Saturday, November 28, 13:59

Browser programs continue to allow drive-by-downloads!

In 2020, many browsers still allow drive-by downloads from environments that are supposed to be secure, such as iframes with the sandbox attribute. For those unfamiliar with the term, a drive-by download is a file download that starts when a user visits a site, without any user interaction. The technique is used to distribute unwanted software and malware in the "hope" that users will accidentally download and run the file and become infected.

New research from the advertising security company Confiant shows that such environments, including sandboxed iframes, can be abused to trigger drive-by downloads when a site is visited. Since most ads are embedded in a website through an iframe, malicious advertisers can use them to deliver unwanted applications that infect users' computers.

In January 2020, visitors to the Boing Boing website began to see a fake Google Play Protect overlay that pushed users to download a malicious APK which installed the Anubis banking Trojan on Android devices. Windows users were shown a fake Adobe Flash installation page that distributed other malware. Although this was initially thought to be a malvertising campaign, it was later discovered that the Boing Boing CMS had been breached and a script had been injected that displayed these overlays to visitors. While investigating this attack, Confiant researcher Eliya Stein noticed that the drive-by download was started by JavaScript embedded in the page. The script created a link on the page and then clicked that link, without any user prompting, to start the download.

Although this attack turned out not to be malvertising, Stein wondered whether a similar attack could be launched through malicious ads delivered in sandboxed iframes. As mentioned above, most ads are integrated into a website through iframes with the sandbox attribute. Because ads are controlled by a third party, these iframes are normally given a sandbox attribute to increase security and limit what the third-party page can do. To find out whether the scenario described above would also cause an APK to be downloaded from a cross-origin sandboxed iframe, that is, an iframe loaded from a different host name, Stein built an experimental page and tested it in different browsers. When creating the sandboxed iframe, Stein used the restrictions commonly applied to ads: allow-forms allow-pointer-lock allow-popups-to-escape-sandbox allow-popups allow-same-origin allow-scripts allow-top-navigation-by-user-activation.

The good news is that, as of Chrome 83, downloads are blocked in cross-origin sandboxed iframes, so the drive-by download technique did not work. To allow downloads, a developer must add "allow-downloads" to the sandbox value. Microsoft Edge, which is based on Chromium 83, includes the same change and also blocked the drive-by download. Mozilla Firefox does not block downloads in cross-origin iframes and prompted the user to download the file. The Brave browser, which focuses on privacy and security, also failed to block the drive-by download. Safari's behaviour was odd: it tried to download the APK file but never finished. Mobile browsers were inconsistent in Stein's testing. Android browsers prompted users to download the file, with a warning that the APK file is dangerous, while other mobile browsers did not download the file at all.
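The following is an added example, not code from the article or from Confiant, showing how a site operator can build the sandbox attribute for a third-party ad slot so that the capability Chrome 83 now withholds by default (allow-downloads) is never granted, whatever token list an ad network asks for. The function names (parseSandbox, hardenAdSandbox, renderAdIframe) and the forbidden-token list are this example's own choices; the common ad token list is the one quoted in the article. It uses no DOM APIs, so it runs unchanged in Node.js or a browser.

```javascript
// Added example (not from the article or Confiant): hardening the sandbox attribute
// of a third-party ad iframe so that "allow-downloads" is never granted.

// The token list the article says ad networks commonly use on sandboxed ad iframes.
const COMMON_AD_SANDBOX =
  "allow-forms allow-pointer-lock allow-popups-to-escape-sandbox allow-popups " +
  "allow-same-origin allow-scripts allow-top-navigation-by-user-activation";

// Tokens an ad slot should never carry (this example's policy, an assumption):
// allow-downloads re-enables the downloads Chrome 83 blocks in cross-origin sandboxed
// frames; allow-top-navigation lets the frame redirect the whole page without a user gesture.
const FORBIDDEN_AD_TOKENS = new Set(["allow-downloads", "allow-top-navigation"]);

// Split a sandbox attribute value into a de-duplicated, lower-cased token list.
// The attribute is an unordered set of space-separated, ASCII case-insensitive tokens.
function parseSandbox(attr) {
  return [...new Set(attr.trim().toLowerCase().split(/\s+/).filter(Boolean))];
}

// Remove every forbidden token; report what was dropped so the decision can be logged.
function hardenAdSandbox(attr) {
  const kept = [];
  const dropped = [];
  for (const token of parseSandbox(attr)) {
    (FORBIDDEN_AD_TOKENS.has(token) ? dropped : kept).push(token);
  }
  return { sandbox: kept.join(" "), dropped };
}

// Minimal HTML attribute escaping so an attacker-influenced src cannot break out of the attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Produce the <iframe> markup for an ad slot. The ad must be served from a different origin
// than the page: with a same-origin document, allow-scripts together with allow-same-origin
// lets the framed page remove its own sandbox attribute, which defeats the whole mechanism.
function renderAdIframe(src, attr = COMMON_AD_SANDBOX) {
  const { sandbox } = hardenAdSandbox(attr);
  return `<iframe src="${escapeAttr(src)}" sandbox="${escapeAttr(sandbox)}"></iframe>`;
}

// Demonstration on a constructed token list that an ad network might request.
const requested = COMMON_AD_SANDBOX + " allow-downloads";
console.log(hardenAdSandbox(requested).dropped); // constructed input: drops "allow-downloads"
console.log(renderAdIframe("https://ads.example/slot", requested));
```

Note that hardening the attribute on the embedding side only helps in browsers that honour it; the article's results show that Firefox, Brave and several mobile browsers at the time of writing still allowed the download regardless of the sandbox value, so this is a defence in depth, not a substitute for vetting ad creatives.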

Allowing scripts to start downloads from what is expected to be a secure environment is therefore a real problem, because it lets malware be distributed through malicious ads. While Chrome 83 and Microsoft Edge 83 both block downloads in sandboxed iframes, Brave and Firefox still allow them. In a Mozilla bug report, Firefox developers have already finished the code to block downloads in sandboxed iframes and will ship it in the browser soon. Whether Brave, Safari and the affected mobile browsers will fix the problem in the future is not yet known.
