About Microsoft Edge's secret Flash whitelist - gHacks Tech News

About Microsoft Edge's secret Flash whitelist

Microsoft's Edge web browser users a secret Flash whitelist that allows Flash content to run without click to play protection on included sites.

Microsoft Edge, the default browser of Microsoft's Windows 10 operating system, supports Adobe Flash natively. Flash is set to click-to-play in the browser, and users may disable Flash entirely in the browser's settings.

Microsoft releases Flash updates regularly on the company's monthly patch day to fix security issues discovered in Flash.

It came to light recently that Microsoft implemented a Flash whitelist that allowed Flash content to run on 58 different domains without user interaction. Sites on that list included Deezer, Facebook, the MSN portal, Yahoo, or QQ but also entries that one would not necessarily expect on such a list like a Spanish hair salon.

edge flash disable

Microsoft limited the list on this month's Patch Tuesday update to just two Facebook entries and enforced the use of HTTPS for these sites after a Google engineer filed a bug report with the company in late 2018.

Microsoft obfuscated the list and the Google engineer had to crack it using a dictionary of known and popular domain names.

According to the bug report, Flash content is allowed to load if it is hosted on one of the whitelisted domains or if the Flash element is larger than 398x298 pixels.

Attackers could exploit the list to bypass click to play policies entirely or use XSS vulnerabilities on some of the included sites. Microsoft Edge respects Flash click to play policies on all other sites. Users need to allow the execution of Flash content in Microsoft Edge on non-whitelisted sites.

It is unclear why Microsoft added the whitelist; it is possible that it did so to improve compatibility on select sites. While that would make sense on major sites like Flashbook that still host Flash content, it is unclear which parameters Microsoft used to create the list.

The list features some arcade sites that host Flash games, but does not list equally popular arcade sites that also host Flash games. It is puzzling that some sites are on the list while other are not. It is possible that some sites were added

We contacted Microsoft for comment but have not heard back yet. We will update the article if additional information comes to light.

Closing Words

It is puzzling that Microsoft would add a Flash whitelist to its Edge browser considering that Microsoft never fails to highlight Edge's security features. Allowing sites to run Flash content without user permission is highly problematic from a security point of view even on popular sites.

Taking away control and not disclosing the fact to users is highly problematic not only from a security point of view but also when it comes to trust.

Now You: What is your take on this?

Summary
About Microsoft Edge's secret Flash whitelist
Article Name
About Microsoft Edge's secret Flash whitelist
Description
Microsoft's Edge web browser users a secret Flash whitelist that allows Flash content to run without click to play protection on included sites.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:


Previous Post: «
Next Post: »

Comments

  1. Flotsam said on February 21, 2019 at 10:50 am
    Reply

    Surely this was never going to be a secret for long.

    1. Martin Brinkmann said on February 21, 2019 at 11:06 am
      Reply

      It appears to have been in Edge for quite some time.

      1. Flotsam said on February 21, 2019 at 12:35 pm
        Reply

        Doesn’t say much for Edge users if none of them noticed.

      2. asdasd said on February 21, 2019 at 2:17 pm
        Reply

        Those ten Edge users are not security specialists.

  2. Chris said on February 21, 2019 at 11:10 am
    Reply

    My take:
    1. This discovery makes it even harder to trust Microsoft, a company that has become harder and harder to trust over the years (due to their own bad behavior). At this point, they are almost as bad as Facebook and Google.
    2. I’ll never use Microsoft’s Edge browser because of this
    3. I wonder if it also accepts flash tracking cookies on all these sites. Probably. What a nightmare.

    1. Martin Brinkmann said on February 21, 2019 at 11:37 am
      Reply

      I find it very hard to trust any of the major tech companies these days; there are simply to many blunders and incidents. Google not disclosing a built-in microphone in Nest hardware is just another recent example.

    2. Tamris said on February 21, 2019 at 11:50 am
      Reply

      Almost? They ARE as bad as the other two.

      1. John Fenderson said on February 21, 2019 at 7:51 pm
        Reply

        @Tamris:

        Yes. Who taught the other two how to be the way they are, after all?

  3. pond said on February 21, 2019 at 11:51 am
    Reply

    > It is puzzling that Microsoft would add a Flash whitelist to its Edge browser considering that Microsoft never fails to highlight Edge’s security features

    How about the obvious: user tracking?

    1. fse said on February 21, 2019 at 12:41 pm
      Reply

      more like trucking. someone paid to be on the list no doubt.

      1. AnorKnee Merce said on February 21, 2019 at 3:24 pm
        Reply

        Yes, M$ has been selling out security in Edge for money received to whitelist “flashy” websites = it’s like M$ will do anything for money$$$$ = cannot be trusted by computer users since GWX KB3035583 in July 2015.

  4. Paul(us) said on February 21, 2019 at 1:23 pm
    Reply

    Could it be because I deactivated M.S Edge in the Windows 10 start auto executed (upstart) list (This so Edge is not latent present in main memory because I do not use it) that lately in main update list, I am getting an error messages concerning flash saying MS win.10 cant install the Flash update?

