Microsoft Changing Detection of Adware and Browser Modifiers

One of the not-so-great side effects of the transition to virtually everything being done in the Web browser is that advertisers, attackers and scammers are constantly trying to get their code to run in users’ browsers, any way they can. A lot of this is done through extensions and browser objects, some of which modify the browser settings and prevent users from making their own changes.

Browser vendors in recent years have started detecting some of these extensions as adware and stopping them from executing unwanted actions. For example, most browsers will disable new extensions until the browser is relaunched and then ask the user if she wants to run the extension. Microsoft is now changing the way that it detects unwanted behavior from extensions, not just in Internet Explorer, but in all browsers running on Windows, to help prevent extensions from bypassing dialogs intended to let users choose whether to install or run extensions.

“Some of the technical methods behind the bypasses we’ve been seeing include Group Policy settings, registry changes, and preferences file modification. For example, using Group Policy settings to sidestep your consent to install an extension is not acceptable – these features are designed only for use by organizations to deploy an extension. The bottom line is when installing an extension into the browser, barring a few exception cases (such as Internet Explorer’s ActiveX PreApproved List), the browser consent dialog should be prompted. Failure to do so can result in the application being detected as a browser modifier by our security products,” Geoff McDonald of Microsoft said.

“We’ve seen applications and extensions prevent you from viewing or modifying your browser settings, or change the settings back after you make a modification to them. This is not allowed. One prevalent example is browser extensions that don’t let you disable or remove them.”

Malware and other kinds of unwanted programs and extensions often take great pains to hide their real intentions. They pose as other kinds of applications or make changes in the background. Browser extensions, even some legitimate ones, have adopted some of these techniques as well, and the browser vendors and other software makers have had to respond. Microsoft officials said that using these deceptive techniques will result in extensions being classified as adware.

“We have been seeing some programs modifying or replacing hyperlinks with different URLs than those used by the website owner. This includes places where a hyperlink is directly misrepresented and sends users to a different webpage than the one they expected. A hyperlink that directs a user to an advertisement before they can view the webpage they intended is also considered a misrepresentation. All of these behaviors will qualify a program to be detected as adware,” Michael Johnson of Microsoft said.
