Score: 1

      Not to memtion, if there's bad javascript from a domain, block it! Your web browser doesn't HAVE to run every piece of javascript out there - NoScript and the like prove that.

      So the ad networks javascript is never run, period. Even better, it can be substituted/

      Flash ads? They run any damn thing from anywhere, bypassing any restrictions your browser may impose. That's why the only good option is to block the entire thing.

      Eventually, they'll learn to not use javascript for ads, and to serve it up directly. Seems like a better world already.

      End result, user is in control. It's just like HTML video. Back when it was flash video, and they autoplayed, you got annoyed and installed ClickToFlash because you didn't want to run the crap automatically. Browsers with HTML5 video now have options to disable autoplay automatically. That's a lovely thing - people abuse something, and the feature gets disabled under the user's control. Heck, it's nice that the videos can preload in the background without autoplaying.

    4. Re:HTML is still better than Flash by Anonymous Coward · · Score: 1

      With flash the attack surface was the html renderer ,the javascript VM with limited features needed to run most sites and flash. The last could be disabled without issue.

      With html 5 the attack surface is the html renderer , the javascript VM and every API added to it in order to replace flash. The last cannot be disabled without breaking most websites.

      So at least for me the attack surface grew enormously.

    5. Re:HTML is still better than Flash by Anonymous Coward · · Score: 2, Insightful

      Except that all the added features of HTML5 have expanded the attack surface of the browser. HTML5 is essentially just Flash that's harder to block, which you cannot uninstall, and which can run its JavaScript within the same context as the rest of the page. I see no progress.

    6. Re:HTML is still better than Flash by nmb3000 · · Score: 1

      But I can just not install flash. What's the best way to get rid of html5 video?

      A reasonable approach is an ad-blocker to outright block the most obvious and egregious crap, and enabling Click to Play on the rest.

      In Firefox you can set media.autoplay.enabled to false, which will disable auto-playing videos. Some sites (including YouTube) act a little wonky and require two or three clicks (the first is interpreted as "Pause" since it assumes the video is already playing). Even with this I've found it to be a lot nicer with fewer auto-play videos, especially on news websites which seem to think they need an auto-play video to go with every 10-sentence article.

      --
      "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
      /)
    7. Re:HTML is still better than Flash by antdude · · Score: 1

      And that is why I still prefer to use Flash for its videos so I can block them. How are we supposed to block HTML5 videos like plugin blockers? :(

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    8. Re:HTML is still better than Flash by knorthern+knight · · Score: 1

      > In Firefox you can set media.autoplay.enabled to false, which will disable auto-playing videos.

      I use Pale Moon, a Firefox fork. I find that I need to set 2 values

      media.autoplay.allowscripted false
      media.autoplay.enabled false

      The first one stops scripted HTML5 videos. This allows me to run with Javascript on, but still no HTML5 autoplaying ads.

      > Some sites (including YouTube) act a little wonky and require two or three clicks
      > (the first is interpreted as "Pause" since it assumes the video is already playing).

      I get that behaviour too.

      --

      I'm not repeating myself
      I'm an X window user; I'm an ex-Windows user
    9. Re:HTML is still better than Flash by allo · · Score: 1

      disable media autoplay in about:config.

  4. Re: Why can't we... by NotInHere · · Score: 2

    Its possible to block js based ads as well, and blocking works really well, just look at the ad blocking extensions.

    No, the actual reason for js was that it allows the advertisers to run their own analytics on the users. They can find out what site they browse, etc.

  5. Ad blockers by Anonymous Coward · · Score: 3, Informative

    Use them. There is literally no reason not to.
    Time and again we have seen that ads are used to inject malware.
    Why even take the risk?
    I'd rather fuck a stranger without a condom than browse without noscript and adblock.

  6. It's never been about the specific tech by FireballX301 · · Score: 4, Insightful

    A bad ad network is a bad ad network, whether they're sending out flash units, html5 units, or putting up billboards on a highway overpass. A middleman injecting malware doesn't care what the underlying tech is, they care about if the network vets their shit on delivery.

    Nobody with a brain thought HTML5 was 'more secure' than Flash in of itself.

