Microsoft tackles man-in-the-middle ad injection with new Adware objective criteria

Microsoft is expanding its efforts to improve security in Windows 10, with its latest move set to adjust its Adware objective criteria to address the rising concerns over man-in-the-middle techniques being used to serve ads. From Microsoft:

Ad injection software has evolved, and is now using a variety of 'man-in-the-middle' (MiTM) techniques. Some of these techniques include injection by proxy, changing DNS settings, network layer manipulation and other methods. All of these techniques intercept communications between the Internet and the PC to inject advertisements and promotions into webpages from outside, without the control of the browser. Our intent is to keep the user in control of their browsing experience and these methods reduce that control.

There are many additional concerns with these techniques; some of these include:

  • MiTM techniques add security risk to customers by introducing another vector of attack to the system.
  • Most modern browsers have controls in them to notify the user when their browsing experience is going to change and confirm that this is what the user intends. However, many of these methods do not produce these warnings and reduce the choice and control of the user.
  • Also, many of these methods alter advanced settings and controls that the majority of users will not be able to discover, change, or control.

To address these and to keep the intent of our policy, we're updating our Adware objective criteria to require that programs that create advertisements in browsers must only use the browsers' supported extensibility model for installation, execution, disabling, and removal.

Essentially, Microsoft's renewed focus is meant to address precisely the problems inherent in Lenovo's "Superfish" debacle from earlier this year by restricting ad-serving software to the browsers' supported extensibility model, cutting off OS-level methods. Alongside other improvements in Windows 10 and Microsoft's ecosystem approach, this should have the ultimate benefit of making Windows much more secure.

Enforcement of the new criteria is set to start on March 31, 2016. For much more, be sure to check out Microsoft's full blog post at the source link below.

Source: Microsoft