Author Topic: Microsoft Edge Secret Whitelist Allows Facebook to Autorun Flash

javajolt
Microsoft Edge Secret Whitelist Allows Facebook to Autorun Flash
« on: February 21, 2019, 10:58:42 AM »
Microsoft's Edge web browser comes with a hidden whitelist file designed to allow Facebook to circumvent the built-in click-to-play security policy to autorun Flash content without having to ask for user consent.

According to the initial bug report filed by Google Project Zero's Ivan Fratric on November 26:

Quote
In Microsoft Windows, there is a file C:\Windows\system32\edgehtmlpluginpolicy.bin that contains the default whitelist of domains that can bypass Flash click2play and load Flash content without getting user confirmation in Microsoft Edge.

The current version of the previously secret Edge whitelist will only allow Facebook to bypass the Flash click-to-play policy on its www.facebook.com and apps.facebook.com domains, a policy which is currently enforced for all other domains not present on this list.

In his bug report, the security researcher also highlighted the security implications of having a Flash autorun whitelist bundled with a web browser, especially given the number of Flash security patches issued by Adobe almost every month.

Quote
This whitelist is insecure for multiple reasons:
 - An XSS vulnerability on any of the domains would allow bypassing click2play policy.
 - There are already *publicly known* and *unpatched* instances of XSS vulnerabilities on at least some of the whitelisted domains, for example http://www.openbugbounty.org/reports/582253/ and http://www.openbugbounty.org/reports/444528/ and http://www.openbugbounty.org/reports/130555/
 - The whitelist is not limited to http (this wouldn't work anyway as some of the whitelisted domains don't support http at all). Even in the absence of an XSS vulnerability, this would allow a MITM attacker to bypass the click2play policy.

The issue reported by Fratric was partially addressed by Microsoft during this month's Patch Tuesday by trimming the whitelist down to the two Facebook domains and by adding http support as a requirement for all the entries on the whitelist to mitigate the possibility of MITM attacks.

However, back in November, the security researcher had found 58 SHA-256 domain hashes in the whitelist shipped with Windows 10 v1803, and he was able to recover the plaintext names of 56 of those sites.
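To make the two weaknesses concrete (hashed entries that are trivially recoverable from a list of candidate host names, and a whitelist match that does not depend on the transport), here is an added Python model of such a policy check; this is constructed example code, not Microsoft's code and not the real edgehtmlpluginpolicy.bin format, which the post does not describe. The `require_https` switch is my reading of the MITM mitigation mentioned in the post: an entry only matches when the page is served over TLS.

```python
"""Constructed model of a hashed Flash click-to-play whitelist.
Not the real edgehtmlpluginpolicy.bin layout; it only illustrates the logic."""
import hashlib
from urllib.parse import urlsplit


def domain_hash(host: str) -> str:
    # SHA-256 of the lowercase host name, the form the post says entries were stored in.
    return hashlib.sha256(host.lower().encode("ascii")).hexdigest()


# Constructed whitelist: the two domains the trimmed list kept, plus one
# placeholder entry whose plaintext is deliberately absent from our dictionary
# (standing in for the two names the researcher could not recover).
WHITELIST_HASHES = {
    domain_hash("www.facebook.com"),
    domain_hash("apps.facebook.com"),
    "0" * 64,  # placeholder, not a real hash from the page
}


def recover_names(hashes, candidates):
    """Map hashes back to host names by hashing a candidate list.

    A hash of a guessable input gives no confidentiality: anyone holding
    the file and a list of popular host names recovers most entries."""
    table = {domain_hash(c): c for c in candidates}
    return {h: table.get(h) for h in hashes}


def flash_autoruns(url: str, hashes, require_https: bool) -> bool:
    """Policy check: does content at this URL bypass click-to-play?

    require_https=False models the original list, where a plain-http page
    on a whitelisted host would match even if served by a MITM.
    require_https=True models the post-patch transport requirement."""
    parts = urlsplit(url)
    if parts.hostname is None:
        return False
    if require_https and parts.scheme != "https":
        return False
    # Exact host match: a look-alike such as www.facebook.com.example
    # hashes to something else and does not match.
    return domain_hash(parts.hostname) in hashes
```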

You can find all of the 58 entries present in the original Microsoft Edge Flash whitelist below:







The choice to store the whitelist entries as hashes, and the decision to keep Facebook's domains whitelisted even after this month's Patch Tuesday, are two further questions that only Microsoft can answer. While Microsoft eventually got around to partially addressing the issue Fratric reported back in November 2018, the security researcher is still dumbfounded by Redmond's choice to use a Flash whitelist in the first place.



Microsoft is not the first to ship a Flash whitelist. In June 2015, NoScript was also found to whitelist a few dozen domains that could run Flash, Java, and/or JavaScript content, while the Firefox add-on blocked that type of content on every other domain not on its shortlist.

source
« Last Edit: February 21, 2019, 11:02:04 AM by javajolt »