    1. Re:It's never been about the specific tech by Anonymous Coward · · Score: 1

      Going to get modded down but regarding HTML5 they did and do. Flash is the boogieman everyone can hate, underneath though they have been using other methods for a while though. Ads in fonts, embedded metrics in URLs, etc.

      Google randomly uses DNS as their backend by making encoding data in hostnames. They dont' have to resolve to anything the fact that you tried is enough and they are under google.com not googlesyndication. We have a name for it - command and control. It isn't new nor did Google create the idea.

    2. Re:It's never been about the specific tech by brewthatistrue · · Score: 1

      Sure, but Google Chrome allows you to disable Javascript and force click-to-play for flash.

      Last I checked, there is no such thing as "click to play" for HTML5 in Google Chrome.

      http://arstechnica.com/informa...

      I would say it's an oversight, except Google is an advertising company.

  7. Wouldn't be an issue if Firefox was relevant. by Anonymous Coward · · Score: 2, Interesting

    If anyone is to blame, I think it would be Mozilla for making Firefox irrelevant by trying to imitate Chrome, even when Firefox's users said very emphatically that they didn't want that.

    Firefox used to have over 30% of the market. Now the latest market share stats show that Firefox is down to maybe 7% across all versions on the desktop, with essentially no mobile presence at all.

    When Firefox had 30% of the market, it was a force to be reckoned with! It held real sway over how the web developed. But then it's like the Firefox developers decided to throw it all away, for no good reason at all. I think that they trashed Firefox's UI, they added unwanted crap like Pocket and Hello. They even embedded ads into Firefox! Now Firefox is down to just 7% of the market, and this number is dropping. Nobody cares about a browser with only 7% of the market.

    And don't waste your time trying to blame Firefox's decline in market share on Google advertising Chrome, or mobile becoming more widely used than desktop browsers (which isn't actually the case), or any other bullshit excuse like that. It was the numerous unwanted changes that Firefox's developers made that drove a large mass of Firefox users away.

    Firefox users were faced with a really bad set of choices: either they could use Firefox and get a slow, bloated Chrome-like experience, or they could use Chrome and at least get a fast, lightweight experience. So they did the only sensible thing and used Chrome, even if they hated it. At least it wasn't as bad as the alternatives!

    I think that the web would have been very different if Firefox had been developed sensibly, instead of what actually happened to it. Chrome would probably be much less used, and we'd see a more open and less commercialized web. Mozilla could have turned Firefox into a champion of privacy and an ad-free web. Instead all we ended up with was a shitty imitation of Chrome that has no influence at all on the web.

    1. Re:Wouldn't be an issue if Firefox was relevant. by Luthair · · Score: 1

      The current Firefox UI is great and significantly better than it was prior to Chrome, though I'd rather they didn't include things like Pocket.

      Firefox's market share fell because Chrome generally makes sense for people who aren't interested in technology. With automatic updating and bundling flash & pdf reader the biggest attack vectors were mitigated.

    2. Re:Wouldn't be an issue if Firefox was relevant. by clubby · · Score: 1

      The current Firefox UI is intolerable to me. So is the current OS X Safari version (I want my goddamn title bar back!) The only browser I can stomach right now is Vivaldi.

    3. Re:Wouldn't be an issue if Firefox was relevant. by beastofburdon · · Score: 1

      Dude, just hit alt. It brings up the same menu you are used to.

    4. Re:Wouldn't be an issue if Firefox was relevant. by clubby · · Score: 1

      I mostly use Mac OS, so "alt" is called "option" and I don't have to touch it to see the menu bar, because that's just how Macs are. This isn't about the hamburger menu.

    5. Re:Wouldn't be an issue if Firefox was relevant. by beastofburdon · · Score: 1

      Fair enough, Vivaldi is getting pretty good too. I need to give it another look soon. It wasn't quite good enough to become my main borwser the last time I checked.

  8. Re:you brought this on yourselves by MobileTatsu-NJG · · Score: 1

    They didn't block 'ordinary banner ads', they blocked pop-ups. Your troll-fu is weak.

