Google, Amazon push Flash closer to extinction

Internet users will get some respite from Flash-based attacks since Google and Amazon are stopping Flash ads from displaying

Google's announcement that Chrome will freeze non-essential Flash content on Web pages will give Internet users some respite from the ongoing threats posed by malicious Flash ads online.

The company announced Chrome will detect and block non-essential Flash content, the bulk of which are online advertisements, from automatically running on websites starting Sept. 1. Essential Flash content, such as embedded video players, will remain unaffected.

Google claims the changes will improve Chrome's performance and speed the loading of Web pages. The company isn't saying anything about security, but after the past month of malicious online ads popping up on high-traffic sites such as Yahoo, eBay, and MSN, the timing is very convenient.

Adobe Flash is a popular target for attackers who exploit vulnerabilities in the technology to display malicious ads and other video content. Malvertising campaigns use the ads to redirect users to sites hosting exploit kits loaded with all manner of attacks. Criminals use Flash ads to target users across a wide array of websites without having to compromise the actual site the user is visiting.

For a while now, Google has been automatically converting Flash files uploaded to Google Display Network via AdWords and similar third-party tools to HTML5, but it continued to display ads that couldn't be converted. With the new deadline, Display Network advertisers will have to manually convert those ads to HTML5. Otherwise, Chrome users will just see a gray box when the ad attempts to display, as it will be tagged non-essential Flash content by the browser.

And if the ad is being served up by one of the many other advertising networks that don't convert Flash to HTML5, it will be blocked from running by default in Chrome. The only exceptions are for those users who manually set Chrome's settings to display all Flash content automatically. Users can also choose to play the frozen Flash content by clicking on the gray box and selecting the "Run this time" option.

Even if that gray box turns out to have a malicious ad, Chrome users are protected so long as they don't click to manually play that box.

The push to HTML5 ads is nothing new -- Google has been encouraging advertisers to switch away from Flash in favor of HTML5 for quite some time, and this move could nudge some of the laggards to finally make the change.

Of course, freezing Flash ads in Chrome doesn't actually solve the overall malvertising problem, as cyber criminals are good at switching tactics. When one attack vector becomes hard to use, they pivot to a new one, so there is no reason to expect cyber criminals won't start looking at new ways to compromise HTML5 ads or target other types of Flash content on the Web. Perhaps new social engineering tactics will trick users into running the frozen Flash content.

For the time being, it appears other browsers will continue to run non-essential Flash content -- and ads -- normally, which leaves plenty of users still at risk.

"Flash today, PDF tomorrow, Java anytime," said Patrick Belcher, director of security analytics at Invincea.

Researchers don't have exact figures for the number of people affected in the last round of malvertising attacks, but Malwarebytes noted that Yahoo and its sub-sites have just under 7 billion visits per month and MSN has 120 million visits per month. Not everyone saw malicious ads, and even then, only users with vulnerable software were impacted.

It's encouraging to see some progress on how online advertisements are displayed, even if they are isolated moves. Amazon also announced it would no longer display Flash ads on its sites starting Sept. 1, for example.

Google has a significant slice of the display ads market, but there are many other ad networks. The industry still needs to come to a consensus on ensuring that cyber criminal advertisers don't infiltrate networks with bad advertisements.


Fahmida Y. Rashid

InfoWorld