Chrome will soon block drive-by-download malvertising

Google is tooling up in the war against malvertisers. Developers of its Chrome browser are introducing a feature that they hope will choke off one of the most malicious forms of malware infection: drive-by advertising downloads.

Downloads that an advertising frame starts on its own are a common route for drive-by downloads. In these attacks, a malicious party buys space from an online advertising network, which in turn pays participating websites to display its banners. The network fills those banner slots with ads from its clients, usually chosen using information it has compiled about the visitor. This is how websites can creepily show you ads for things you were searching for elsewhere.

In this case, things get creepier still. The attacker’s ad carries script that starts a file download by itself, without the visitor clicking anything. The file is usually a disguised executable or script; once it runs, whether because the victim opens it or because it is paired with a browser exploit, it infects the victim’s computer.

The feature that Chrome will add is, in reality, more of a removal. Google plans to take away an ad frame’s ability to start a download on its own, with no action from the user.

The update comes from Yao Xiao, a developer on the Chromium open-source browser project that feeds Chrome. It isn’t his first move against drive-by downloaders. He introduced a similar update in a January document that targets the same behaviour in iframes – an HTML element which effectively creates a window from the host webpage into another webpage. Attackers have long used iframes to inject malicious content into otherwise legitimate websites and infect visitors’ browsers. That update takes effect in Chrome 74, which ships in April.

The ad frame block will arrive in a later release, but it is already on Chrome’s list of forthcoming changes. The listing says:

Download doesn’t make much sense with ads. It happens very rarely in practice and is also difficult to reproduce, which implies that a very small number of ads are doing automatic downloads. Blocking download in ad frames without user gesture will make the web less abusive and more secure.

The block won’t apply to all downloads from advertising frames. Downloads that follow a user gesture, such as the user actually clicking a link to download something, will still be allowed. A user gesture here means real input from the user (a click, tap or key press) as registered by the browser; a click that the ad’s own script simulates does not count. From the accompanying document:

The only kinds of downloads that can occur without a user gesture are navigations and simulated clicks on <a download> links. Therefore, our intervention will block such downloads if they occur without a user gesture.

Expect every browser built on Blink, the rendering engine behind Chrome, to pick up this change. The exception is Chrome for iOS, which won’t get these protections: on iOS it has to use Apple’s WebKit engine, because Apple won’t permit any alternatives. Google forked Blink from WebKit in 2013.

Malvertising has been a problem for years, with sites ranging from Forbes through to the Daily Mail being hit. Entire networks of fake ad agencies have helped stoke the pipeline for malicious ads. It’s a particularly damaging form of cybercrime because it undermines support for popular sites that people should be able to trust. It also drives the use of ad blockers, which in turn damages advertising-driven content models and impacts publisher profits.

The move is part of a broader campaign that Google is waging against advertisers that don’t play by the rules. Having tried to warn users about advertising redirects in November 2017, it took another swipe at rogue advertisers in November 2018, implementing a warning system for ads that behaved suspiciously or misled users.

Adverts aren’t going away, so anything that browser developers can do to make ads safer for millions of web users has to be a good thing.