#1
Serious vulnerability in Edge
Not a cause for panic, but worrisome for people who use Edge:
https://www.zdnet.com/article/micros...d-users-backs/

Nutshell: Edge has a hidden whitelist that allows major sites to run Flash regardless of settings, it can run in relatively insecure http, and any cross-site scripting weaknesses on those sites could be a risk. In other words, the worst security risk ever, aside from javascript itself, is not being blocked, even if you think it is.
#2
Mayayana wrote:
> Not a cause for panic, but worrisome for people who use Edge:
> https://www.zdnet.com/article/micros...d-users-backs/
>
> Nutshell: Edge has a hidden whitelist that allows major sites to run Flash regardless of settings, it can run in relatively insecure http, and any cross-site scripting weaknesses on those sites could be a risk. In other words, the worst security risk ever, aside from javascript itself, is not being blocked, even if you think it is.

I thought by now and a lot earlier that users would've disabled Flash support in Edge.
https://www.laptopmag.com/articles/d...0-edge-browser

Both Firefox and Chrome still have Flash support, but I disabled that long ago.
#3
"VanguardLH" wrote
| I thought by now and a lot earlier that users would've disabled Flash
| support in Edge.

If I understood it correctly, the point here is that it bypasses whatever setting you might choose.
#4
Mayayana wrote:
> "VanguardLH" wrote
> | I thought by now and a lot earlier that users would've disabled Flash
> | support in Edge.
>
> If I understood it correctly, the point here is that it bypasses whatever setting you might choose.

From what I read, the vulnerability exists if you set the web browser to show a placeholder and expect to use Click-n-Play to run the Flash script. What the article you referenced said was:

  The whitelist allows Facebook Flash content to bypass Edge security features such as the click-to-play policy that normally prevents websites from running Flash code without user approval beforehand.

and:

  Ivan Fratric, the Google Project Zero security researcher who found this whitelist, described the security flaws he found as follows:
  - An XSS vulnerability on any of the domains would allow bypassing click2play policy [and running malicious Flash code on these domains].
  - There are already *publicly known* and *unpatched* instances of XSS vulnerabilities on at least some of the whitelisted domains.
  - The whitelist is not limited to https. Even in the absence of an XSS vulnerability, this would allow a MITM attacker to bypass the click2play policy.

It is the Click-to-Play feature aka policy that is getting bypassed. There is no mention if disabling Flash is also bypassed, so it appears those who disable Flash (forcing the site to deliver HTML5 video or refusing any Flashing content) are not affected by the buried whitelist.

Since sites, even Youtube, have been migrating to HTML5 video, and especially because Adobe is dropping support for it in 2020, users shouldn't need Flash at all. There are still some sites that have Flash content but often they also have HTML5 video content. There are game sites that still require Flash but they'll die off in 2020 unless they move to HTML-coded games. This isn't conjecture. Adobe has themselves announced Flash will have funeral services:

  In July 2017, Adobe announced[15] that it would end support for Flash Player in 2020, and continued to encourage the use of open HTML5 standards in place of Flash.
  (https://en.wikipedia.org/wiki/Adobe_Flash_Player)

Also see: https://theblog.adobe.com/adobe-flash-update/ ("we will stop updating and distributing the Flash Player at the end of 2020").

After the first 3 horses cross the finish line, you don't have to hang around waiting to see who came in last. Users don't have to wait to disable Flash in their web browsers.

If you enable Click-to-Play mode for Flash, sites can still see the web browser has Flash support; i.e., the Flash fingerprint still exists and the site can still deliver Flash if it has a choice between Flash and HTML5 video for the same content. If you completely disable Flash, sites can't see whether the visiting client supports Flash or not. There are sites you can use to test what client fingerprints a site can determine. Enable Click-to-Play and the test shows the site can see your client has Flash support. Disable Flash and the site reports that your client doesn't have Flash support.

https://www.whatismybrowser.com/dete...lash-installed

Of course, that Flash is vulnerable is not news to visitors here and most here should've already disabled it, not just prompt for when to use it. The horde of common users don't visit here, so they aren't the type to alter the config of their web browser nor would they know about the vulnerability where Click-to-Play can get bypassed. So, we're discussing amongst the already educated what the uneducated are afflicted with.

Since Flash is something that I would immediately disable after installing a web browser (as part of visiting all of its settings), I can't say if Flash is enabled or disabled by default in which web browsers. If Flash is disabled, the Click-to-Play option is void.
#5
"VanguardLH" wrote
| From what I read, the vulnerability exists if you set the web browser to
| show a placeholder and expect to use Click-n-Play to run the Flash
| script. What the article you referenced said was:

Thanks. On a reread your interpretation sounds right. The headline talks about "bypassing normal security policies" and they never explicitly said it was only Click-n-Play. So I'd assumed they also meant it would run Flash even if you had disabled it. I've never actually had Flash installed on any computer, so I didn't realize the only way to stop it was Click-n-Play.

It gets complicated. Flash used to be controllable by not allowing ActiveX, but since Edge doesn't support ActiveX, I assume they either made an exception for Flash while removing the settings for ActiveX, or they're using a different kind of executable to run Flash in Edge.
#6
On 02/21/2019 05:05 AM, Mayayana wrote:
> "VanguardLH" wrote
> | From what I read, the vulnerability exists if you set the web browser to
> | show a placeholder and expect to use Click-n-Play to run the Flash
> | script. What the article you referenced said was:
>
> Thanks. On a reread your interpretation sounds right. The headline talks about "bypassing normal security policies" and they never explicitly said it was only Click-n-Play. So I'd assumed they also meant it would run Flash even if you had disabled it. I've never actually had Flash installed on any computer, so I didn't realize the only way to stop it was Click-n-Play.
>
> It gets complicated. Flash used to be controllable by not allowing ActiveX, but since Edge doesn't support ActiveX, I assume they either made an exception for Flash while removing the settings for ActiveX, or they're using a different kind of executable to run Flash in Edge.

This link to a more complete article
https://bugs.chromium.org/p/project-...detail?id=1722
was posted to alt.os.linux yesterday.

The secret whitelist used to contain 58 entries. But now it's "fixed" - The whitelist was trimmed down to just 2 entries:

5e50a8b6afbcc3d33e38f30ba7a29542261e1191631481adbb7ef36bc63dc768:1:https://www.facebook.com
f363c150f2c13e39b50ff011438b4ba54ce67a433dd0f2cce9caa33dd3e3e0e4:1:https://apps.facebook.com
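
Added example, not part of any post in this thread and not Edge's own code: a sketch of why "The whitelist is not limited to https" matters, using the two origins quoted above. The host-only matching rule, the function names and the sample URLs are assumptions made for illustration.

```javascript
// Illustrative model only (assumption): an allowlist that exempts pages from
// click-to-play. The two origins are the ones quoted in the thread.
const ALLOWLIST = ["https://www.facebook.com", "https://apps.facebook.com"];

// Parse a URL, returning null instead of throwing on malformed input.
function parse(pageUrl) {
  try {
    return new URL(pageUrl);
  } catch (e) {
    return null;
  }
}

// Weak form (assumed): only the hostname is compared, so the scheme and port
// are ignored and a plaintext http:// page is exempted as well.
function exemptByHostOnly(pageUrl) {
  const u = parse(pageUrl);
  return u !== null && ALLOWLIST.some((e) => new URL(e).hostname === u.hostname);
}

// Hardened form: the full origin (scheme + host + port) must match, so only
// pages delivered over HTTPS from the listed origins are exempted.
function exemptByOrigin(pageUrl) {
  const u = parse(pageUrl);
  return u !== null && ALLOWLIST.some((e) => new URL(e).origin === u.origin);
}

// Constructed sample URLs, not taken from the thread or the bug report.
const SAMPLES = [
  "https://www.facebook.com/video",
  "http://www.facebook.com/video",          // plaintext: alterable in transit
  "https://www.facebook.com.example.net/",  // lookalike host, never listed
  "https://apps.facebook.com:8443/",        // other port = other origin
  "not a url",
];

// Evaluate both rules side by side for each sample.
function compare(urls) {
  return urls.map((url) => ({
    url,
    hostOnly: exemptByHostOnly(url),
    origin: exemptByOrigin(url),
  }));
}

console.table(compare(SAMPLES));
```

Rows where `hostOnly` is true and `origin` is false are the cases that a scheme-agnostic exemption lets through and an origin-bound one does not.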
#7
On 2019-02-20 17:13, Mayayana wrote:
> Not a cause for panic, but worrisome for people who use Edge:
> https://www.zdnet.com/article/micros...d-users-backs/
>
> Nutshell: Edge has a hidden whitelist that allows major sites to run Flash regardless of settings, it can run in relatively insecure http, and any cross-site scripting weaknesses on those sites could be a risk. In other words, the worst security risk ever, aside from javascript itself, is not being blocked, even if you think it is.

If I understand correctly, this problem goes completely away if you don't use Edge, whether or not Flash is installed or had even come within 100 metres of the computer in question. Correct?
#8
"Panthera Tigris Altaica" wrote
| If I understand correctly, this problem goes completely away if you
| don't use Edge, whether or not Flash is installed or had even come
| within 100 metres of the computer in question. Correct?

Yes. It's Edge-specific. Though if someone knows enough not to use Edge, despite Microsoft's prodding, then they probably know enough not to use Flash. But I guess some people use click-to-run Flash in FF. The difference is that MS has created an exception list for Edge, presumably to make things appear to run more smoothly for people who don't understand that they need to click an icon for it to work.