Microsoft mandates browser-extension defence to malvertising
Ads writers must shape up by March 2016
Microsoft is placing the onus on browser-based security architectures to shield users from malware-laden ads.
From March 2016, programs that create ads in browsers and that are served from the Microsoft network will have to use the browsers’ supported extensions to operate.
Those building ads must therefore be sure their software is capable of running, being stopped and removed using each browser’s designated extensions.
Programs that don’t use this new approach will be detected and removed from Microsoft’s network.
“We encourage developers in the ecosystem to comply with the new criteria. We are providing an ample notification period for them to work with us as they fix their programs to become compliant,” Microsoft said in a blog post.
The new policy has been designed to thwart man-in-the-middle malware attacks and ad injection.
Microsoft unveiled plans for the new adware policy in April 2014.
Adware and other programs that don’t run via extensions in theory won’t work; those that do will, in theory, inform the user when they are present. It’ll then be down to the browser’s user to OK the program.
Before the change, adware could keep running after an alert from Microsoft’s security software if the user ignored the warning and took no action.
Microsoft said Tuesday: “Now, when one of our products detects adware it will immediately stop the program and the user will be notified. The user then then [sic] has the ability to restore the program if they wish.” ®