  5. Weilan said on February 21, 2019 at 2:22 pm
    Reply

    Edge’s cute, little, insignificant, useless options panel/sidebar thingy is so comical and underwhelming that I can’t even feel bad for Microsoft.

  6. Jeff said on February 21, 2019 at 2:44 pm
    Reply

    This is the worst way to design software: secret feature that the user cannot control !

  7. Barabbaz said on February 21, 2019 at 2:55 pm
    Reply

    I recent the fact that Redmond downloads flash to my computer, when I want nothing to do with flash. Makes no difference if I “can disable it” and blaaaa effin BLAAAA! I do not want even one BYTE of Adobe Flash code on my computer! What I do want is an option on a clean install that says “Would you like a ridiculously massive amount of completely useless s**t installed, to slow your computer down, disrupt your workflow with endless popups and questions and recommendations that your life would be so much happier if you created a Microsoft account and annoy you until you want to switch to linux?” along with an option that says “No, and never ever ask this question again” or alternatively “Would you like to download and install a linux distribution instead of this bad joke we try to pass off as an operating system?”

  8. Steven Fleckenstein said on February 21, 2019 at 4:16 pm
    Reply

    Just helped a 91 year old client who only uses Edge and only uses 3 different web sites with a scareware attack. The one where the computer yells at you thru the speakers that you have a virus and to call Microsoft now at an 800 number, have your credit card ready. The price was $1,000 USD. Wonder if this was flash related? Sites he uses are live.com, wellsfargo.com, and cr???.com (another bond trader site)

  9. Vrai said on February 21, 2019 at 4:37 pm
    Reply

    >”It is puzzling that Microsoft would add a Flash whitelist to its Edge browser….”
    Perhaps “puzzling” – surprising? not so much ¯\_(ツ)_/¯

    >”Taking away control and not disclosing the fact to users is highly problematic not only from a security point of view but also when it comes to trust.”
    Oh, we’re wayyyyy past the “trust” phase! :)

    On a Windows machine I will actually go into my Programs and Program Data directories and delete anything Adobe Flash and Macromedia related. Maybe MS won’t let me remove it from IE but I can make it so it cannot run. In my particular use case I don’t need Flash for anything.

  10. Kevin said on February 21, 2019 at 5:42 pm
    Reply

    Two words: business deal.

  11. Dave said on February 21, 2019 at 6:00 pm
    Reply

    You gleefully carry around the cameras, microphones, and GPS trackers that Apple and Google use to collect data about every thing you do and everywhere you go and never question all those little automatic updates you get nearly every day.

  12. ULBoom said on February 21, 2019 at 7:11 pm
    Reply

    I wonder if this will remain when Chromedge is born? I kinda miss all those little flash games but haven’t reactivated flash. MS’s updates are fiascos, did they take lessons from flash?

  13. pHROZEN gHOST said on February 21, 2019 at 10:45 pm
    Reply

    Think about $$$.

    Perhaps Microsoft charges a fee to those on the whitelist?!?!?!?

  14. John IL said on February 21, 2019 at 11:41 pm
    Reply

    I use Edge off and on, from the start I turned off Flash player because any web site that needs Flash is a web site I won’t use. Plenty of much better alternatives so why expose yourself to Flash just because a web site or online game can’t update? I think the whitelist started back in IE 11 maybe it was IE 10. Doesn’t sound like it was ever a long list in Edge, but glad its reduced to just Facebook. But seriously Facebook, its 2019 isn’t it time to drop Flash already?

  15. supergirl said on February 23, 2019 at 4:40 am
    Reply

    @ Martin Brinkman
    I find it very hard to trust any of the major tech companies these days; there are simply to many blunders and incidents.

    Martin youre much to kind to these guys.
    These arent Blunders..They are not a bug ..they’re a feature. LoL

    These tech behemoths have Every Opportunity to treat us as Valued Customers..
    They NEVER do!!!

    They Lie, Cheat, Sneak, & Swindle at Every,every opportunity.
    ALL of them!!!
    Ceaselessly.
    To ALL of us.

    And WE {collectively} allow this….

    All of this can be stopped if we ALL make an effort not to be their product anymore.
    Google Microsoft Apple Facebook…Stop using them.
    Write your lawmakers & force them to pass internet laws respecting our privacy & humanity.
    Make tracking & fingerprinting ILLEGAL..
    make them throw away all of their ill gotten data.

    What business does ANYONE have with our medical records?

    Vote out those ‘representatives’ who equivocate. Rise up…

    please,…..Dont be a mushroom being fed shit in the dark..people LoL

    We are going to LOSE firefox browser as Google is making/planning/designing
    an Internet where it just wont work.

    I have nearly completely lost my ability to do a Google captcha in
    Firefox!!!

    I know… I know… too many of you think youre smarter but youre not!

    ‘They’ are paying people to sit around & figure out how to USE you…
    Its coming for us all……I dont like being ‘used’ do you..???

    “Oh Google,by your leave,…May I please use the internet”,…WTF!!!????

    This Will not stop until “we, the people” make it stop.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.