AOP - Association of online publishers

GeoEdge: Security Aspects of Flash, HTML5, and Video in the Ad Tech Industry

For the last several years, Adobe Flash has been an enemy of the online community. In general, the position is well deserved: there were more than 300 vulnerabilities found in Flash Player during 2015 alone, making it the most vulnerable PC software of the year. In 2016, Flash continues to hold that privileged position, sharing it with its brother, Adobe AIR, a system created for cross-platform mobile and desktop applications. These vulnerabilities have been, and continue to be, heavily used by attackers in some of the most dangerous and prevalent web attacks today. The weapon of choice for such attacks is known as an exploit kit, which silently attacks users and installs malicious software on their endpoints (the user’s computer).

 

In direct contrast to Flash, the community has confidence in HTML5, which is being intensively pushed forward by major digital companies like Google, Amazon, and other big players. They consider HTML5 the more secure and less resource-greedy alternative. Microsoft has also joined the movement recently by adding Flash auto-pause to its Edge browser. Since there are many proponents pushing for Flash to be prohibited from use in an ad creative, with HTML5 as its replacement, this raises the question: Will the use of HTML5, in place of Flash, prevent malvertising attacks?

HTML5 vs. Flash

Before we delve into the logistics of replacing one technology with another, let’s review the reasons why developers prefer one technology over the other. Below is a feature comparison:

 

• Size: HTML5 ads are larger in file size than Flash-based ads. This is because HTML5 ads include the backup images, click tags/codes and other elements. Flash ad sizing, however, is based on the creative size only. Because of this, HTML5 ads are around 100Kb larger.

 

• Cost: Constructing Flash ads can be costly. You have to create a Flash ad for every possible size placement. Once you create an HTML5 ad, the ad is responsive to all possible sizes.

 

• Convenience: Unlike Flash, which requires a dedicated plug-in, HTML5 can render multimedia content easily without plugins or player applications. However, the downside to this is that some older browsers do not support HTML5.

 

• Picture Clarity: Flash has greater image clarity, as it can offer sub-pixel support. This results in crisper images. HTML5 can lead to inconsistency and unreliability in display.

 

• Mobile Support: HTML5 offers better support for mobile sites. Flash is PC-based only, giving HTML5 a large advantage over Flash as we move into an era of mobile-web accessibility. HTML5 offers much better cross-device support.

 

• Development Resources: Flash has a large resource pool and even larger community, whereas HTML5 is still a fairly new technology with a growing community and some still-prevalent inconsistencies and support issues.

 

• Parent Company: Flash is not an open standard; it is controlled by Adobe Systems. HTML5 is largely controlled by the Web Hypertext Application Technology Working Group (WHATWG), managed by Mozilla, Opera Software and Apple.

There are three stages for the video ad lifecycle in a malvertising attack:

 

1. Ad Creation: Building the ad

2. Ad Delivery: Serving of the ad

3. Infection Procedure: Performing malvertising objectives, aka installing malware onto the user’s computer

 

The proponents pushing for Flash to be prohibited from use in an ad creative are saying that HTML5 is the remedy that can handle security threats in the advertising industry. It stands to reason that if the ad unit itself is clean, then the user won’t have any problems. Unfortunately, this is an inaccurate statement. Malvertising attacks using video ads were already occurring in late 2015 and early 2016.

 

Let’s take a look at a couple of examples: In the first attack scenario (picture below), a malicious Flash ad unit was loaded into a legitimate Flash video player with VAST/VPAID support. The ad carried malicious JavaScript code inside, which was then executed by the ActionScript ExternalInterface.call function.

 

As a result, there was a malicious pop-up that tried to convince the user to update their Chrome browser. If the user clicked on “Accept and Install”, then the malware was installed and infected the user’s computer.
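
The following Python check is an added example, not code from GeoEdge or the white paper: it audits a VAST response for MediaFile entries that hand the player executable code (a Flash SWF or a VPAID unit) rather than passive video, which is the delivery path in the scenario above. The `audit_vast` name, the sample XML and the `.example` URLs are constructed for illustration; the `type` and `apiFramework` attributes are standard VAST.

```python
import xml.etree.ElementTree as ET

# MIME types whose payload is code the player runs, not passive video.
EXECUTABLE_TYPES = {
    "application/x-shockwave-flash":
        "Flash SWF (ActionScript can reach page JavaScript via ExternalInterface.call)",
    "application/javascript": "JavaScript creative",
    "application/x-javascript": "JavaScript creative",
    "text/javascript": "JavaScript creative",
}

def audit_vast(xml_text):
    """Return one finding per MediaFile that delivers executable code."""
    # Ad responses are untrusted input: refuse DTDs so entity-expansion
    # tricks never reach the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD not allowed in VAST response")
    root = ET.fromstring(xml_text)
    findings = []
    for ad in root.iter("Ad"):
        for mf in ad.iter("MediaFile"):
            mime = (mf.get("type") or "").strip().lower()
            api = (mf.get("apiFramework") or "").strip().upper()
            if mime in EXECUTABLE_TYPES or api == "VPAID":
                findings.append({
                    "ad_id": ad.get("id"),
                    "type": mime,
                    "api": api,
                    "url": (mf.text or "").strip(),
                    "reason": EXECUTABLE_TYPES.get(
                        mime, "VPAID unit with undeclared or unexpected type"),
                })
    return findings

# Constructed sample response (not taken from a real campaign).
SAMPLE_VAST = """<VAST version="3.0">
  <Ad id="constructed-1"><InLine><Creatives><Creative><Linear><MediaFiles>
    <MediaFile delivery="progressive" type="video/mp4" width="640" height="360"><![CDATA[https://cdn.example/spot.mp4]]></MediaFile>
    <MediaFile delivery="progressive" type="application/x-shockwave-flash" apiFramework="VPAID" width="640" height="360"><![CDATA[https://ads.example/unit.swf]]></MediaFile>
  </MediaFiles></Linear></Creative></Creatives></InLine></Ad>
  <Ad id="constructed-2"><InLine><Creatives><Creative><Linear><MediaFiles>
    <MediaFile delivery="progressive" type="application/javascript" apiFramework="VPAID" width="640" height="360"><![CDATA[https://ads.example/unit.js]]></MediaFile>
  </MediaFiles></Linear></Creative></Creatives></InLine></Ad>
</VAST>"""

if __name__ == "__main__":
    for f in audit_vast(SAMPLE_VAST):
        print(f["ad_id"], f["type"], f["url"], "->", f["reason"])
```

The JavaScript VPAID unit is flagged alongside the SWF because both are code executed by the player, so removing Flash from the creative does not by itself remove this delivery path.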

Download pdf above to read the full white paper
