Microsoft's Edge web browser users a secret Flash whitelist that allows Flash content to run without click to play protection on included sites.
Microsoft Edge, the default browser of Microsoft's Windows 10 operating system, supports Adobe Flash natively. Flash is set to click-to-play in the browser, and users may disable Flash entirely in the browser's settings.
Microsoft releases Flash updates regularly on the company's monthly patch day to fix security issues discovered in Flash.
It came to light recently that Microsoft implemented a Flash whitelist that allowed Flash content to run on 58 different domains without user interaction. Sites on that list included Deezer, Facebook, the MSN portal, Yahoo, or QQ but also entries that one would not necessarily expect on such a list like a Spanish hair salon.
Microsoft limited the list on this month's Patch Tuesday update to just two Facebook entries and enforced the use of HTTPS for these sites after a Google engineer filed a bug report with the company in late 2018.
Microsoft obfuscated the list and the Google engineer had to crack it using a dictionary of known and popular domain names.
According to the bug report, Flash content is allowed to load if it is hosted on one of the whitelisted domains or if the Flash element is larger than 398x298 pixels.
Attackers could exploit the list to bypass click to play policies entirely or use XSS vulnerabilities on some of the included sites. Microsoft Edge respects Flash click to play policies on all other sites. Users need to allow the execution of Flash content in Microsoft Edge on non-whitelisted sites.
It is unclear why Microsoft added the whitelist; it is possible that it did so to improve compatibility on select sites. While that would make sense on major sites like Flashbook that still host Flash content, it is unclear which parameters Microsoft used to create the list.
The list features some arcade sites that host Flash games, but does not list equally popular arcade sites that also host Flash games. It is puzzling that some sites are on the list while other are not. It is possible that some sites were added
We contacted Microsoft for comment but have not heard back yet. We will update the article if additional information comes to light.
It is puzzling that Microsoft would add a Flash whitelist to its Edge browser considering that Microsoft never fails to highlight Edge's security features. Allowing sites to run Flash content without user permission is highly problematic from a security point of view even on popular sites.
Taking away control and not disclosing the fact to users is highly problematic not only from a security point of view but also when it comes to trust.
Now You: What is your take on this?
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.