About Microsoft Edge's secret Flash whitelist
Microsoft's Edge web browser users a secret Flash whitelist that allows Flash content to run without click to play protection on included sites.
Microsoft Edge, the default browser of Microsoft's Windows 10 operating system, supports Adobe Flash natively. Flash is set to click-to-play in the browser, and users may disable Flash entirely in the browser's settings.
Microsoft releases Flash updates regularly on the company's monthly patch day to fix security issues discovered in Flash.
It came to light recently that Microsoft implemented a Flash whitelist that allowed Flash content to run on 58 different domains without user interaction. Sites on that list included Deezer, Facebook, the MSN portal, Yahoo, or QQ but also entries that one would not necessarily expect on such a list like a Spanish hair salon.
Microsoft limited the list on this month's Patch Tuesday update to just two Facebook entries and enforced the use of HTTPS for these sites after a Google engineer filed a bug report with the company in late 2018.
Microsoft obfuscated the list and the Google engineer had to crack it using a dictionary of known and popular domain names.
According to the bug report, Flash content is allowed to load if it is hosted on one of the whitelisted domains or if the Flash element is larger than 398x298 pixels.
Attackers could exploit the list to bypass click to play policies entirely or use XSS vulnerabilities on some of the included sites. Microsoft Edge respects Flash click to play policies on all other sites. Users need to allow the execution of Flash content in Microsoft Edge on non-whitelisted sites.
It is unclear why Microsoft added the whitelist; it is possible that it did so to improve compatibility on select sites. While that would make sense on major sites like Flashbook that still host Flash content, it is unclear which parameters Microsoft used to create the list.
The list features some arcade sites that host Flash games, but does not list equally popular arcade sites that also host Flash games. It is puzzling that some sites are on the list while other are not. It is possible that some sites were added
We contacted Microsoft for comment but have not heard back yet. We will update the article if additional information comes to light.
Closing Words
It is puzzling that Microsoft would add a Flash whitelist to its Edge browser considering that Microsoft never fails to highlight Edge's security features. Allowing sites to run Flash content without user permission is highly problematic from a security point of view even on popular sites.
Taking away control and not disclosing the fact to users is highly problematic not only from a security point of view but also when it comes to trust.
Now You: What is your take on this?
@ Martin Brinkman
I find it very hard to trust any of the major tech companies these days; there are simply to many blunders and incidents.
Martin youre much to kind to these guys.
These arent Blunders..They are not a bug ..they’re a feature. LoL
These tech behemoths have Every Opportunity to treat us as Valued Customers..
They NEVER do!!!
They Lie, Cheat, Sneak, & Swindle at Every,every opportunity.
ALL of them!!!
Ceaselessly.
To ALL of us.
And WE {collectively} allow this….
All of this can be stopped if we ALL make an effort not to be their product anymore.
Google Microsoft Apple Facebook…Stop using them.
Write your lawmakers & force them to pass internet laws respecting our privacy & humanity.
Make tracking & fingerprinting ILLEGAL..
make them throw away all of their ill gotten data.
What business does ANYONE have with our medical records?
Vote out those ‘representatives’ who equivocate. Rise up…
please,…..Dont be a mushroom being fed shit in the dark..people LoL
We are going to LOSE firefox browser as Google is making/planning/designing
an Internet where it just wont work.
I have nearly completely lost my ability to do a Google captcha in
Firefox!!!
I know… I know… too many of you think youre smarter but youre not!
‘They’ are paying people to sit around & figure out how to USE you…
Its coming for us all……I dont like being ‘used’ do you..???
“Oh Google,by your leave,…May I please use the internet”,…WTF!!!????
This Will not stop until “we, the people” make it stop.
