Study Claims HTML5 Isn’t Much More Secure Than Flash

Many websites and ad networks have banned Adobe Flash based advertising and plugins for performance and security reasons, but a new study has cast doubts on whether its modern alternative, HTML5, is actually much safer.

The report, from ad security verification specialist GeoEdge, examines the latest malvertising attacks and explores Flash and HTML5 vulnerabilities that allow for malicious code insertion.

Java Flaw

“For the last several years, Adobe Flash has become an enemy of the online community with more than 300 vulnerabilities found in Flash Player during 2015 alone, making it the most vulnerable PC software of the year,” said GeoEdge.

“These vulnerabilities have been, and continue to be, heavily used by cyber criminals in some of the most dangerous and prevalent malvertising attacks today. In response to the problems with Flash, the community has turned to HTML5, considered the more secure option. However, GeoEdge reports that the use of HTML5 will ultimately not prevent malvertising attacks.”

GeoEdge found that there are many techniques for malvertising infection that don’t require the use of Flash in the ad creative. And more worryingly, it found that even with HTML5 video ads, malicious code could be inserted into the ad itself or VAST parameters.

The problem stems from the fact that malware attacks typically utilise inserted JavaScript code. And because JavaScript is the base language for HTML5, malicious code can be packaged in HTML5 without much difficulty, GeoEdge warned.

“Cyber-criminals can insert malicious code because of third-party code allowance,” it said. “There is nothing to prevent an attacker from injecting a malicious URL using third-party code into the VAST or XML, or from direct injection of a malicious ad unit into the site’s self-designed video player. (Other options exist which are just as effective.)”

“Cyber-criminals will continue to build malvertising campaigns because the payout is high and their risk low,” said Sagi Elgavi, vice president of R&D.
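The injection GeoEdge describes arrives as URLs inside the VAST XML, so one defensive check is to enumerate every URL in an ad response and flag anything outside a vetted host list. The following is an added example, not code from the article or from GeoEdge; the allowlisted hosts and the sample VAST document are constructed assumptions.

```python
"""Added example: audit a VAST ad response for off-allowlist third-party URLs."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumption: hosts the publisher has vetted (hypothetical names).
ALLOWED_HOSTS = {"cdn.trusted-ads.example", "track.trusted-ads.example"}
SCRIPT_TYPES = {"application/javascript", "application/x-javascript", "text/javascript"}

# Constructed sample, not taken from any real campaign.
SAMPLE_VAST = """<VAST version="3.0"><Ad id="1"><InLine>
  <Impression><![CDATA[https://track.trusted-ads.example/imp]]></Impression>
  <Creatives><Creative><Linear><MediaFiles>
    <MediaFile type="video/mp4"><![CDATA[https://cdn.trusted-ads.example/ad.mp4]]></MediaFile>
    <MediaFile type="application/javascript" apiFramework="VPAID"><![CDATA[https://unvetted.example/unit.js]]></MediaFile>
  </MediaFiles></Linear></Creative></Creatives>
</InLine></Ad></VAST>"""


def audit_vast(xml_text, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of (severity, tag, url) findings for one VAST document."""
    # Refuse DTDs up front: ad XML has no need for them and they enable entity tricks.
    upper = xml_text.upper()
    if "<!DOCTYPE" in upper or "<!ENTITY" in upper:
        raise ValueError("DTD/entity declarations are not accepted in VAST input")
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        text = (elem.text or "").strip()
        if not text.lower().startswith(("http:", "https:", "//", "javascript:", "data:")):
            continue  # element does not carry a URL
        url = urlparse(text)
        host = (url.hostname or "").lower()
        loads_code = (elem.get("type", "").lower() in SCRIPT_TYPES
                      or elem.get("apiFramework", "").upper() == "VPAID"
                      or elem.tag == "VASTAdTagURI")  # wrapper pulls in another ad document
        if url.scheme.lower() in ("javascript", "data"):
            findings.append(("high", elem.tag, text))    # inline code, no host to vet
        elif host not in allowed_hosts:
            # Script or a wrapper from an unvetted host outranks a tracking pixel.
            findings.append(("high" if loads_code else "medium", elem.tag, text))
        elif url.scheme.lower() == "http":
            findings.append(("low", elem.tag, text))     # vetted host, but no TLS
    return findings


if __name__ == "__main__":
    for severity, tag, url in audit_vast(SAMPLE_VAST):
        print(f"{severity:6} <{tag}> {url}")
```

The allowlist only covers the first hop: a wrapper response or a loaded script can reference further hosts, so each fetched VAST document should go through the same audit.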

Flash Death?

The fact that HTML5 may not be as secure as first thought should prove to be sobering news for many. Flash has been criticised for years now for its security weaknesses.

Matters were not helped last December when Adobe Systems appeared to admit the demise of Flash: it acknowledged the inevitability of an HTML5 world and said it was now “encouraging” developers and content creators away from Flash, in order to use newer web standards.

But there remains a huge amount of Flash content out there, and therefore Adobe has to keep its Flash Player as stable and secure as possible going forward.

Adobe and Apple have clashed repeatedly over Flash. Steve Jobs publicly attacked it again in April 2010, which prompted a public spat with Adobe’s CEO, Shantanu Narayen.

The bad blood between Apple and Adobe continued for some time, not helped by an Adobe ad campaign that blasted Apple for its closed approach regarding developer licensing.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

View Comments

  • The big problem with JavaScript is that the 'so-called' experts on standard committees keep adding more and more features. The result: the attack area just keeps getting bigger.
    Sheer and utter stupidity!
