The company announced Chrome will detect and block non-essential Flash content, the bulk of which are online advertisements, from automatically running on websites starting Sept. 1. Essential Flash content, such as embedded video players, will remain unaffected.
Google claims the changes will improve Chrome's performance and speed the loading of Web pages. The company isn't saying anything about security, but after the past month of malicious online ads popping up on high-traffic sites such as Yahoo, eBay, and MSN, the timing is very convenient.
Adobe Flash is a popular target for attackers who exploit vulnerabilities in the technology to display malicious ads and other video content. Malvertising campaigns use the ads to redirect users to sites hosting exploit kits loaded with all manner of attacks. Criminals use Flash ads to target users across a wide array of websites without having to compromise the actual site the user is visiting.
Google for a while now has been automatically converting to HTML5 Flash files uploaded to Google Display Network via AdWords and similar third-party tools, but it continued to display ads that couldn't be converted. With the new deadline, Display Network advertisers will have to manually convert those ads to HTML5. Otherwise, Chrome users will just see a gray box when the ad attempts to display, as it will be tagged non-essential Flash content by the browser.
And if the ad is being served up by one of the many other advertising networks that doesn't convert Flash to HTML5, it will be blocked from running by default in Chrome. The only exceptions are for those users who manually set Chrome's settings to display all Flash content automatically. Users can also choose to play the frozen Flash content by clicking on the gray box and selecting the "Run this time" option.
Even if that gray box turns out to have a malicious ad, Chrome users are protected so long as they don't click to manually play that box.
The push to HTML5 ads is nothing new -- Google has been encouraging advertisers to switch away from Flash in favor of HTML5 for quite some time, and this move could nudge some of the laggards to finally make the change.
Of course, freezing Flash ads in Chrome doesn't actually solve the overall malvertising problem, as cyber criminals are good at switching tactics. When one attack vector becomes hard to use, they pivot to a new one, so there is no reason to expect cyber criminals won't start looking at new ways to compromise HTML5 ads or target other types of Flash content on the Web. Perhaps new social engineering tactics will trick users into running the frozen Flash content.
For the time being, it appears other browsers will continue to run non-essential Flash content -- and ads -- normally, which leaves plenty of users still at risk.
"Flash today, PDF tomorrow, Java anytime," said Patrick Belcher, director of security analytics at Invincea.
Researchers don't have exact figures for the number of people affected in the last round of malvertising attacks, but Malwarebytes noted that Yahoo and its sub-sites have just under 7 billion visits per month and MSN has 120 million visits per month. Not everyone saw malicious ads, and even then, only users with vulnerable software were impacted.
It's encouraging to see some progress on how online advertisements are displayed, even if they are isolated moves. Amazon also announced it would no longer display Flash ads on its sites starting Sept. 1, for example.
Google has a significant slice of the display ads market, but there are many other ad networks. The industry still needs to come to consensus on ensuring that cyber criminal advertisers don't infiltrate networks with bad advertisements.