In April last year we announced some changes to our criteria around Adware designed to ensure that users maintain control of their experience. These changes are described in our blog, Adware: a New Approach. Since then, we’ve taken policy and enforcement measures to address unwanted behaviors exhibited by advertising programs that take choice and control away from users.
Ad injection software has evolved, and is now using a variety of ‘man-in-the-middle’ (MiTM) techniques. Some of these techniques include injection by proxy, changing DNS settings, network layer manipulation and other methods. All of these techniques intercept communications between the Internet and the PC to inject advertisements and promotions into webpages from outside, without the control of the browser. Our intent is to keep the user in control of their browsing experience and these methods reduce that control.
Our evaluation criteria describe the characteristics and behavior of malware and potentially unwanted applications and guide the proper identification of threats. Learn how we classify malicious software, unwanted software, and potentially unwanted applications.
There are many additional concerns with these techniques, some of these include:
- MiTM techniques add security risk to customers by introducing another vector of attack to the system.
- Most modern browsers have controls in them to notify the user when their browsing experience is going to change and confirm that this is what the user intends. However, many of these methods do not produce these warnings and reduce the choice and control of the user.
- Also, many of these methods also alter advanced settings and controls that the majority of users will not be able to discover, change, or control.
To address these and to keep the intent of our policy, we’re updating our Adware objective criteria to require that programs that create advertisements in browsers must only use the browsers’ supported extensibility model for installation, execution, disabling, and removal.
The choice and control belong to the users, and we are determined to protect that.
We encourage developers in the ecosystem to comply with the new criteria. We are providing an ample notification period for them to work with us as they fix their programs to become compliant. Programs that will fail to comply will be detected and removed.
Enforcement starts on March 31, 2016.
Barak Shein and Michael Johnson
Talk to us
Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.
Follow us on Twitter @WDSecurity.
