Slashdot Mirror


HTML5 Ads Aren't That Safe Compared To Flash, Experts Say (softpedia.com)

An anonymous reader writes: [Softpedia reports:] "A study from GeoEdge (PDF), an ad scanning vendor, reveals that Flash has been wrongly accused as the root cause of today's malvertising campaigns, but in reality, switching to HTML5 ads won't safeguard users from attacks because the vulnerabilities are in the ad platforms and advertising standards themselves. The company argues that for video ads, the primary root of malvertising is the VAST and VPAID advertising standards. VAST and VPAID are the rules of the game when it comes to online video advertising, defining the road an ad needs to take from the ad's creator to the user's browser. Even if the ad is Flash or HTML5, there are critical points in this ad delivery path where ad creators can alter the ad via JavaScript injections. These same critical points are also there so advertisers or ad networks can feed JavaScript code that fingerprints and tracks users." The real culprit is the ability to send JavaScript code at runtime, and not if the ad is a Flash object, an image or a block of HTML(5) code.
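Added example (not code from Softpedia, GeoEdge or the Slashdot post): a Python audit of a VAST response chain that reports the two runtime-code entry points the summary describes, Wrapper redirect hops and VPAID/script MediaFiles, so a publisher can see before a creative runs whether the "ad" is a static file or a program. The ad-server hostnames and VAST documents are constructed.

```python
"""Audit a VAST response chain for the points where runtime code enters the ad
path: Wrapper redirects and VPAID / script MediaFiles. Stdlib ElementTree is used
for brevity; feeds from untrusted ad servers should go through defusedxml."""
import xml.etree.ElementTree as ET

# Constructed sample documents on hypothetical hosts, standing in for the fetches
# an ad player would make: a Wrapper that redirects to an InLine ad carrying one
# static MP4 and one VPAID unit (a script the player would execute).
FAKE_AD_SERVER = {
    "https://adnet.example/wrapper.xml": """<VAST version="3.0"><Ad id="w1">
      <Wrapper><AdSystem>net</AdSystem>
      <VASTAdTagURI><![CDATA[https://adnet.example/inline.xml]]></VASTAdTagURI>
    </Wrapper></Ad></VAST>""",
    "https://adnet.example/inline.xml": """<VAST version="3.0"><Ad id="i1">
      <InLine><AdSystem>net</AdSystem><AdTitle>demo</AdTitle>
      <Creatives><Creative><Linear><Duration>00:00:15</Duration><MediaFiles>
        <MediaFile delivery="progressive" type="video/mp4" width="640" height="360">
          <![CDATA[https://cdn.example/spot.mp4]]></MediaFile>
        <MediaFile delivery="progressive" type="application/javascript"
                   apiFramework="VPAID" width="640" height="360">
          <![CDATA[https://cdn.example/unit.js]]></MediaFile>
      </MediaFiles></Linear></Creative></Creatives>
    </InLine></Ad></VAST>""",
}

# MIME types whose MediaFile is code the player runs, not media it decodes.
EXECUTABLE_TYPES = {"application/javascript", "application/x-javascript",
                    "application/x-shockwave-flash"}

def audit_vast(url, fetch=FAKE_AD_SERVER.get, max_hops=3):
    """Follow Wrapper redirects starting at `url`; return the hop list (each hop
    is a party that can rewrite the ad) and every MediaFile that delivers code."""
    hops, executable = [], []
    while url is not None:
        if len(hops) >= max_hops:
            raise ValueError(f"redirect chain exceeds {max_hops} hops at {url}")
        hops.append(url)
        doc = fetch(url)
        if doc is None:
            raise ValueError(f"unresolvable VAST tag {url}")
        root = ET.fromstring(doc)
        next_tag = root.find("./Ad/Wrapper/VASTAdTagURI")
        url = next_tag.text.strip() if next_tag is not None and next_tag.text else None
        for mf in root.iter("MediaFile"):
            mtype = (mf.get("type") or "").lower()
            api = (mf.get("apiFramework") or "").upper()
            if api == "VPAID" or mtype in EXECUTABLE_TYPES:
                executable.append({"url": (mf.text or "").strip(),
                                   "type": mtype, "apiFramework": api})
    return {"hops": hops, "executable_media": executable}
```

Calling `audit_vast("https://adnet.example/wrapper.xml")` reports two hops and flags only `unit.js`; the MP4 passes as a static asset.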

17 of 108 comments

  1. Re:you brought this on yourselves by Crashmarik · · Score: 4, Informative

    When people bitched and moaned about ordinary banner ads and started blocking them, advertisers started making ads more intrusive. We could still have simple animated GIF ads except that you freeloaders started blocking them to begin with. Those ads were harmless but, thanks to all of you who had to go and block those ads, we're now stuck with malware and far more intrusive advertising. Thanks a lot for ruining the internet for everyone.

    B.S.

    http://abcnews.go.com/Business...
    http://www.foxnews.com/story/2...

    X10 Pop Under ads ring a bell?
    And what do you know, the first example of malvertising is Flash:
    https://en.wikipedia.org/wiki/...

  2. HTML is still better than Flash by Anonymous Coward · · Score: 4, Insightful

    With HTML5 ads, the attack surface is the browser. With Flash, the attack surface is the browser plus the Flash plugin.

    1. Re:HTML is still better than Flash by Anonymous Coward · · Score: 3, Informative

      But I can just not install flash. What's the best way to get rid of html5 video?

    2. Re: HTML is still better than Flash by Short+Circuit · · Score: 5, Informative

      You could build the browser without video support. Actually trivial to do on Gentoo...

      Gentoo. Not just for ricers.

    3. Re:HTML is still better than Flash by Anonymous Coward · · Score: 2, Insightful

      Except that all the added features of HTML5 have expanded the attack surface of the browser. HTML5 is essentially just Flash that's harder to block, which you cannot uninstall, and which can run its JavaScript within the same context as the rest of the page. I see no progress.

  3. Re: Why can't we... by NotInHere · · Score: 2

    It's possible to block js-based ads as well, and blocking works really well; just look at the ad blocking extensions.

    No, the actual reason for js was that it allows the advertisers to run their own analytics on the users. They can find out what site they browse, etc.

  4. Ad blockers by Anonymous Coward · · Score: 3, Informative

    Use them. There is literally no reason not to.
    Time and again we have seen that ads are used to inject malware.
    Why even take the risk?
    I'd rather fuck a stranger without a condom than browse without noscript and adblock.

  5. It's never been about the specific tech by FireballX301 · · Score: 4, Insightful

    A bad ad network is a bad ad network, whether they're sending out flash units, html5 units, or putting up billboards on a highway overpass. A middleman injecting malware doesn't care what the underlying tech is, they care about if the network vets their shit on delivery.

    Nobody with a brain thought HTML5 was 'more secure' than Flash in and of itself.

  6. Wouldn't be an issue if Firefox was relevant. by Anonymous Coward · · Score: 2, Interesting

    If anyone is to blame, I think it would be Mozilla for making Firefox irrelevant by trying to imitate Chrome, even when Firefox's users said very emphatically that they didn't want that.

    Firefox used to have over 30% of the market. Now the latest market share stats show that Firefox is down to maybe 7% across all versions on the desktop, with essentially no mobile presence at all.

    When Firefox had 30% of the market, it was a force to be reckoned with! It held real sway over how the web developed. But then it's like the Firefox developers decided to throw it all away, for no good reason at all. I think that they trashed Firefox's UI, they added unwanted crap like Pocket and Hello. They even embedded ads into Firefox! Now Firefox is down to just 7% of the market, and this number is dropping. Nobody cares about a browser with only 7% of the market.

    And don't waste your time trying to blame Firefox's decline in market share on Google advertising Chrome, or mobile becoming more widely used than desktop browsers (which isn't actually the case), or any other bullshit excuse like that. It was the numerous unwanted changes that Firefox's developers made that drove a large mass of Firefox users away.

    Firefox users were faced with a really bad set of choices: either they could use Firefox and get a slow, bloated Chrome-like experience, or they could use Chrome and at least get a fast, lightweight experience. So they did the only sensible thing and used Chrome, even if they hated it. At least it wasn't as bad as the alternatives!

    I think that the web would have been very different if Firefox had been developed sensibly, instead of what actually happened to it. Chrome would probably be much less used, and we'd see a more open and less commercialized web. Mozilla could have turned Firefox into a champion of privacy and an ad-free web. Instead all we ended up with was a shitty imitation of Chrome that has no influence at all on the web.

  7. Re:And firefox sucks by NotInHere · · Score: 2

    You now have to download, trust & configure a third-party plugin to block javascript.

    No, no plugin needed at all. You just need to:

    1. go to about:config (read more about about:config here: http://kb.mozillazine.org/Abou...)
    2. toggle the option javascript.enabled to false

    And no, disabling javascript does not miraculously protect the user from almost all exploits. Some time ago, Firefox used a font library. Simply loading a font could then infect you. They've changed it since.

  8. The point of killing flash by rsilvergun · · Score: 2

    is that Adobe doesn't put enough $$$ behind security. It's not any easier for Google/Mozilla/Microsoft to do this but Google/Mozilla are open source and Microsoft has deep pockets and juicy gov't & corporate contracts as the incentive to spend money on security.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/

  9. Should Javascript be next by CaroKann · · Score: 2

    How many technologies have died in large part due to security issues? VB and VB Scripting, ActiveX, Silverlight, Flash, Java, Browser plugins: the list goes on.
    So when is JavaScript going to be tossed?
    It's frustrating for so many client end technologies to be tossed partly due to the security issues they brought.
    In a way, I actually miss the days when most applications were written using VB or MFC style interfaces, and GUI widgets were being developed and released by the hundreds.

  10. Re: Why can't we... by AchilleTalon · · Score: 2

    Are you shitting us? The advertisers would never have stuck to GIF and animated GIF for their ad campaigns. They want to know about you and everybody. The more they know, the higher they can charge their customers for an advertisement campaign. They would have used any eye candy possible to get people's attention. So it is completely false to say they would have stuck to animated GIF. They are basically blood suckers with a budget.

    These f... morons should be threatened without pity until they discipline themselves. The website owners don't like ad blockers and javascript blockers; however, they are asking people to let these morons penetrate our computers without any regrets. They can all go to hell if you ask me.

    --
    Achille Talon
    Hop!

  11. Re:Why can't we... by Yvan256 · · Score: 2

    If something is moving on the page, it prevents me from reading. Why can't we just do static PNGs and JPEGs?

  12. Re:yeah...yeah.. flash was safe... by hairyfeet · · Score: 2, Insightful

    Well, let's see about that... you replaced one format that 1.- Was allowed to be installed anywhere, 2.- Was owned by a company that had no problem not only allowing it to be bundled with anything but ALSO allowed for FOSS alternatives, and 3.- Not only did video but animation and gaming.

    What did you get in return? A format that 1.- Had mandatory DRM baked in, 2.- Requires a codec that is not only owned by one of the biggest patent trolls around but is openly hostile to FOSS, 3.- MPEG-LA has made it clear they will sue FOSS companies, which is why all work on supporting that format has to be done outside Berne convention countries. Oh, and 4.- Doesn't support half the features of the supposedly "inferior" format it's replacing, because certain corps don't want any competition with their walled garden appstores.

    Yeah you are better off...if you are Google, Apple, or MSFT...everybody else? Not so much.

    --
    ACs don't waste your time replying, your posts are never seen by me.

  13. Nothing to see here. by Dagmar+d'Surreal · · Score: 2

    This article is pure, unadulterated bullshit. Probably the only truly honest thing in there is their admission that they have services available. It is not a "study" in any reputable sense of the word, and Softpedia is basically lying to you by calling it that. Softpedia is also very blatantly conflating vulnerabilities with mere attack vectors.

    Let me highlight for you the most glaring example of "using a lot of words to lie" that is in the "study" they're linking to... Starting right in the middle of page two, they try to compare and contrast a malvertising attack that uses Flash as a vector and one that uses HTML5. Unfortunately for them, their HTML5 example is not only fairly nebulous, but they cite a redirection to the Angler Exploit Kit as if this really meant anything more than an attempt at compromise. One might then ask... what mechanisms does the Angler Exploit Kit use to compromise the system running the browser? Well... That's primarily exploiting vulnerabilities in Flash. This sort of logical shortcoming means one of two things... Either the author is too ignorant to speak authoritatively on the matter or they're just lying. Take your pick.

  14. Re:yeah...yeah.. flash was safe... by tepples · · Score: 2

    Assuming that you're referring to replacement of SWF with HTML5:

    you replaced one format that [...] Was owned by a company that had no problem not only allowing it to be bundled with anything but ALSO allowed for FOSS alternatives

    Initially, Adobe's SWF spec was licensed under terms that specifically forbade its use to create third-party players. Adobe didn't drop that provision until the Open Screen Project in the second quarter of 2008.

    [Flash does] Not only did video but animation and gaming.

    HTML5 also does gaming. See Cookie Clicker and Pirates Love Daisies, for example.

    [HTML5 video] Had mandatory DRM baked in

    It's not mandatory. A web browser publisher can just choose not to support Netflix and Amazon video.

    [HTML5 video] Requires a codec that is not only owned by one of the biggest patent trolls around but is openly hostile to FOSS

    Where does the HTML5 spec require use of MPEG-4 codecs? Last time I checked, WebM (Matroska container, VP8 or VP9 video codec, and Vorbis or Opus audio codec) was also acceptable, and only pack-in browsers on proprietary operating systems (IE and Safari) fail to support WebM out of the box. Even Microsoft Edge will get WebM support come Windows 10 Anniversary Update. Besides, SWF also used H.263 and H.264.

    MPEG-LA has made it clear they will sue FOSS companies which is why all work on supporting that format has to be done outside Berne convention countries

    MPEG-LA licenses patents, not copyrights. The Berne Convention refers to copyrights, not patents. It looks like you've been bitten by the false equivalence of intellectual property.

    Doesn't support half the features of the supposedly "inferior" format its replacing

    Could you list some SWF features that aren't supported in HTML5 and can't easily be polyfilled? Because if there were, it wouldn't be possible to build Shumway, a polyfill for SWF itself.