Chrome 74 will start blocking drive-by-downloads, thwarts malvertizing

Google is moving ahead with plans to block drive-by-downloads from a website iframe, addressing a key method used to stealthily install malware on computers when visiting websites.

The move means Chrome users should soon no longer face the prospect of visiting a site where an unseen iframe in an ad loads malware from another site and infects the computer without the user taking any action.

The current beta of Chrome version 73, released last week, deprecates the ability for files to download automatically from an iframe without user interaction.

The feature will be removed entirely in Chrome 74, which is scheduled for stable release around April 23.     

“Chrome will prevent downloads in sandboxed iframes that lack a user gesture, though this restriction could be lifted via an 'allow-downloads-without-user-activation' keyword in the sandbox attribute list. This allows content providers to restrict malicious or abusive downloads,” Google notes on the Chrome platform status page for the feature. 
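The sandbox behaviour quoted above can be checked during a review of page or ad markup. The following is an added example, not code from Google or from this article: it classifies each iframe by whether the restriction applies and whether the keyword lifts it. The sample markup and hostnames are constructed, and the regex-based tag scan is a simplification suited to static markup.

```javascript
// Keyword named on the Chrome platform status page quoted above.
const LIFT_KEYWORD = 'allow-downloads-without-user-activation';

// Return an attribute's value from a start tag: null if absent,
// '' if present without a value (e.g. <iframe sandbox>).
function getAttr(tag, name) {
  const re = new RegExp(
    `\\s${name}(?:\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s"'>]+)))?(?=[\\s/>])`, 'i');
  const m = re.exec(tag);
  if (!m) return null;
  return m[1] ?? m[2] ?? m[3] ?? '';
}

// Classify one <iframe ...> start tag against the restriction.
function classifyIframe(tag) {
  const sandbox = getAttr(tag, 'sandbox');
  // No sandbox attribute: the sandboxed-iframe restriction does not apply.
  if (sandbox === null) return 'unsandboxed';
  // Sandbox keywords are whitespace-separated and ASCII case-insensitive.
  const tokens = sandbox.toLowerCase().split(/\s+/).filter(Boolean);
  return tokens.includes(LIFT_KEYWORD)
    ? 'restriction-lifted'             // gesture-less downloads allowed again
    : 'gestureless-downloads-blocked'; // download needs a user gesture
}

// Scan markup and report every iframe with its verdict.
function auditIframes(html) {
  const tags = html.match(/<iframe\b[^>]*>/gi) || [];
  return tags.map(tag => ({ src: getAttr(tag, 'src'), verdict: classifyIframe(tag) }));
}

// Constructed sample markup (hypothetical hosts), one iframe per case.
const SAMPLE_HTML = `
<iframe src="https://ads.example/slot1" sandbox="allow-scripts"></iframe>
<iframe src="https://ads.example/slot2"
        sandbox="allow-scripts Allow-Downloads-Without-User-Activation"></iframe>
<iframe src="https://cdn.example/widget" sandbox></iframe>
<iframe src="https://partner.example/embed"></iframe>`;

for (const { src, verdict } of auditIframes(SAMPLE_HTML)) {
  console.log(`${verdict.padEnd(30)} ${src}`);
}
```

Frames reported as `restriction-lifted` are the ones to question in review, since the embedding page has explicitly opted them back into downloads without a user gesture.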

The idea to block these downloads has been bandied about since a 2013 proposal but went nowhere until it was reviewed again in 2017, after being raised by a Googler involved in web standards. 

Yao Xiao, the Chromium project developer who eventually took ownership of the feature's deprecation, outlined the intent of the block in a document titled “Preventing Drive-By-Downloads in Sandboxed Iframes”, as per a BleepingComputer story in January.   

“Downloads can bring security vulnerabilities to a system,” Chromium’s Yao explains, also noting that users would generally appreciate Chrome blocking downloads that start just by landing on a page.

“Even though additional security checks are done in Chrome and the operating system, we feel blocking downloads in sandboxed iframes also fits the general thought behind the sandbox,” wrote Yao. 

“Apart from security concerns, it would be a more pleasant user experience for a click to trigger a download on the same page, compared with downloads started automatically when landing at a new page, or started non-spontaneously after the click.”

Drive-by-download web attacks haven't disappeared, but the technique was particularly popular among exploit kits, which relied heavily on bugs in Internet Explorer and Adobe Flash Player to compromise systems. Exploit kits, however, have become a less prevalent threat in the past two to three years, a trend that coincided with the rise of stealthy cryptocurrency miners.
