Security Experts:

HTML5 Won't Stop Malvertising, Brings New Threats

Flash is one of the most abused pieces of software in use. Flexera Software's Vulnerability Review 2016 counts 457 vulnerabilities in 2014 and 2015 (second only to Chrome with 516 vulnerabilities). But Flash is the attacker's tool of choice. For example, as recently as late May 2016 Malwarebytes reported on a malvertising campaign exploiting Flash and redirecting users to the Angler exploit kit.

Such abuse is behind current browser campaigns to deprecate the use of Flash while browsing. In April 2016 Microsoft announced  that Flash content not central to the page itself (such as games) would be automatically paused in Windows 10 (Edge browser). The intent is to spur the adoption of HTML5 for animated content. In May 2016 Google announced that it would deprecate Flash and promote HTML5 within Chrome by the end of this year.

Such actions are likely to fuel a move from Flash to HTML5 for the display of web-delivered advertising. This, however, will have little effect on preventing malvertising. 

A recent report from GeoEdge, an ad scanning vendor, compares the two options. This report suggests that there are technical advantages and disadvantages in both. For example, Flash can provide better clarity with its sub-pixel support, but doesn't automatically scale to the window size as does HTML5. Flash requires greater processing power, but HTML5 adverts come in at a larger size (approximately 100kb bigger).

In terms of general security, new security vulnerabilities are regularly discovered in Flash, something that is not the case with HTML5. Nevertheless, GeoEdge makes it very clear that HTML5 will not prevent malvertising. This has nothing to do with HTML5 per se, but is down to the nature of the adverts themselves.

The primary root of malvertising lies with the advertising standards (VAST and VPAID) developed in 2012. As the Internet Advertising Bureau wrote at the time, "The significance is that advertisers using VPAID ads can provide rich ad experiences for viewers and collect ad playback and interaction details that are just as rich as the ad experience."

This ability for interaction between the user and the advertiser applies to both Flash and HTML5 adverts. "Since these standards allow advertisers to receive data about the user," writes GeoEdge, "they allow for third-party codes to be inserted inside the ad. Once a third-party code is allowed, there is an open door for bad actors to perpetrate malicious activities, i.e. insert malicious code." Since, says the report, JavaScript is the base language for HTML5, "malicious code can be packaged in HTLM5 without much difficulty."

Within the last few days, researchers have discovered a ransomware strain, called RAA, entirely written in JavaScript. In theory, a future HTML5 malvertising campaign would be able to deliver ransomware directly to the user via HTML5. "JavaScript is a general purpose programming language," comments Simon Crosby, CTO at Bromium. "Once one hacker has figured out how to use it to write crypto-malware, any other hacker can simply read the source code and use it elsewhere. So I expect to see rapid re-use and many variants of this attack." The only way to prevent such breaches, he suggests, "is to use an endpoint isolation technology like micro-virtualization that hardware isolates each tab of the browser from the OS - so that crypto-malware cannot impact the endpoint."

But there is no easy third-party solution to the malvertizing problem. Changing to HTML5 doesn't help, and could make things worse. The only solution, suggests F-Secure, is for the ad industry itself to take responsibility. "Ad serving platforms should implement better security measures themselves," F-Secure's Andrew Patel told SecurityWeek. "Incoming ads should be vetted before they are served to the greater community. This can be achieved by passing them through solutions that catch malware and exploit kits. Even if this requires a sandbox approach, it is completely doable."

But there is yet another issue to consider. A 2015 study by the Simon Fraser University on the use of AdBlock Plus suggested blocking animated adverts can provide a 25% reduction in bytes downloaded. Where companies allow staff browsing on the corporate network, this can result in a considerable non-business bandwidth cost. However, this cost will only increase with a switch to larger HTML5 adverts.

Related: Top 10 Security Threats for HTML5

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.