Google, Amazon push Flash closer to extinction

Internet users will get some respite from Flash-based attacks since Google and Amazon are stopping Flash ads from displaying

Google's announcement that Chrome will freeze non-essential Flash content on Web pages will give Internet users some respite from the ongoing threats posed by malicious Flash ads online.

The company announced Chrome will detect and block non-essential Flash content, the bulk of which are online advertisements, from automatically running on websites starting Sept. 1. Essential Flash content, such as embedded video players, will remain unaffected.

Google claims the changes will improve Chrome's performance and speed the loading of Web pages. The company isn't saying anything about security, but after the past month of malicious online ads popping up on high-traffic sites such as Yahoo, eBay, and MSN, the timing is very convenient.

Adobe Flash is a popular target for attackers who exploit vulnerabilities in the technology to display malicious ads and other video content. Malvertising campaigns use the ads to redirect users to sites hosting exploit kits loaded with all manner of attacks. Criminals use Flash ads to target users across a wide array of websites without having to compromise the actual site the user is visiting.

For a while now, Google has been automatically converting Flash files uploaded to the Google Display Network via AdWords and similar third-party tools to HTML5, but it continued to display ads that couldn't be converted. With the new deadline, Display Network advertisers will have to manually convert those ads to HTML5. Otherwise, Chrome users will just see a gray box when the ad attempts to display, as the browser will tag it as non-essential Flash content.

And if the ad is being served up by one of the many other advertising networks that don't convert Flash to HTML5, it will be blocked from running by default in Chrome. The only exceptions are for those users who manually set Chrome's settings to display all Flash content automatically. Users can also choose to play the frozen Flash content by clicking on the gray box and selecting the "Run this time" option.

Even if that gray box turns out to have a malicious ad, Chrome users are protected so long as they don't click to manually play that box.

The push to HTML5 ads is nothing new -- Google has been encouraging advertisers to switch away from Flash in favor of HTML5 for quite some time, and this move could nudge some of the laggards to finally make the change.

Of course, freezing Flash ads in Chrome doesn't actually solve the overall malvertising problem, as cyber criminals are good at switching tactics. When one attack vector becomes hard to use, they pivot to a new one, so there is no reason to expect cyber criminals won't start looking at new ways to compromise HTML5 ads or target other types of Flash content on the Web. Perhaps new social engineering tactics will trick users into running the frozen Flash content.

For the time being, it appears other browsers will continue to run non-essential Flash content -- and ads -- normally, which leaves plenty of users still at risk.

"Flash today, PDF tomorrow, Java anytime," said Patrick Belcher, director of security analytics at Invincea.

Researchers don't have exact figures for the number of people affected in the last round of malvertising attacks, but Malwarebytes noted that Yahoo and its sub-sites have just under 7 billion visits per month and MSN has 120 million visits per month. Not everyone saw malicious ads, and even then, only users with vulnerable software were impacted.

It's encouraging to see some progress on how online advertisements are displayed, even if they are isolated moves. Amazon also announced it would no longer display Flash ads on its sites starting Sept. 1, for example.

Google has a significant slice of the display ads market, but there are many other ad networks. The industry still needs to come to consensus on ensuring that cyber criminal advertisers don't infiltrate networks with bad advertisements.

Fahmida Y. Rashid