Skip to content
Naked Security Naked Security

Chrome will soon block drive-by-download malvertising

A new Chrome feature hopes to choke off one of the most malicious forms of malware infection: drive-by advertising downloads.

Google is tooling up in the war against malvertisers. Developers of its Chrome browser are introducing a feature that they hope will choke off one of the most malicious forms of malware infection: drive-by advertising downloads.

Automatic downloads via advertising frames are a popular cause of drive-by downloads. In these attacks, a malicious party will rent space from an online advertising network, which pays for banners on participating websites. The network serves up ads from its clients through those banners, usually based on information compiled about the website visitor. This is how websites can creepily show you ads for things you were searching for elsewhere.

In this case, things get creepier still. The attacker’s ad includes a download – usually a JavaScript executable – that takes advantage of a browser vulnerability and infects the victim’s computer.

The feature that Chrome will add is, in reality, more of a removal. Google is planning to deprecate a feature that automatically downloads any content from an advertiser.

The update comes from Yao Xiao, a developer on the Chromium open-source browser project that feeds Chrome. It isn’t his first attack on drive-by downloaders. He introduced a similar update in a January document that targets the same behaviour in IFrames – an HTML element which effectively creates a window from the host webpage into another webpage. Attackers quickly began using IFrames to spray malicious content through websites to infect users’ browsers. That update takes effect in Chrome 74, which ships in April.

The advertising frame implementation will commence at a later date, but is already on the list of forthcoming developments for Chrome. The listing says:

Download doesn’t make much sense with ads. It happens very rarely in practice and is also difficult to reproduce, which implies that a very small amount of ads are doing automatic downloads. Blocking download in ad frames without user gesture will make the web less abusive and more secure.

The block won’t apply to all downloads from advertising frames. Those with user gestures, such as when users actually click on something to download it, will still be allowed. From the accompanying paper:

The only kinds of downloads that can occur without a user gesture are navigations and simulated clicks on <a download> links. Therefore, our intervention will block such downloads if they occur without a user gesture.

Expect all versions of the Blink browser engine behind Chrome to support this. That means the iOS version of Chrome won’t have these protections because it uses WebKit as a rendering engine and Apple won’t permit any alternatives. Google forked away from WebKit to create Blink in 2013.

Malvertising has been a problem for years, with sites ranging from Forbes through to the Daily Mail being hit. Entire networks of fake ad agencies have helped stoke the pipeline for malicious ads. It’s a particularly damaging form of cybercrime because it undermines support for popular sites that people should be able to trust. It also drives the use of ad blockers, which in turn damages advertising-driven content models and impacts publisher profits.

The move is part of a broader campaign that Google is waging against advertisers that don’t play by the rules. Having tried to warn users about advertising redirects in November 2017, it took another swipe at rogue advertisers in November 2018, implementing a warning system for ads that behaved suspiciously or misled users.

Adverts aren’t going away, so anything that browser developers can do to make ads safer for millions of web users has to be a good thing.


It would be kind of neat if they would alert you (unobtrusively) each time they blocked a dangerous ad.


Hopefully they don’t blindly white list their own add servers and services. Plenty of (emails/adds) linking to google resources out with malicious files out there.


Years back I would always disable Active Scripting in IE while browsing. If a site didn’t work correctly, I would simply add it to the Trusted Sites zone, or enable scripting temporarily. I had always wished for a toolbar button to do it more simply. Now it can only be done in Edge with Group Policy, I believe. No scripting = no bad stuff ever! No pop-ups, no pop-unders, no java…


With Microsoft and Google combining on developing Chromium, I wonder how long before Firefox has to either join them or go it alone and risk becoming just another Pale Moon cult browser with minimal volunteer development. No I do not see Edge gaining lot’s of users moving to Chromium, but the news is that being contributors to Chromium the engine will only get better and right now every sort of browser now except Firefox uses Chromium as their base for their browser. Mozilla has to be troubled a lot by Microsoft’s move, because it places Firefox in a really bad position of which isn’t so great anyway.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!