Flash is one of the most abused pieces of software in use. Flexera Software’s Vulnerability Review 2016 counts 457 vulnerabilities in 2014 and 2015 (second only to Chrome with 516 vulnerabilities). But Flash is the attacker’s tool of choice. For example, as recently as late May 2016 Malwarebytes reported on a malvertising campaign exploiting Flash and redirecting users to the Angler exploit kit.
Such abuse is behind current browser campaigns to deprecate the use of Flash while browsing. In April 2016 Microsoft announced that Flash content not central to the page itself (such as games) would be automatically paused in Windows 10 (Edge browser). The intent is to spur the adoption of HTML5 for animated content. In May 2016 Google announced that it would deprecate Flash and promote HTML5 within Chrome by the end of this year.
Such actions are likely to fuel a move from Flash to HTML5 for the display of web-delivered advertising. This, however, will have little effect on preventing malvertising.
A recent report from GeoEdge, an ad scanning vendor, compares the two options. This report suggests that there are technical advantages and disadvantages in both. For example, Flash can provide better clarity with its sub-pixel support, but doesn’t automatically scale to the window size as does HTML5. Flash requires greater processing power, but HTML5 adverts come in at a larger size (approximately 100kb bigger).
In terms of general security, new security vulnerabilities are regularly discovered in Flash, something that is not the case with HTML5. Nevertheless, GeoEdge makes it very clear that HTML5 will not prevent malvertising. This has nothing to do with HTML5 per se, but is down to the nature of the adverts themselves.
The primary root of malvertising lies with the advertising standards (VAST and VPAID) developed in 2012. As the Internet Advertising Bureau wrote at the time, “The significance is that advertisers using VPAID ads can provide rich ad experiences for viewers and collect ad playback and interaction details that are just as rich as the ad experience.”
But there is no easy third-party solution to the malvertizing problem. Changing to HTML5 doesn’t help, and could make things worse. The only solution, suggests F-Secure, is for the ad industry itself to take responsibility. “Ad serving platforms should implement better security measures themselves,” F-Secure’s Andrew Patel told SecurityWeek. “Incoming ads should be vetted before they are served to the greater community. This can be achieved by passing them through solutions that catch malware and exploit kits. Even if this requires a sandbox approach, it is completely doable.”
But there is yet another issue to consider. A 2015 study by the Simon Fraser University on the use of AdBlock Plus suggested blocking animated adverts can provide a 25% reduction in bytes downloaded. Where companies allow staff browsing on the corporate network, this can result in a considerable non-business bandwidth cost. However, this cost will only increase with a switch to larger HTML5 adverts.
Related: Top 10 Security Threats for HTML5