Google plans to end drive-by-downloads threat
Google plans to integrate a new security feature in the company's Chrome browser soon that it hopes will protect Chrome users from drive-by-downloads.
The main characteristic of drive-by-downloads is that they happen without user interaction, and Google plans to block downloads that met the companies definition of unintended downloads. Google plans to implement the functionality for Chrome on all supported operating systems except for Apple's iOS operating system.
Drive-by-downloads are used in numerous attacks, e.g. malvertising campaigns or pushing malicious payloads to a user's system.
Tip: You may want to set downloads to manual in Chrome and other browsers to avoid any issues. Chrome downloads files automatically (without asking for location), and that led to a situation on Windows systems in 2017 where .scf files were downloaded to machines (and processed by Windows when the user opened the download directory).
Downloads are initiated through a number of different methods; most, e.g. clicking on download links or right-clicking on download links and selecting save options, require user interaction.
According to the design document "Preventing Drive-By-Downloads in Sandboxed Iframes" -- access it here -- downloads will fail in Chrome automatically if they meet the following conditions:
- The download is initiated without user interaction. Google notes that there are only two types of downloads that fall into the category.
- This happens in a sandboxed iframe.
- The frame does not have a transient user gesture at the moment of the click or navigation
Google notes that about 0.002% of page loads are affected by the change. The company acknowledges that there are legitimate use cases for using the functionality and notes that the "percentage of breakage is small" and that legitimate publishers have an option to bypass the blocking.
Google's implementation targets malvertising, advertising campaigns used to spread malicious downloads, first and foremost.
Interested users can check out the official bug on the Chromium website to follow development. It is interesting to note that the bug was published in 2015. It is unclear when the feature will become available but it seems likely that it will be introduced this year.
Now You: What is your take on the feature? (via Fossbytes)Advertisement