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  9. Re: Why can't we... by fustakrakich · · Score: 1

    Eh, no biggie, just block javascript and flash... and HTML

    --
    “He’s not deformed, he’s just drunk!”
  10. Who assumes any advertisement is "safe" by Anonymous Coward · · Score: 1

    Who among us in the inter-webs or you-tubes (yeah.. slang) ... you know who you are.. thinks that there is any vector, avenue or north-star-ip-address that the abomination called advertising/malvertising/malware/state-sponsored attacks cares about our own personal computer security? No new protocol/process/add-in or anything ratified by the IETF isn't immediately subjected to the violent will of those people/agencies/acting-countries that don't care about you but only care about the end-result being their profits?

    Don't get me wrong... Adobe Flash is the bane of my IT role but it was just another in a long series of attack profiles that I have to defend against. The list won't end.. the patches won't end because the actors that can profit from an exploit are like prisoners in a prison. They have time.. lots of time...

    Peace out.

  11. This is a friggen advertisment for GeoEdge by Timmy+D+Programmer · · Score: 1

    They are arguing that they will still be relevant, when the vast majority of their usefulness evaporates.

    --


    (If at first you don't succeed, do it different next time!)
  12. "The real culprit" by bill_mcgonigle · · Score: 1

    The real culprit is the ability to send JavaScript code at runtime

    Derp. The "real" problem with Flash is its use as a vector for installing malware via buffer overflow (usually) attacks. Those are distributed via ad networks.

    Javascript injection is a separate issue, and there are other Flash privacy concerns, but that's not why people are screaming from the hills that Flash must be exterminated.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  13. Re:And firefox sucks by NotInHere · · Score: 2

    You now have to download, trust & configure a third-party plugin to block javascript.

    No, no plugin needed at all. You just need to:

    1. go to about:config (read more about about:config here: http://kb.mozillazine.org/Abou...)
    2. toggle the option javascript.enabled to false

    And no, disabling javascript does not miraculously protect the user from almost all exploits. Some time ago, firefox has used a fonts library. Simply loading a font then could infect you. They've changed it since.

  14. The point of killing flash by rsilvergun · · Score: 2

    is that Adobe doesn't put enough $$$ behind security. It's not any easier for Google/Mozilla/Microsoft to do this but Google/Mozilla are open source and Microsoft has deep pockets and juicy gov't & corporate contracts as the incentive to spend money on security.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  15. Should Javascript be next by CaroKann · · Score: 2

    How many technologies have died in large part due to security issues? VB and VB Scripting, ActiveX, Silverlight, Flash, Java, Browser plugins: the list goes on.
    So when is JavaScript going to be tossed?
    It's frustrating for so many client end technologies to be tossed partly due to the security issues they brought.
    In a way, I actually miss the days when most applications were written using VB or MFC style interfaces, and GUI widgets were being developed and released by the hundreds.

    1. Re:Should Javascript be next by Aighearach · · Score: 1

      VB is still a very common language, users just don't have any way of knowing what language was used because it still gets packaged as an .exe and they don't plaster VB onto the installer anywhere.

      Same is true of Java. Lots of things are still Java. Few people will reject software at the installer stage just because it asks to install Java, and once it is installed, new Java programs don't give you any hint about it.

      Flash isn't trendy, but I don't think usage as a serious tool has gone down; casual and malware usage is moving, obviously.

      ActiveX is very popular for enterprise intranet applications.

    2. Re:Should Javascript be next by Tablizer · · Score: 1

      I suspect the poster meant client-side variations of VB. MS wanted VB-script in browsers to compete with client-side JavaScript.

      The plan failed and VB-script is mostly dead on the client-side, but indeed is still common server-side, in desktop apps (as VBA), and for OS scripting.

      --
      Table-ized A.I.
    3. Re:Should Javascript be next by allo · · Score: 1

      JS will be tossed at the day, that the government closes facebook.

  16. Re: Why can't we... by AchilleTalon · · Score: 2

    Are you shitting us? The advertisers would have never stick to gif and animated gif for their ads campaign. They want to know about you and everybody. The more they know, the higher they can charge for an advertisement campaign to their customers. They would have used any eye candy possible to get people's attention. So, that is completely false to say they would have stick to animated gif. They are basically blood suckers with a budget.

    These f... morons should be threaten without pitty until they discipline themselves. The website owners don't like ad blockers and javascript blockers, however they are asking people to let these morons to penetrate our computers without any regrets. They can all go to hell if you ask me.

