Upsetting news today from GeoEdge: not only is HTML5 not going to prevent drive-by infections from ads, but it also turns out that Flash was nowhere near as responsible for these infections as we thought. Hard to say which of those two facts is more upsetting, but don't worry, you can still malign JavaScript. The security problems actually stem from the two advertising standards used on the web, VAST and VPAID, which are the vector of infection for the JavaScript code that runs to display the ad in your browser. Follow the link from Slashdot for a detailed explanation of what is happening.
"A study from GeoEdge, an ad scanning vendor, reveals that Flash has been wrongly accused of being the root cause of today's malvertising campaigns, but in reality, switching to HTML5 ads won't safeguard users from attacks because the vulnerabilities are in the ad platforms and advertising standards themselves."
Here is some more Tech News from around the web:
- Revive revived: Oculus DRM push shattered as DIY devs strike back @ The Register
- AMD Radeon RX 480 Hands-On Preview @ TechARP
- Remote-code execution flaw identified in OpenAPI framework @ The Inquirer
- SoftIron Overdrive 1000 is a £400 64-bit ARM server for developers @ The Register
- Chrome Bug Makes It Easy To Download Movies From Netflix and Amazon Prime @ Slashdot
- BlackBerry's turnaround stalls @ The Register
- RFC gives route leaks names, to help netops explain why traffic goes missing @ The Register
- Malware Can Use Fan Noise To Steal Data From Air-Gapped Systems @ Slashdot
The fact is that Flash should never have the permissions to install malware, end of. If HTML5 ends up being just as bad that’s because HTML5 is garbage, just like Flash is.
Of course it won’t protect you completely.
But it will reduce the attack surface, which is the whole point of ditching Flash.
That’s because the HTML/HTML5 standards have been corrupted to serve the ad industry, same for JavaScript! These standards are all about taking the user’s control from them while they browse the internet.
Flash was responsible for many of the infections and HTML/HTML5 likewise, mostly via JavaScript. It’s time to elevate the user control over the browser to the highest, and reduce the HTML5 and JavaScript methods to asking the user for permission to run, with the user in full control of just what keyboard and mouse events are allowed to be taken over by any web page. All ad rendering should take a back seat to the rendering of the page/content, with the user allowed complete freedom to scroll and navigate regardless of the load status of any ad content.
Users should have top level button/menu level control over their browser’s keyboard and mouse event functionality so all that ad interference can be reduced to simply displaying a simple ad graphic with no video ad content allowed. No more ads popping up in the middle of a block of text to further interrupt the user’s web browsing experience. No more auto loading of any HTML5/other video ad content, the user should be allowed to set their browser to accept only a static image in place of any video ad content, and no more fancy ads that pop up from unsuspected places on the web page. These “Standards” for HTML/HTML5 have always been developed with ad pushing in mind to serve the needs/profits of the ad pushing industry and have never been designed with any user security or privacy in mind. The internet has been transformed into the new Boob Tube, with an ad driven focus to the detriment of all else.
It’s hell just trying to read any printed content with the ads causing the content not to load, the ads jogging the page causing the reader to lose focus of what they are reading, or auto scrolling the page to draw the user’s attention away from the very reason that they navigated to the page in the first place. Some ads even take the bridge troll approach, and hide the content in an attempt to get the reader’s attention! It’s best to avoid any company’s product if their product’s advertising uses such a rude and obnoxious method to force the reader’s/viewer’s attention onto the ad.
With all the ad pushing servers pushing out their content from all over, no user is actually visiting a single domain, or HTTP address, the user is now sent to a web page that has become a portal for many simultaneous connections from many different web/domains that serve the infected ad content that is responsible for the infection problems in the first place, via Java/other web languages that can never be properly secured.
Whoopdey-effing-do! I’ve been saying FOR YEARS (almost an entire friggin’ DECADE, in all actuality) that Flash was not the root/cause of the problem, but the absolute majority of techies on sources akin to linux.org.ru (a.k.a. LOR, one of the biggest and most notorious Linux-specific tech sources of the Slavic internet, not necessarily just Russia) were deeming me a “crazy dummy” and a “troll” instead of actually listening to the absolutely reasonable facts. In the end, I get the last laugh.
Why is there no guaranteed safe ad platform? I would consider accepting ads from some publicly acknowledged and open source ad platform. Ads would have to be proven to be malware free, not track users, not write data to a cookie or anywhere else on your computer and not use more than a very small percent of system resources including bandwidth. Of course we will never see an ad platform like that so instead we will continue to block ads. Ad blocking has a very bright future. I expect that all browsing will be done via an intermediate virtual machine so that there is no trace that the ad has in fact been blocked. It is much easier to block an ad than it is to distribute one.