Windows 10 News and info | Forum
Author Topic: Microsoft Edge Secret Whitelist Allows Facebook to Autorun Flash  (Read 22 times)
javajolt
Administrator
« on: February 21, 2019, 10:58:42 AM »

Microsoft's Edge web browser comes with a hidden whitelist file designed to allow Facebook to circumvent the built-in click-to-play security policy to autorun Flash content without having to ask for user consent.

According to the initial bug report filed by Google Project Zero's Ivan Fratric on November 26:

Quote
In Microsoft Windows, there is a file C:\Windows\system32\edgehtmlpluginpolicy.bin that contains the default whitelist of domains that can bypass Flash click2play and load Flash content without getting user confirmation in Microsoft Edge.


The current version of the previously secret Edge whitelist will only allow Facebook to bypass the Flash click-to-play policy on its www.facebook.com and apps.facebook.com domains, a policy which is currently enforced for all other domains not present on this list.

In his bug report, the security researcher also highlighted the security implications of having a Flash autorun whitelist bundled with a web browser, especially given the number of Flash security patches issued by Adobe almost every month.

Quote
This whitelist is insecure for multiple reasons:
 - An XSS vulnerability on any of the domains would allow bypassing click2play policy.
 - There are already *publicly known* and *unpatched* instances of XSS vulnerabilities on at least some of the whitelisted domains, for example http://www.openbugbounty.org/reports/582253/ and http://www.openbugbounty.org/reports/444528/ and http://www.openbugbounty.org/reports/130555/
 - The whitelist is not limited to http (this wouldn't work anyway as some of the whitelisted domains don't support http at all). Even in the absence of an XSS vulnerability, this would allow a MITM attacker to bypass the click2play policy.


The issue reported by Fratric was partially addressed by Microsoft during this month's Patch Tuesday by trimming the whitelist down to the two Facebook domains and by adding http support as a requirement for all the entries on the whitelist to mitigate the possibility of MITM attacks.

However, back in November, the security researcher initially found in the whitelist the sha256 hashes of 58 domains on Windows 10 v1803, which he was able to decrypt and obtain the names of 56 sites.

You can find all of the 58 entries present in the original Microsoft Edge Flash whitelist below:

The choice to encrypt the entries added to the whitelist and the decision to keep Facebook's domains whitelisted even after this month's Patch Tuesday are two other questions that only Microsoft can answer. While Microsoft managed to get around to partially address the issue reported by Fratric back in November 2018, the security researcher is still dumbfounded by Redmond's choice to use a Flash whitelist in the first place.

Microsoft is not the first one to use a Flash whitelist. During June 2015, NoScript was also found to whitelist a few dozen domains which could execute Flash, Java, and/or JavaScript content while the Firefox add-on was blocking all other domains that weren't on its shortlist from running this type of content.

source
« Last Edit: February 21, 2019, 11:02:04 AM by javajolt »
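The post mentions that the whitelist stored SHA-256 hashes of the domains rather than the names, and that the researcher nevertheless recovered 56 of the 58 entries. Hashing gives no confidentiality here because the input space is a short list of well-known hostnames: anyone holding the hash list can simply hash candidate names and compare. The Python below is an added example for this thread, not code from the article, from Microsoft or from Project Zero; it assumes plain, unsalted SHA-256 over the lowercase hostname (the post does not state the file's exact format, so that rule is an assumption), and the sample hash list is constructed inline from the two Facebook hostnames the post names plus one deliberately unresolvable entry. The defender's use is the audit: given such a list, confirm which of your own domains are granted the click-to-play exemption.

```python
import hashlib


def sha256_hex(hostname: str) -> str:
    """SHA-256 of the normalised (stripped, lowercased) hostname, as hex.

    ASSUMPTION for this example: the whitelist hashes the bare lowercase
    hostname with no salt or framing. The article does not describe the
    actual on-disk format of edgehtmlpluginpolicy.bin.
    """
    return hashlib.sha256(hostname.strip().lower().encode("ascii")).hexdigest()


# Constructed sample allowlist: two hostnames named in the post, plus one
# entry whose preimage is withheld from the candidate dictionary below. That
# third entry stands in for the two hashes the researcher could not recover.
SAMPLE_ALLOWLIST_HASHES = {
    sha256_hex("www.facebook.com"),
    sha256_hex("apps.facebook.com"),
    sha256_hex("unresolvable-entry.example"),
}

# Constructed candidate dictionary: the kind of list an auditor would build
# from their own DNS/proxy logs or a public list of popular hostnames.
CANDIDATE_HOSTNAMES = [
    "www.facebook.com",
    "apps.facebook.com",
    "www.example.com",
    "cdn.example.net",
]


def recover_allowlist(hashes: set, candidates: list) -> tuple:
    """Match each candidate hostname against the hashed allowlist.

    Returns (recovered, unresolved): `recovered` maps each matched hash to
    the hostname that produced it; `unresolved` holds hashes that no
    candidate matched. A hash matches only if its hostname is on the list,
    so a defender can audit exactly which hosts bypass click-to-play.
    """
    recovered = {}
    for host in candidates:
        digest = sha256_hex(host)
        if digest in hashes:
            recovered[digest] = host.strip().lower()
    unresolved = set(hashes) - set(recovered)
    return recovered, unresolved


def is_allowlisted(hostname: str, hashes: set) -> bool:
    """Direct membership check: would this hostname get the autorun exemption?"""
    return sha256_hex(hostname) in hashes


if __name__ == "__main__":
    found, missing = recover_allowlist(SAMPLE_ALLOWLIST_HASHES, CANDIDATE_HOSTNAMES)
    for digest, host in sorted(found.items(), key=lambda kv: kv[1]):
        print(f"{digest[:16]}...  {host}")
    print(f"{len(found)} of {len(SAMPLE_ALLOWLIST_HASHES)} hashes recovered, "
          f"{len(missing)} unresolved")
```

The unresolved set is the honest output of this kind of audit: a hash with no match in your dictionary is still an active exemption, just one you cannot name, which is exactly the situation the researcher was left in with two of the 58 entries.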


