Despite security policies requiring user permission for websites to run Flash content, Microsoft Edge has a hidden whitelist that allows Facebook to run Flash code without consent.
As first reported by ZDNet, the whitelist was discovered by Google Project Zero security researcher Ivan Fratric, who also found security flaws involving the whitelist. The flaws include:
- An XSS vulnerability on any of the domains would allow bypassing click2play policy [and running malicious Flash code on these domains].
- There are already publicly known and unpatched instances of XSS vulnerabilities on at least some of the whitelisted domains.
- The whitelist is not limited to https. Even in the absence of an XSS vulnerability, this would allow a MITM attacker to bypass the click2play policy.
Microsoft Edge currently relies on a click-to-play policy for Flash, which explicitly requires the user's permission to run any Flash-based content. The secret whitelist allows Facebook to bypass this policy for Flash widgets larger than 398x298 pixels that are hosted on https://www.facebook.com and https://apps.facebook.com. As ZDNet speculates, this is likely so that Edge will continue to support Facebook's legacy collection of Flash games. However, when reached for comment, Facebook told ZDNet that it never asked Microsoft to be added to a whitelist and that it has since asked Microsoft to remove it from the list.
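To make the scheme problem Fratric flagged concrete, here is an added illustration written for this article; it is not Edge's code and not taken from the bug report. It models an exemption list as the page describes it (two hostnames, a minimum widget size) and shows a hostname-only check beside one that also requires https, so a plain-http page on a listed host no longer inherits the exemption. The function and constant names are hypothetical.

```python
from urllib.parse import urlparse

# Constructed model of the exemption list the article describes:
# hostnames allowed to run Flash without a prompt, and the size threshold.
# Hypothetical names; this is not Microsoft Edge's implementation.
AUTOPLAY_HOSTS = {"www.facebook.com", "apps.facebook.com"}
MIN_WIDTH, MIN_HEIGHT = 398, 298


def _size_ok(width: int, height: int) -> bool:
    """Widget must be larger than 398x298 pixels to qualify."""
    return width > MIN_WIDTH and height > MIN_HEIGHT


def is_exempt_weak(page_url: str, width: int, height: int) -> bool:
    """Hostname-only check: the scheme is never inspected, so an http:// page
    on a listed host is exempt too. This is the gap a network attacker able
    to rewrite plain-http traffic could use to reach the exemption."""
    host = (urlparse(page_url).hostname or "").lower()
    return host in AUTOPLAY_HOSTS and _size_ok(width, height)


def is_exempt_hardened(page_url: str, width: int, height: int) -> bool:
    """Hardened check: require https as well, so only content delivered
    over an authenticated channel can benefit from the exemption."""
    parsed = urlparse(page_url)
    if parsed.scheme != "https":
        return False
    host = (parsed.hostname or "").lower()
    return host in AUTOPLAY_HOSTS and _size_ok(width, height)


def audit(page_loads):
    """Compare both policies over a list of (url, width, height) tuples and
    return the URLs that the weak check would exempt but the hardened one
    would not: these are the loads a defender should care about."""
    return [
        url for url, w, h in page_loads
        if is_exempt_weak(url, w, h) and not is_exempt_hardened(url, w, h)
    ]


if __name__ == "__main__":
    # Constructed sample page loads (not real observations).
    sample = [
        ("https://www.facebook.com/games/", 400, 300),   # exempt under both
        ("http://www.facebook.com/games/", 400, 300),    # only weak exempts
        ("https://apps.facebook.com/app/", 398, 298),    # too small
        ("https://www.facebook.com.example/", 400, 300), # different host
    ]
    for url, w, h in sample:
        print(f"{url}: weak={is_exempt_weak(url, w, h)} "
              f"hardened={is_exempt_hardened(url, w, h)}")
    print("weak-only exemptions:", audit(sample))
```

The only difference between the two checks is the scheme test, which is exactly the point of the third finding: a host match alone says nothing about whether the page was delivered intact.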
While the two Facebook domains are the only ones currently included on the whitelist, it was much bigger prior to February. When it was originally discovered, the list contained a total of 58 URLs, including entries for Microsoft's own site, along with Deezer, Yahoo, and more. After the list's discovery, Fratric filed a bug report with Microsoft in November. The whitelist was pared down to the two Facebook URLs with this month's "Patch Tuesday" updates.
While Microsoft didn't comment on the list directly, the company told ZDNet in a statement: "We are nearing the point where Flash is no longer part of the default experience in Microsoft Edge on any site and the recent changes in February were the next step of the transition plan."
Due to security concerns, all major browsers have implemented "click-to-play" policies regarding Flash content. Adobe, the company behind Flash, has outlined plans to retire it by 2020. Microsoft, meanwhile, has announced plans to switch Edge from its own EdgeHTML engine to Chromium.