Google's announcement that Chrome will freeze non-essential Flash content on Web pages will give Internet users some respite from the ongoing threats posed by malicious Flash ads online.
The company announced that, starting Sept. 1, Chrome will detect non-essential Flash content, the bulk of which is online advertising, and block it from automatically running on websites. Essential Flash content, such as embedded video players, will remain unaffected.
Google claims the changes will improve Chrome's performance and speed the loading of Web pages. The company isn't saying anything about security, but after the past month of malicious online ads popping up on high-traffic sites such as Yahoo, eBay, and MSN, the timing is very convenient.
Adobe Flash is a popular target for attackers who exploit vulnerabilities in the technology to display malicious ads and other video content. Malvertising campaigns use the ads to redirect users to sites hosting exploit kits loaded with all manner of attacks. Criminals use Flash ads to target users across a wide array of websites without having to compromise the actual site the user is visiting.
For a while now, Google has been automatically converting Flash files uploaded to Google Display Network via AdWords and similar third-party tools to HTML5, but it continued to display ads that couldn't be converted. With the new deadline, Display Network advertisers will have to manually convert those ads to HTML5. Otherwise, Chrome users will just see a gray box when the ad attempts to display, as the browser will tag it as non-essential Flash content.
And if the ad is being served up by one of the many other advertising networks that don't convert Flash to HTML5, it will be blocked from running by default in Chrome. The only exceptions are for those users who manually configure Chrome to display all Flash content automatically. Users can also choose to play the frozen Flash content by clicking on the gray box and selecting the "Run this time" option.
Even if that gray box turns out to contain a malicious ad, Chrome users are protected so long as they don't click to play it manually.
The push to HTML5 ads is nothing new -- Google has been encouraging advertisers to switch away from Flash in favor of HTML5 for quite some time, and this move could nudge some of the laggards to finally make the change.
Of course, freezing Flash ads in Chrome doesn't actually solve the overall malvertising problem, as cyber criminals are good at switching tactics. When one attack vector becomes hard to use, they pivot to a new one, so there is no reason to expect cyber criminals won't start looking at new ways to compromise HTML5 ads or target other types of Flash content on the Web. Perhaps new social engineering tactics will trick users into running the frozen Flash content.