Microsoft Edge secretly whitelisted sites running Flash Player for Facebook

News by Doug Olenick

Facebook has found itself involved in another controversy, this time a cyber-security researcher has revealed Microsoft Edge allows Flash Player content to be played on Facebook without notifying the user.

Facebook has found itself involved in another controversy, this time a cyber-security researcher has revealed Microsoft Edge allows Flash Player content to be played on Facebook without notifying the user.

Google Project Zero’s Ivan Fratric came across what is essentially a secret whitelist and reported it on 26 November, 2018 and waited the usual 90 days before making his discovery public. In this case, the public disclosure came after Microsoft addressed the issue, CVE-2019-0641, with its February Patch Tuesday rollout. The domains on the list were enabled to play Flash content on Facebook.

What Fratric came across was the binary file C:\Windows\system32\edgehtmlpluginpolicy.bin. This contains the default whitelist of at least domains 58 domains that can bypass Flash click2play and load Flash content without getting user confirmation in Microsoft Edge in Windows 10, he wrote.

The sites that had been whitelisted range from music.microsoft.com to the gaming site www.poptropica.com to www.vudu.com along with two Facebook URLs https://www.facebook.com and https://apps.facebook.com. Post update the list has been whittled down to include only the two Facebook domains.

"The most common permission flag value (1) indicates that the site is allowed to load Flash content if: the Flash content is hosted on the same domain *OR* The element containing Flash is larger than 398×298 pixels as can be seen in FlashClickToRunHelper::DetermineControlAction," he said.

Fratric pointed out the security issues involved with the secret whitelist. An XSS vulnerability on any of the domains would allow bypassing click2play policy. Primarily the unpatched XSS vulnerabilities contained within several of these sites and that the list contained HTTP sites which could allow a man in the middle attacker to bypass the click2play policy.

The overall danger contained in such whitelists was pointed out by Mike Bittner, digital security and operations manager at The Media Trust.  

"Block/blacklists and allow/whitelists can outlive their usefulness within seconds. As soon as new malware surface — and 285,000 new ones are created every day — a blocklist’s utility takes a dive. It’s important to continuously update such lists not only to keep pace with attacks but also to ensure their accuracy so that harmless, legitimate sites aren’t needlessly blocked, he said.

Adobe announced in July 2017 it will end support for Flash in 2020. The application receives a steady stream of security updates and has been banned from many browsers.

This article was originally published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming event 

Webcast: Understanding this year's biggest adversaries - and how to combat them 

Nation-state activity, versatile, slippery strategies and Big Game Hunting - the threats are real, dangerous and ever changing. 
Brought to you in partnership with Crowdstrike