I use Edge off and on, from the start I turned off Flash player because any web site that needs Flash is a web site I won’t use. Plenty of much better alternatives so why expose yourself to Flash just because a web site or online game can’t update? I think the whitelist started back in IE 11 maybe it was IE 10. Doesn’t sound like it was ever a long list in Edge, but glad its reduced to just Facebook. But seriously Facebook, its 2019 isn’t it time to drop Flash already?
Think about $$$.
Perhaps Microsoft charges a fee to those on the whitelist?!?!?!?
I wonder if this will remain when Chromedge is born? I kinda miss all those little flash games but haven’t reactivated flash. MS’s updates are fiascos, did they take lessons from flash?
You gleefully carry around the cameras, microphones, and GPS trackers that Apple and Google use to collect data about every thing you do and everywhere you go and never question all those little automatic updates you get nearly every day.
Two words: business deal.
>”It is puzzling that Microsoft would add a Flash whitelist to its Edge browser….”
Perhaps “puzzling” – surprising? not so much ¯\_(ツ)_/¯
>”Taking away control and not disclosing the fact to users is highly problematic not only from a security point of view but also when it comes to trust.”
Oh, we’re wayyyyy past the “trust” phase! :)
On a Windows machine I will actually go into my Programs and Program Data directories and delete anything Adobe Flash and Macromedia related. Maybe MS won’t let me remove it from IE but I can make it so it cannot run. In my particular use case I don’t need Flash for anything.
Just helped a 91 year old client who only uses Edge and only uses 3 different web sites with a scareware attack. The one where the computer yells at you thru the speakers that you have a virus and to call Microsoft now at an 800 number, have your credit card ready. The price was $1,000 USD. Wonder if this was flash related? Sites he uses are live.com, wellsfargo.com, and cr???.com (another bond trader site)
I recent the fact that Redmond downloads flash to my computer, when I want nothing to do with flash. Makes no difference if I “can disable it” and blaaaa effin BLAAAA! I do not want even one BYTE of Adobe Flash code on my computer! What I do want is an option on a clean install that says “Would you like a ridiculously massive amount of completely useless s**t installed, to slow your computer down, disrupt your workflow with endless popups and questions and recommendations that your life would be so much happier if you created a Microsoft account and annoy you until you want to switch to linux?” along with an option that says “No, and never ever ask this question again” or alternatively “Would you like to download and install a linux distribution instead of this bad joke we try to pass off as an operating system?”
This is the worst way to design software: secret feature that the user cannot control !
Edge’s cute, little, insignificant, useless options panel/sidebar thingy is so comical and underwhelming that I can’t even feel bad for Microsoft.
Could it be because I deactivated M.S Edge in the Windows 10 start auto executed (upstart) list (This so Edge is not latent present in main memory because I do not use it) that lately in main update list, I am getting an error messages concerning flash saying MS win.10 cant install the Flash update?
> It is puzzling that Microsoft would add a Flash whitelist to its Edge browser considering that Microsoft never fails to highlight Edge’s security features
How about the obvious: user tracking?
more like trucking. someone paid to be on the list no doubt.
Yes, M$ has been selling out security in Edge for money received to whitelist “flashy” websites = it’s like M$ will do anything for money$$$$ = cannot be trusted by computer users since GWX KB3035583 in July 2015.
My take:
1. This discovery makes it even harder to trust Microsoft, a company that has become harder and harder to trust over the years (due to their own bad behavior). At this point, they are almost as bad as Facebook and Google.
2. I’ll never use Microsoft’s Edge browser because of this
3. I wonder if it also accepts flash tracking cookies on all these sites. Probably. What a nightmare.
Almost? They ARE as bad as the other two.
@Tamris:
Yes. Who taught the other two how to be the way they are, after all?
I find it very hard to trust any of the major tech companies these days; there are simply to many blunders and incidents. Google not disclosing a built-in microphone in Nest hardware is just another recent example.
Surely this was never going to be a secret for long.
It appears to have been in Edge for quite some time.
Doesn’t say much for Edge users if none of them noticed.
Those ten Edge users are not security specialists.