What part of “No Flash” doesn’t Microsoft understand?
Sergiu Gatlan at BleepingComputer:
According to the initial bug report filed by Google Project Zero’s Ivan Fratric on November 26:
In Microsoft Windows, there is a file C:\Windows\system32\edgehtmlpluginpolicy.bin that contains the default whitelist of domains that can bypass Flash click2play and load Flash content without getting user confirmation in Microsoft Edge.
The current version of the previously secret Edge whitelist will only allow Facebook to bypass the Flash click-to-play policy on its www.facebook.com and apps.facebook.com domains, a policy which is currently enforced for all other domains not present on this list.
How serious a problem is that? The BleepingComputer article goes on to quote Ivan Fratric:
This whitelist is insecure for multiple reasons:
- An XSS vulnerability on any of the domains would allow bypassing click2play policy.
- There are already publicly known and unpatched instances of XSS vulnerabilities on at least some of the whitelisted domains, for example www.openbugbounty.org/reports/5… and www.openbugbounty.org/reports/4… and www.openbugbounty.org/reports/1…
- The whitelist is not limited to https (this wouldn’t work anyway as some of the whitelisted domains don’t support https at all). Even in the absence of an XSS vulnerability, this would allow a MITM attacker to bypass the click2play policy.
BleepingComputer reproduced the full list of 58 entries in the original version of the internal whitelist that Fratric uncovered. Many of the entries have no obvious reason to be there.
Catalin Cimpanu, reporting at ZDNet:
Fratric filed a bug report with Microsoft last November, and Microsoft delivered a fix with this month’s Patch Tuesday fixes by restricting the list from 58 URLs to only two domains and enforcing HTTPS for all domains included on the list. The bug report also contains the original version of the whitelist, with all the 58 domains.
In its current version, Edge will allow Facebook to execute any Flash widget that has a dimension of over 398×298 pixels and is hosted on the www.facebook.com and apps.facebook.com domains. Most likely, Facebook is on Microsoft’s Edge whitelist to support the social network’s large collection of legacy Flash games.
For any other Flash widget on any other website, Edge will respect its default click-to-play policy, meaning websites are not allowed to execute Flash without users’ permission, which usually means enabling Flash execution through an address bar icon.
Commenting on Twitter, the Google security researcher expressed his surprise at how the whitelist was being managed, and by whom, and at how it came to be.
“So many sites for which I’m completely baffled as to why they’re there,” Fratric said. “Like a site of a hairdresser in Spain?! I wonder how the list was formed. And if [the Microsoft Security Response Center] knew about it.”
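To make the two bypass routes in Fratric’s report concrete, here is an added example, written for this post and not code from Microsoft, Edge or any of the articles quoted, that models the click-to-play exemption check before and after the fix. The real format of edgehtmlpluginpolicy.bin and Edge’s internal logic are not public, so the functions, the three sample hostnames (taken from the reported list) and the page URLs are assumptions; what it shows is why a hostname-only list is MITM-able over plain http and why the fixed policy also needs an exact host match and the size threshold ZDNet describes.

```javascript
// Added example (not Microsoft's or Edge's code): a model of the Flash
// click-to-play whitelist check, before and after the Patch Tuesday fix.
// Assumed: hostnames come from the reported list; sizes use the ZDNet figures.

// Pre-fix policy (modelled): a bare hostname list, scheme not considered.
// Three of the 58 reported entries stand in for the whole list.
const OLD_WHITELIST = new Set(['www.facebook.com', 'apps.facebook.com', 'stupidvideos.com']);

// Post-fix policy (modelled): two hosts, HTTPS only, widget must be "over" 398x298.
const NEW_WHITELIST = new Set(['www.facebook.com', 'apps.facebook.com']);
const MIN_WIDTH = 398;
const MIN_HEIGHT = 298;

// Parse the embedding page's origin properly instead of string-matching.
// URL lowercases the hostname and strips userinfo, so
// "http://www.facebook.com@evil.example/" resolves to host "evil.example".
function originOf(pageUrl) {
  const u = new URL(pageUrl);
  return { scheme: u.protocol.replace(':', ''), host: u.hostname };
}

// Old behaviour: any page whose hostname is on the list auto-loads Flash.
// Over plain http an on-path attacker can rewrite the page, so the exemption
// is effectively granted to whoever controls the network (Fratric's MITM point).
function oldPolicyAllows(pageUrl) {
  return OLD_WHITELIST.has(originOf(pageUrl).host);
}

// New behaviour: HTTPS only, exact host match, and a minimum widget size.
// Exact matching means "www.facebook.com.evil.example" is not a match.
function newPolicyAllows(pageUrl, width, height) {
  const { scheme, host } = originOf(pageUrl);
  if (scheme !== 'https') return false;
  if (!NEW_WHITELIST.has(host)) return false;
  return width > MIN_WIDTH && height > MIN_HEIGHT;
}

// Evaluate a set of constructed cases and return the decisions.
function evaluateCases() {
  return {
    oldHttpFacebook: oldPolicyAllows('http://www.facebook.com/games/'),      // true: MITM-able
    oldHttpOddEntry: oldPolicyAllows('http://stupidvideos.com/'),            // true
    newHttpFacebook: newPolicyAllows('http://www.facebook.com/games/', 500, 400), // false: not https
    newHttpsFacebook: newPolicyAllows('https://www.facebook.com/games/', 500, 400), // true
    newTooSmall: newPolicyAllows('https://apps.facebook.com/app/', 398, 298), // false: not over the threshold
    newDroppedEntry: newPolicyAllows('https://stupidvideos.com/', 500, 400),  // false: no longer listed
    newLookalike: newPolicyAllows('https://www.facebook.com.evil.example/', 500, 400), // false: exact match only
    newUserinfoTrick: newPolicyAllows('https://www.facebook.com@evil.example/', 500, 400), // false: host is evil.example
  };
}
```

Note what the fixed policy still cannot do: the check is per origin, so any script that runs on www.facebook.com or apps.facebook.com (for instance via an XSS there) inherits the exemption, which is exactly Fratric’s first objection to having a whitelist at all.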
I came across this via Gary McGath’s Mad File Format Science blog, where he adds:
The article speculates that it’s to allow Facebook’s legacy Flash games to work. This doesn’t sound plausible. Why not just let users whitelist Facebook if they want those games and are willing to take the risk? It’s more plausible that supporting Flash ads is the real reason.
The old list, according to Bleeping Computer, included domains like dilidili.wang, totaljerkface.com, and stupidvideos.com. As Dave Barry would say, I’m not making this up.
This tactic puts a huge dent in Microsoft’s credibility. If they’re willing to deceive you about a “No flash” setting, why should you believe them when they say they won’t hand over your personal data? At the very least, it’s a good reason to stop using Edge and switch to some other browser.
I only have Windows around these days for a few apps that I still need to use occasionally. I use Mozilla Firefox as my primary browser on my Mac, and don’t have Flash installed at all. Microsoft, for reasons I don’t fully understand, still includes Flash in Windows, and I’ve yet to find a way to get rid of it. It seems that Microsoft is choosing to minimise the amount of technical support it has to provide to Edge users, rather than prioritise keeping those users secure.