Chrome 74 will start blocking drive-by-downloads, thwarts malvertizing

  • Liam Tung (CSO Online)
  • 14 February, 2019 07:26

Google is moving ahead with plans to block drive-by-downloads from a website iframe, addressing a key method used to stealthily install malware on computers when visiting websites.

The move means Chrome users will soon no longer face the prospect of visiting a site where an unseen iframe in an ad loads malware from another site and infects their computer without the user taking any action.

The current beta of Chrome version 73, released last week, deprecates the ability to automatically download files from an iframe without user interaction.

The feature will be removed entirely in Chrome 74, which is scheduled for stable release around April 23.     

“Chrome will prevent downloads in sandboxed iframes that lack a user gesture, though this restriction could be lifted via an 'allow-downloads-without-user-activation' keyword in the sandbox attribute list. This allows content providers to restrict malicious or abusive downloads,” Google notes on the Chrome platform status page for the feature. 
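The sandbox behaviour quoted above can be checked in a site's own markup. The following is an added example, not code from Google or from the original article: a Python audit that classifies every iframe in a page by whether its sandbox attribute is present and whether it carries the keyword that lifts the restriction. The sample HTML, its hostnames and the three status labels are constructed for illustration.

```python
from html.parser import HTMLParser

# Keyword as quoted from the Chrome platform status page in the article.
LIFT_TOKEN = "allow-downloads-without-user-activation"

# Constructed sample markup (hostnames are placeholders).
SAMPLE = """
<iframe src="https://ads.example/slot1" sandbox="allow-scripts"></iframe>
<iframe src="https://ads.example/slot2"
        sandbox="allow-scripts Allow-Downloads-Without-User-Activation"></iframe>
<iframe src="https://ads.example/slot3" sandbox></iframe>
<iframe src="https://widgets.example/embed"></iframe>
"""


class IframeAudit(HTMLParser):
    """Record (src, status) for each <iframe> found in the document."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attr = {}
        for name, value in attrs:
            attr.setdefault(name, value)  # browsers keep the first duplicate
        if "sandbox" not in attr:
            status = "unsandboxed"  # outside the sandboxed-iframe rule
        else:
            # Space-separated, case-insensitive tokens; bare `sandbox` is None.
            tokens = (attr["sandbox"] or "").lower().split()
            status = ("restriction-lifted" if LIFT_TOKEN in tokens
                      else "gesture-required")
        self.findings.append((attr.get("src", ""), status))


def audit(html):
    """Return a list of (src, status) tuples for all iframes in `html`."""
    parser = IframeAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for src, status in audit(SAMPLE):
        print(f"{status:20} {src}")
```

Frames reported as `restriction-lifted` or `unsandboxed` are the ones to review when embedding third-party content such as ads.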

The idea to block these downloads has been bandied about since a 2013 proposal but went nowhere until it was reviewed again in 2017, after being raised by a Googler involved in web standards. 

Yao Xiao, the Chromium project developer who eventually took ownership of the feature's deprecation, outlined the intent of the block in a document titled “Preventing Drive-By-Downloads in Sandboxed Iframes”, as per a BleepingComputer story in January.   

“Downloads can bring security vulnerabilities to a system,” Chromium’s Yao explains, also noting that users would generally appreciate Chrome blocking downloads that start just by landing on a page.

“Even though additional security checks are done in Chrome and the operating system, we feel blocking downloads in sandboxed iframes also fits the general thought behind the sandbox,” wrote Yao. 

“Apart from security concerns, it would be a more pleasant user experience for a click to trigger a download on the same page, compared with downloads started automatically when landing at a new page, or started non-spontaneously after the click.”

Drive-by-download web attacks haven't disappeared, but the technique was particularly popular among exploit kits, which relied heavily on bugs in Internet Explorer and Adobe Flash Player to compromise systems. Exploit kits, however, have become a less prevalent threat in the past two to three years, a trend that coincided with the rise of stealthy cryptocurrency miners.