Google Chrome to add drive-by-download protection

Chrome to block automatic downloads initiated from sandboxed iframes -- the technology usually used to load ads.
Written by Catalin Cimpanu, Contributor

Google engineers have started working on adding drive-by download protection in Chromium, the open-source browser engine that Chrome is based on.

The feature is already active in the current Chrome Canary edition and is scheduled to land in the stable version, in Chrome 73, scheduled for release this spring.

For ZDNet's non-technical users, "drive-by download" is a term used in the information security (infosec) industry to describe a download that happens without the user's knowledge.

Not all drive-by downloads are considered malicious, as some URLs are meant to trigger a file download when accessed.

However, when a download is triggered on a web page from an iframe element hidden in its code, those types of downloads are almost always malicious in nature.

These usually happen when iframe elements showing ads contain malicious code that trigger the drive-by download, or when users access a hacked site where hackers left a hidden iframe to infect visiting users.

"We plan to prevent downloads in sandboxed iframes that lack a user gesture, and this restriction could be lifted via an 'allow-downloads-without-user-activation' keyword, if present in the sandbox attribute list," Google said in a public document containing its feature implementation plan that it released earlier this week.

Google intends to add drive-by download protection to all Chrome versions, except the one that ships for iOS, which isn't based on the Chromium engine, but on WebKit (Safari's engine), where this type of protection isn't yet supported.

Browsers like Internet Explorer and Firefox have been blocking some types of drive-by downloads for years, since at least 2015, but none block automatic downloads from sandboxed iframes.

Because this is a pretty useful security feature, other browsers based on Chromium --such as Opera, Vivaldi, Brave, and soon Microsoft Edge-- are also expected to deploy it as well.

In the long run, this feature is expected to thwart quite a few malvertising campaigns --criminal groups that hide malicious code inside ads to drop malware-laced files on users' computers.

The feature isn't expected to stop drive-by download attacks part of "watering hole attacks," a term used to describe when hackers compromise a website and leave a hidden iframe behind to trigger the drive-by download. This is because hackers already have access to a compromised site's source code, and they can just use the iframe attribute that Google engineers plan to add to instruct Chrome to disable the drive-by download protection when rendering those iframes.

Roughly 0.002117 percent of all pages loaded in Chrome trigger a drive-by download, according to Chrome statistics [1, 2].

All the Chromium-based browsers

Editorial standards