[zwetan]

and again Flash is the scapegoat

"By converting unsafe flash-based ads to safe HTML5 ads, they lower the risk of infection from a hostile ad." is laughable at best

An Ad Network is one of the fastest way to deliver a payload to a lot of users

Don't fool yourself, Operating Systems, Browsers and HTML5/JS also have a hell lot of CVE that can be exploited

It's funny how a company like Google making Billions from ads, having ton of smart engineers, have never figured out during the last decade how to "scan ads for malware".

It's not like anyone can upload an ad to those big network, or that they don't QA the ads before delivering them ...

Imagine this unlikely scenario: malware delivered by HTML5/JS

I guess we'll all have to run for the hills if that happen

[hackerfactor]

"and again Flash is the scapegoat"

Truth hurts? Adobe Flash and Microsoft Silverlight are common exploit paths because they have new critical exploits every few days. Here's the CVE list for Flash -- notice how many critical exploits there are? It averages to about 1 every 3 days. https://www.cvedetails.com/vulnerability-list/vendor_id-53/p...

In contrast, JavaScript itself has been pretty stable for years. I think the last vulnerability related to JavaScript ES5 impacted old Firefox browsers. http://www.cvedetails.com/cve/CVE-2015-4516/ https://www.cvedetails.com/vulnerability-list/vendor_id-452/... (Two JavaScript exploits for Firefox in 2015, both low risk.)

And HTML5? Extremely stable. There may be specific plugins or specific browsers that are vulnerable, but the underlying HTML5 specifications are very safe and have been safe for years. https://www.cvedetails.com/google-search-results.php?q=html5...

If you know otherwise, then please cite the specific CVEs. Otherwise, you're just spreading false information. You wrote, "Browsers and HTML5/JS also have a hell lot of CVE that can be exploited". I say: Prove it. Cite your sources.

Edit: Adding links to Firefox exploit CVEs.

[zwetan]

OK, remember you asked for it

"If you know otherwise, then please cite the specific CVEs. Otherwise, you're just spreading false information"

man, you are so full of it

want proof ? no problemo

1. CVE are organised by vendors and products

HTML and JS does not show as products, only browsers

see http://www.cvedetails.com/top-50-products.php

look #3 Firefox, #4 Chrome, #8 IE

that explains why you will never see a specific HTML and/or JS CVE, that does not mean they don't exists.

Also in term of volume, browsers have more CVE than Flash, it's all here in the numbers: Firefox 1320, Chrome 1216, but no let's ignore them and focus on Flash 713 CVE.

Just that it make your whole argument biased, the part "JavaScript itself has been pretty stable for years" is ridiculous, search for JS blackhole exploit, Rowhammer.js exploit, Heap Overflow exploit in JS, etc. you don't see them in CVE but they are here and exploitable.

It's better to think than JS is secure looking at that http://www.cvedetails.com/vendor/10288/Javascript.html

yeah no exploit in JS, none, we are all safe LOL

this for example http://www.cvedetails.com/cve/CVE-2015-0817/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817 https://www.mozilla.org/en-US/security/advisories/mfsa2015-2...

you don't see it show up under the tag "JavaScript"

2. Number of CVE listed do no equals CVE exploited in the wild

so you say "It averages to about 1 every 3 days", that's completely false

1 vendor patch for a particular product can close numerous CVE at the same time so it's more like "we squashed 50 CVE in 1 day"

look at http://www.cvedetails.com/cve/CVE-2015-8449/

follow up on https://helpx.adobe.com/security/products/flash-player/apsb1...

that's 1 patch, it does not indicate 1 CVE every 3 days, look at the details

"These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-8050, ..." that's more than 50 CVE of the same type patched and closed at the same time

Also look the "Acknowledgments", numerous security team reported all those CVE for them to be patched, there is no indications they were exploited in the wild.

Saying such things as "oh 30 CVE discovered in 1 month, so that means there were 1 CVE per day" is totally misleading, even more misleading to assume all those CVE were exploited by default (eg. "could lead to").

At best it indicates that they (Adobe and other security team) are more serious about discovering and patching those CVE and so they close more of them more often.

[aikah]

> It's funny how a company like Google making Billions from ads, having ton of smart engineers, have never figured out during the last decade how to "scan ads for malware".

Google claims they are doing just that :

https://googleblog.blogspot.fr/2016/01/better-ads-report.htm...

Now when did they start doing it is also a relevant question.