Google plans to improve Chrome's drive-by-download protection
Google plans to introduce a new protective feature in the company's Chrome web browser that blocks automatic downloads in ad frames.
File downloads are usually initiated by users. Users may click on links to download files, use drag and drop (from the browser to the desktop), or use the right-click context menu to download files.
Google notes that there are not many legitimate use cases for ad initiated downloads.
Download doesn't make much sense with ads. It happens very rarely in practice and is also difficult to reproduce, which implies that a very small amount of ads are doing automatic downloads. Blocking download in ad frames without user gesture will make the web less abusive and more secure.
Some downloads are initiated automatically in Chrome.
Tip: it is a good idea to block automatic downloads in Chrome.
Google identified two cases of automatic downloads that it considers problematic when they originate from an ad frame:
- Simulated activation of download links.
- Navigation-triggered downloads.
Google engineers plan to block these types of automatic downloads in future versions of Google Chrome. The feature will land in all versions of Google Chrome except the iOS version, as it is based on another architecture.
Downloads will be blocked if the automatic download originated from an ad frame. Chromium's ad detection system, AdTagging, identifies ad frames automatically and Chrome will base the blocking decision on that.
The change won't disallow all automatic downloads that originate from ad frames though. Downloads are allowed if Chrome recognizes user interaction with the element.
Downloads in an ad frame without user gesture account for 0.00001% of page loads, according to metrics that Google collected. The company expects that there won't be major breakage because of the low usage number and the fact that a sample of top URLs did not make use of the feature at all.
Automatic downloads that originate from ad frames without user interaction will be blocked automatically and users won't receive a notification about that.
The move closes one method of attacking user systems with drive-by-downloads. Drive-by-downloads push malicious files to user systems without user interaction, using automated download functions.
Google has not set a date for the inclusion in the Chrome web browser. The tracking bug is protected at the time of writing.
Chrome is the best choice for general browser purposes, the safest browser ever imho. Last year browsing with Firefox and Chrome, four big malware problems with Firefox, none with Chrome.
@John G: “the safest browser ever imho”
I think reasonable people can disagree about that generally.
However, some of it depends on what you consider “safe”. I don’t consider any application that spies on me to be “safe”.
Ungoogled Chromium is an acceptably safe/secure fork of the Chromium code base that manages to remove EVERY trace of communication with Google while retaining every feature (sans any that are for Telemetry/phone-home/fingerprinting) of the Chrome browser, like all A/V codecs, Widevine for EME, etc. Added code patches in the form of flags for anti-fingerprinting, anti-JS, always HTTPS serve to make it far more secure/private than any standard Chromium fork.
Being a Firefox primary user, Ungoogled is the only Chromium based browser that I feel comfortable using as a fallback for FF. As such, I welcome additions such as this anti-drive-by-dl feature happily!