HTML 5 is just as rubbish as Flash

flash_superhero_running-t2Rather than saving the world from the security nightmare which is Flash, HTML 5 might be drawing us into a bigger load of hurt, according to the latest security report.

Since Steve Jobs blamed Flash for breaking his perfect operating system, the world has been a little hard on Flash. It has been gradually downgrading it and replacing it with HTML 5.

However according to GeoEdge, an ad scanning vendor, Flash has been wrongly accused as the root cause of today’s malvertising campaigns, and switching to HTML5 ads won’t safeguard users from attacks.

The problems are in the platforms and advertising standards themselves and not Flash.

For many years, Adobe has been slow to patch vulnerablities but things changed recently after browser vendors threatened to have the plugin disabled for most of their users. But this has come too late.

But according to GeoEdge Malvertisers don’t care if ad is Flash or HTML5 they rely on standards used to build the advertising network’s infrastructure, regardless if they deliver static or video ads.

Video ads, the primary root of malvertising use the VAST and VPAID advertising standards. If the ad is Flash or HTML5, there are critical points in this ad delivery path where ad creators can alter the ad via JavaScript injections.

These same critical points are also there so advertisers or ad networks can feed JavaScript code that fingerprints and tracks users.