As its star rises, HTML5 security called into question

December 4, 2011

Any computer can be hacked, it’s simply a matter of time, motivation and, increasingly less, skill. If you want to exploit Adobe Flash, the source of much hacker inspiration, there are ready made exploit kits available for download. With Apple, Microsoft, Google, Facebook and, yes, even Adobe turning to HTML5, the question of security comes to mind.

BBC is running a lengthy bit that quotes Sophos director of technology strategy James Lyne — he sounds good casting carefully directed doubt on HTML5, which pretty much everyone agrees is the future of multimedia on the web.

“This is potentially going to be quite painful,” said Lyne. “It is more than a web language. Much more data can be stored in the browser which means that criminals can now attack the browser to steal data.”

Although it isn’t mentioned whether or not hackers are already tapping into that data — HTML5 adoption, implementation and use is still spotty — Lyne thinks this stuff is ripening for exploitation. Part of the problem is that HTML5, especially as regards security, remains undefined.

Specifically, HTML5 is designed to leverage GPS, which makes Google Maps on your Android or iPhone useful. However, because security and permissions are not fleshed out in HTML5, hackers are looking at both vulnerability and hundreds of millions of potential targets.

Hackers are evil, hackers are cool

“We have moved from a situation where we were playing a game of draughts with a slightly drunk opponent to a skilled chess player who knows all the tricks we know,” said Sophos’ Lyne.

Here he’s referencing in part the fact that he found 27 exploit kits available on the public internet just by performing a simple search — try, for example, searching for “Adobe Flash exploit kit” and you will find tools.

Similarly, if you search for “HTML5 exploit kit,” with a modicum of additional digging, you will find that hackers can create (Trend Micro) “botnets in the browser” by leveraging HTML5 — any device, any operating system. Brilliant.

Clearly, before the entire internet leaps from the fire (a.k.a. Flash) into the frying pan, much work needs to be done…

What’s your take?

Be Sociable, Share!

2 Responses to “As its star rises, HTML5 security called into question”

  1. Hongwen Zhang:

    I enjoyed the read Ronald! HTML5 stores more information within the web browser and can create more room for security breaches. The move to HTML5 can provide many benefits to an organization. It’s just as important for organizations to adopt a strong security solution capable of Deep Content Inspection (DCI). Our company, Wedge Networks, is the first in the industry to support, detect and mitigate against malware found in HTML5 specific content. Here’s a recent announcement we made on this subject:

  2. Janay Crother:

    WOW just what I was looking for. Came here by searching for %keyword%|

Leave a Reply:

Recent stories

Featured stories

RSS Windows news

RSS Mac news

RSS iPad news

RSS iPhone & Touch

RSS Mobile technology news

RSS Tablet computer news

RSS Buying guides

RSS PS3/Wii/Xbox 360

RSS Green technology

RSS Photography

Featured Content


Copyright © 2014 NS