Google plans to end drive-by-downloads threat
Google plans to integrate a new security feature in the company's Chrome browser soon that it hopes will protect Chrome users from drive-by-downloads.
The main characteristic of drive-by-downloads is that they happen without user interaction, and Google plans to block downloads that meet the company's definition of unintended downloads. Google plans to implement the functionality for Chrome on all supported operating systems except for Apple's iOS operating system.
Drive-by-downloads are used in numerous attacks, e.g. malvertising campaigns or pushing malicious payloads to a user's system.
Tip: You may want to set downloads to manual in Chrome and other browsers to avoid any issues. Chrome downloads files automatically (without asking for location), and that led to a situation on Windows systems in 2017 where .scf files were downloaded to machines (and processed by Windows when the user opened the download directory).
Downloads are initiated through a number of different methods; most, e.g. clicking on download links or right-clicking on download links and selecting save options, require user interaction.
According to the design document "Preventing Drive-By-Downloads in Sandboxed Iframes", downloads will fail in Chrome automatically if they meet the following conditions:
- The download is initiated without user interaction. Google notes that there are only two types of downloads that fall into the category.
- This happens in a sandboxed iframe.
- The frame does not have a transient user gesture at the moment of the click or navigation.
Google notes that about 0.002% of page loads are affected by the change. The company acknowledges that there are legitimate use cases for using the functionality and notes that the "percentage of breakage is small" and that legitimate publishers have an option to bypass the blocking.
Google's implementation targets malvertising, advertising campaigns used to spread malicious downloads, first and foremost.
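To make the three conditions concrete, here is an added example (not code from the article or from Chromium) that models the blocking rule as a small policy function: a download is blocked only when it originates in a sandboxed iframe, the frame has no transient user activation, and the publisher has not opted in. The `allow-downloads` sandbox token is the opt-in that later became part of the HTML standard; it is not named in the design document quoted above, so its handling here is an assumption.

```javascript
// Added example: models the rule from the design document. It is NOT
// Chromium code; Chrome's real decision lives inside the browser process.

// Parse an iframe's sandbox attribute into its set of allow-* tokens.
// null means the iframe carries no sandbox attribute at all (unsandboxed).
function parseSandbox(attr) {
  if (attr === null || attr === undefined) return null;
  return new Set(attr.toLowerCase().split(/\s+/).filter(Boolean));
}

// Decide whether a download attempt would be blocked:
//   blocked <=> the download comes from a sandboxed iframe
//            && the frame has no transient user activation
//            && the sandbox does not opt in via allow-downloads (assumption)
// ctx = { sandbox: string|null, transientActivation: boolean }
function downloadDecision(ctx) {
  const tokens = parseSandbox(ctx.sandbox);
  if (tokens === null) {
    return { blocked: false, reason: "not in a sandboxed iframe" };
  }
  if (ctx.transientActivation) {
    return { blocked: false, reason: "transient user activation present" };
  }
  if (tokens.has("allow-downloads")) {
    return { blocked: false, reason: "publisher opted in via allow-downloads" };
  }
  return { blocked: true, reason: "automatic download from a sandboxed iframe" };
}

// Constructed cases mirroring the scenarios the article describes.
const CASES = [
  { name: "top-level page auto-download", sandbox: null, transientActivation: false },
  { name: "sandboxed ad iframe auto-download", sandbox: "allow-scripts allow-same-origin", transientActivation: false },
  { name: "sandboxed ad iframe, user clicked", sandbox: "allow-scripts", transientActivation: true },
  { name: "sandboxed iframe with publisher opt-in", sandbox: "allow-scripts allow-downloads", transientActivation: false },
];

function evaluateCases() {
  return CASES.map((c) => ({ name: c.name, ...downloadDecision(c) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of evaluateCases()) {
    console.log(`${r.blocked ? "BLOCK" : "ALLOW"}  ${r.name}: ${r.reason}`);
  }
}
```

Only the second constructed case, the script-initiated download from a sandboxed ad slot, is blocked; that is the malvertising pattern the feature targets.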
Interested users can check out the official bug on the Chromium website to follow development. It is interesting to note that the bug was published in 2015. It is unclear when the feature will become available but it seems likely that it will be introduced this year.
Now You: What is your take on the feature? (via Fossbytes)
@LTL Thank you for the link.
I wonder if everything he writes is SO clueless.
I'm just about Bill Gates' age & he has been
a dishonest money grubber since forever.
Microsoft’s practices have bordered on illegal since its inception.
Kari Finn’s idiotic un-awareness of this is ridiculous.
Although I am quite cautious about MS’s (or Crookle’s) telemetry myself, I read this very refreshing view on the matter by Kari Finn:
https://win10.guru/windows-10-telemetry-and-groundless-paranoia/
Pff. That’s nothing compared to one-click-no-confirmation-youve-just-subscribed-to-a-paid-scamservice situation on the phones!
https://www.theregister.co.uk/2015/08/11/direct_to_bill_mobile_payment_scam/
((laughin)) Mr Martin when I saw the title of this thread, I thought you were talkin about them little Googler clown cars that run around takin pictures n’ stealin data
Martin, you wrote “Chrome downloads files automatically (without asking for location), and that led to a situation on Windows systems in 2017 where .scf files were downloaded to machines (and processed by Windows when the user opened the download directory).”
Did something change during or after 2017 to fix this, or is it still an issue? If something changed, what was it?
Does this issue affect Firefox in any way? Or is this specific to Google’s Chrome?
“0.002% of page loads…” Riiiiiight.
Borrowing from ilev, MS is by far the worst offender. Can’t remember when anything downloaded without user interaction besides those onerous, highly destructive Windows Updates.
“Google”…….. “acknowledges that there are legitimate use cases for using the functionality ”
WTF. ?!?!?!
…..when & where is there a legitimate reason to be Sneaking something onto someone's computer..?!?!?!?!?
I definitely want to look into it.
As I'm such a noob I can't use the Ghacks.js file.
I have No idea how. I'm too incompetent to. LoL
Those remaining on outdated OS’s and older-style browsers are only fooling themselves.
@@@Windows 10 is by far the best operating system available today.@@@
I replaced the HD so I can sell it with Windows later…..*shrug*
probably a mistake….I’m fairly certain I could use this as is in 5-10 years….
When Firefox warns me of a malicious site I go there just as a big F.U. to them…LoL
But I’m using CloudFlare 1.1.1.1. I’m too incompetent to understand.
I'm by Nature lazy…I don't want to fiddle with my Computer.
I want to turn it on & GO go go…
So, if I praise a distro it's easy & it worked great for me.
I hope you enjoy your newfound freedom & security.
I value my privacy A LOT more than any passworded security.<<>>>>
I use weak passwords because nothing I do on-line is risky for me.
Or truly important.
I don't use sync for my browsers…..
If I want to pass info from comp to comp I email it, Or put it on a USB.
I do on-line is risky for me. Or truly important.
When I email myself my passwords from comp to comp, that’s HIGH security, don’t you think?!?
All faked passwords & logins. Let them THINK they got something.
So all those high security tech “experts” are maybe just missing the point, no?
I have a UEFI Win8 comp with a nasty UEFI virus….I blame Microsoft
BIOS was pretty safe until They got involved.
Maybe I'm too incompetent to. LoL
Sorry about the above comment, that's something I posted a long time ago
On a different topic.
Dunno how it got here LoL
I thought you were a Linux enthusiast?
There isn’t. It’s marketing excuses for not having this nonsense fixed since day one. And this is not only about Chrome, I hope other browsers do the same.
Big deal. Google is the drive-by!
They really suck.
But the sheep fall for them Bha, Bah.
My 2 cents. I know what Google is. But at the same time it’s the only one that gives me 15 GB for free. So I know exactly what I have signed for. Even MEGA has downgraded their cloud service to 15 GB, Amazon to 5 GB, Microsoft to 5 GB, Dropbox to 2 GB. Let me know about a service which gives so many free GB and has good upload and download speeds with no caps like MEGA and I will stop using Google. Until then I have no problem if they spy on me. Until then I like being a sheep, Bha, Bah.
@Bha, Bah
Maybe you should check pCloud: they offer 10GB for free and up to 20GB through referrals. It works on web browser and all major OS.
Regardless of what service provider you choose you should consider using Cryptomator to encrypt your files locally before uploading them to the cloud.
Thank you thebrowser for the suggestion. I have tried pCloud. pCloud recently changed the way it does business. Where once you got 10GB of free storage plus one gig for every friend you referred to the service, you now get 2GB straight out the gate and have to earn the other 8GB. It’s very difficult now to have multiple 10GB accounts. Initially only 2GB is free, the other 8GB needs to be unlocked. Whatever I try I always go back to Google like a sheep….
True that, I didn’t realize it worked that way although it doesn’t seem to be such a big deal, all you have to do is verify your email address, upload your first file, download their desktop client, download their app, turn on backups…
These are all pretty normal and expected things to do, it will take you less than 5 minutes, and most of them can be deactivated/uninstalled later once you unlock the extra space. To be honest it took me longer to write this comment than to sign up for a dummy account. Not sure why you’d find it difficult to use at all.
And if you do need several accounts because you have so much data you should probably get a paid account (regardless of the service provider). I mean, free stuff is nice and all, but you’d get much more space and plenty of benefits, and none of the inconveniences and space limitations (especially if you really do have so much data to back up and which you need to keep track of throughout multiple accounts).
Anyway, my advice to use Cryptomator regardless of what you choose to do with your data still stands.
Yes, I agree. I need around 300 GB, I have 10 Google accounts, I will try pCloud again, but it’s not that easy to do all these to 20 pCloud accounts, and it’s a nightmare to handle my files in 20 accounts. Yes, I encrypt my data with rclone in Google Drive. The good thing about pCloud is that it has a one-time purchase option. I am not going to pay every month for 300 GB. But pCloud's one-time purchase option is not a bad option. I will try pCloud again.
Google is the drive-by, so true. On how many computers was Chrome installed by bundling with some other ethically-challenged software?
The paradox of current times is that software that markets itself as secure and protecting us from malware is often the worst threat itself when measuring it by damage done times number of installs.
Wish they could block Microsoft’s automatic updates :-)
Look how much data Win 10 sends to Microsoft nearly continuously. Every time you use ANY Microsoft app or service you are being tracked. https://hackmag.com/security/what-data-windows-10-sends-to-microsoft-and-how-to-make-it-stop/