It looks like Google is finally adding “drive-by” download protection to Chrome 73, the next version of its browser. Due for release in either March or April of this year, possibly along with the controversial adblock changes, Chrome will no longer allow hidden iframes to activate and potentially download files directly to your PC without user consent.
Although this security feature has been offered in Mozilla’s Firefox and Microsoft’s Edge browsers since at least 2015, it’ll be another feather in Chrome’s market-leading cap for sure.
As ZDNet reports, Google says that roughly 0.002117% of web pages accessible through Chrome are infected with drive-by downloads, potentially installing malware and other malicious programs onto unsuspecting users’ systems. Although that is seemingly a minute percentage, if you consider that there are an estimated 1.952 billion websites currently out there, that equates to 41,327 separate compromised domains, at least at the time of writing.
Although this change no doubt comes as a relief to many, it’s worth noting that if malicious entities still have access to the compromised site, all they need to do is add the iframe attribute to the source code once more and instruct Chrome to disable the drive-by protection for those iframes.
This protection should be coming to all versions of Chrome 73 except the one on Apple’s iOS, as it doesn’t use the Chromium web engine. You can also expect to see it make its way to both Opera and the soon-to-be-released Chromium version of Microsoft Edge some time during the year.