    --
    Achille Talon
    Hop!
  17. VAST & VAPID by Scorch_Mechanic · · Score: 1

    I had no idea the advertisers were so willing to so accurately describe their efforts. It's such a delightful misread that I'm starting to wonder if they were created with intent.

    --
    You should turn signatures off.
  18. FUD by pinkushun · · Score: 1

    I don't believe the absurdity of this article, and this research paper! It's claims read as if contrived and there are no references to support them. Moreover GeoEdge then offers their own product as a solution to these claims.

    Truth is you are not safe from malicious advertising regardless the vector, flash, Javascript or plain text email.

  19. Re:Why can't we... by Yvan256 · · Score: 2

    If something is moving on the page, it prevents me from reading. Why can't we just do static PNGs and JPEGs?

  20. Re:The problem isn't Flash, HTML5, or Javascript by xvan · · Score: 1

    You gain nothing with that, for most people on the XXI century, the browser is the OS (or almost).

  21. Rating System? by Tablizer · · Score: 1

    Time for an ad-intrusion rating system, somewhat like movie ratings. A site and/or ads that want to be rated would pay to be audited and rated. Browsers would have to option of skipping sites with poor ratings and/or shutting off images, JS, etc.

    Because sites would risk losing traffic if they have poorly-rated ads, they'd have an incentive to pay for being rated and monitored.

    It would probably take a mutual agreement among at least a few big tech companies to get enough momentum to take hold.

    --
    Table-ized A.I.
  22. Re:Why can't we... by Merk42 · · Score: 1

    because muh bandwidth. Anything not related to the content I shouldn't have to download. Much like how I cut out all the ads in a magazine so I don't have to carry around its combined weight.

  23. Re:And firefox sucks by gnupun · · Score: 1

    Global js disable is a bad idea because all sites need js to function. Why should the user be forced to run js inside some random ad? It's Firefox's fault for not blocking javascript from third-party domains. Third-party sites are welcome to show text or image ads, but they should not be allowed to run javascript code.

    Blocking 3rd party js would also solve the problem of tracking by sites like google analytics and addthis.com fingerprinting.

  24. Re:And firefox sucks by epine · · Score: 1

    Global js disable is a bad idea because all sites need js to function.

    In much the same way that "all $S need $J to function", where:

    $S = "Soviet diplomat"
    $J = "lapel camera"

  25. practise safe web use by Idisagree · · Score: 1

    use an ad-blocker.

  26. Nothing to see here. by Dagmar+d'Surreal · · Score: 2

    This article is pure, unadulterated bullshit. Probably the only truly honest thing in there is their admission that they have services available. It is not a "study" in any reputable sense of the word, and Softpedia is basically lying to you by calling it that. Softpedia is also very blatantly conflating vulnerabilities with mere attack vectors.

    Let me highlight for you the most glaring example of "using a lot of words to lie" that are in the "study" they're linking to... Starting right in the middle of page two they try to compare and contrast a malvertising attack that uses flash as a vector and one that uses HTML5. Unfortunately for them, their HTML5 example is not only fairly nebulous but they cite a redirection to the Angler Exploit kit as if this really meant anything more than an attempt at compromise. One might then ask... what mechanisms does the Angler Exploit Kit use to compromise the system running the browser? Well... That's primarily exploiting vulnerabilities in Flash. This sort of logical shortcoming means one of two things... Either the author is too ignorant to speak authoritatively on the matter or they're just lying. Take your pick.

  27. Good luck "not visiting" Goatse/Rickroll by tepples · · Score: 1

    The Goatse and Rickroll fads relied on social engineering a user to visit an unintended site. If "not visiting the site(s)" were practical for a non-technical user to accomplish, then those fads would never have happened.

  28. Re:AdBlock+ = inferior & 'souled-out' vs. host by brewthatistrue · · Score: 1

    what about noscript? https://noscript.net/

    umatrix? https://github.com/gorhill/uMa...

  29. Re: Why can't we... by allo · · Score: 1

    nope. The malicious adserver standards came before anti-adblock techniques, just because it's possible.

  30. Re:And firefox sucks by allo · · Score: 1

    mod parent up.

  31. May I remind all by lagi · · Score: 1

    Flash ads were not replaced by HTML5 ads because of security concerns ...

  32. Re: Why can't we... by beastofburdon · · Score: 1

    I volunteer for that job!