About Microsoft Edge's secret Flash whitelist
February 22, 2019
Microsoft’s Edge browser has a secret Flash whitelist that allows Flash content to run without click-to-play protection on the websites that are included in it.
Adobe Flash is supported by Microsoft Edge, the default browser of Microsoft’s Windows 10 operating system. Flash is set to click-to-play in the browser, and users can also disable Flash completely in the browser settings.
Microsoft releases updates on the company's monthly patch day to fix security problems.
It came to light recently that Microsoft employed a Flash whitelist that allowed Flash content to run on 58 unique domains with no user interaction. Websites on that list included QQ, Facebook, the MSN portal, Yahoo, and Deezer, but also entries that one would not automatically expect on such a list, such as a Spanish hair salon.
Microsoft limited the list in this month’s Patch Tuesday update to only two Facebook entries and enforced the use of HTTPS for these sites, after a Google engineer filed a bug report with the company in late 2018.
According to the bug report, Flash content is allowed to load if the Flash element is larger than 398×298 pixels or if it is hosted on one of the domains on the list.
Attackers could abuse sites on the list to bypass click-to-play policies, or exploit XSS vulnerabilities on some of the included sites to do so. Microsoft Edge respects Flash click-to-play policies on all other sites. Users need to allow the execution of Flash content in Microsoft Edge on non-whitelisted sites.
It’s unclear why Microsoft added the whitelist; it is possible that it did so to improve compatibility on those sites. While that would make sense for important sites like Facebook that host Flash content, it is unclear which criteria Microsoft used to create the list.
The list features some arcade sites that host Flash games, but doesn’t include other popular arcade sites that also host Flash games. It is perplexing that some websites are on the list while others are not. It is possible that some sites were added
We’ll update the article if further information comes to light.
It’s puzzling that Microsoft would include a Flash whitelist in its Edge browser, considering that Microsoft never fails to highlight the security features of Edge. Allowing sites to run Flash content without user interaction is extremely problematic from a security point of view, even on websites that are popular.
Taking control away and not revealing the fact to users is problematic not just from a security point of view but also when it comes to trust.
You: what’s your take on this?
The post About Microsoft Edge's secret Flash whitelist appeared first on gHacks Technology News.