A Windows XP help forum. PCbanter


Serious vulnerability in Edge



 
 
  #1  
Old February 20th 19, 10:13 PM posted to alt.comp.os.windows-10
Mayayana
external usenet poster
 
Posts: 6,438
Default Serious vulnerability in Edge

Not a cause for panic, but worrisome for people who use Edge:

https://www.zdnet.com/article/micros...d-users-backs/

Nutshell: Edge has a hidden whitelist that allows major sites
to run Flash regardless of settings, it can run in relatively
insecure http, and any cross-site scripting weaknesses on
those sites could be a risk. In other words, the worst security
risk ever, aside from javascript itself, is not being blocked,
even if you think it is.


  #2  
Old February 20th 19, 10:58 PM posted to alt.comp.os.windows-10
VanguardLH[_2_]
external usenet poster
 
Posts: 10,881
Default Serious vulnerability in Edge

Mayayana wrote:

Not a cause for panic, but worrisome for people who use Edge:

https://www.zdnet.com/article/micros...d-users-backs/

Nutshell: Edge has a hidden whitelist that allows major sites
to run Flash regardless of settings, it can run in relatively
insecure http, and any cross-site scripting weaknesses on
those sites could be a risk. In other words, the worst security
risk ever, aside from javascript itself, is not being blocked,
even if you think it is.


I thought by now and a lot earlier that users would've disabled Flash
support in Edge.

https://www.laptopmag.com/articles/d...0-edge-browser

Both Firefox and Chrome still have Flash support, but I disabled that
long ago.
  #3  
Old February 21st 19, 02:48 AM posted to alt.comp.os.windows-10
Mayayana
external usenet poster
 
Posts: 6,438
Default Serious vulnerability in Edge

"VanguardLH" wrote

|
| I thought by now and a lot earlier that users would've disabled Flash
| support in Edge.
|

If I understood it correctly, the point here is that it
bypasses whatever setting you might choose.


  #4  
Old February 21st 19, 06:58 AM posted to alt.comp.os.windows-10
VanguardLH[_2_]
external usenet poster
 
Posts: 10,881
Default Serious vulnerability in Edge

Mayayana wrote:

"VanguardLH" wrote

|
| I thought by now and a lot earlier that users would've disabled Flash
| support in Edge.
|

If I understood it correctly, the point here is that it
bypasses whatever setting you might choose.


From what I read, the vulnerability exists if you set the web browser to
show a placeholder and expect to use Click-n-Play to run the Flash
script. What the article you referenced said was:

The whitelist allows Facebook Flash content to bypass Edge security
features such as the click-to-play policy that normally prevents
websites from running Flash code without user approval beforehand.

and:

Ivan Fratric, the Google Project Zero security researcher who found
this whitelist, described the security flaws he found as follows:

- An XSS vulnerability on any of the domains would allow bypassing
click2play policy [and running malicious Flash code on these
domains].
- There are already *publicly known* and *unpatched* instances of XSS
vulnerabilities on at least some of the whitelisted domains.
- The whitelist is not limited to https. Even in the absence of an XSS
vulnerability, this would allow a MITM attacker to bypass the
click2play policy.

It is the Click-to-Play feature aka policy that is getting bypassed.
There is no mention if disabling Flash is also bypassed, so it appears
those who disable Flash (forcing the site to deliver HTML5 video or
refusing any Flashing content) are not affected by the buried whitelist.

Since sites, even Youtube, have been migrating to HTML5 video, and
especially because Adobe is dropping support for it in 2020, users
shouldn't need Flash at all. There are still some sites that have Flash
content but often they also have HTML5 video content. There are game
sites that still require Flash but they'll die off in 2020 unless they
move to HTML-coded games. This isn't conjecture. Adobe has themselves
announced Flash will have funeral services:

In July 2017, Adobe announced[15] that it would end support for Flash
Player in 2020, and continued to encourage the use of open HTML5
standards in place of Flash.
(https://en.wikipedia.org/wiki/Adobe_Flash_Player)

Also see: https://theblog.adobe.com/adobe-flash-update/ ("we will stop
updating and distributing the Flash Player at the end of 2020").

After the first 3 horses cross the finish line, you don't have to hang
around waiting to see who came in last. Users don't have to wait to
disable Flash in their web browsers.

If you enable Click-to-Play mode for Flash, sites can still see the web
browser has Flash support; i.e., the Flash fingerprint still exists and
the site can still deliver Flash if it has a choice between Flash and
HTML5 video for the same content. If you completely disable Flash,
sites can't see whether the visiting client supports Flash or not.
There are sites you can use to test what client fingerprints a site can
determine. Enable Click-to-Play and the test shows the site can see
your client has Flash support. Disable Flash and the site reports that
your client doesn't have Flash support.

https://www.whatismybrowser.com/dete...lash-installed

Of course, that Flash is vulnerable is not news to visitors here and
most here should've already disabled it, not just prompt for when to use
it. The horde of common users don't visit here, so they aren't the type
to alter the config of their web browser nor would they know about the
vulnerability where Click-to-Play can get bypassed. So, we're
discussing amongst the already educated what the uneducated are
afflicted with. Since Flash is something that I would immediately disable
after installing a web browser (as part of visiting all of its
settings), I can't say if Flash is enabled or disabled by default in
which web browsers. If Flash is disabled, the Click-to-Play option is
void.
  #5  
Old February 21st 19, 01:05 PM posted to alt.comp.os.windows-10
Mayayana
external usenet poster
 
Posts: 6,438
Default Serious vulnerability in Edge

"VanguardLH" wrote


| From what I read, the vulnerability exists if you set the web browser to
| show a placeholder and expect to use Click-n-Play to run the Flash
| script. What the article you referenced said was:
|

Thanks. On a reread your interpretation sounds right. The
headline talks about "bypassing normal security policies" and
they never explicitly said it was only Click-n-Play. So I'd
assumed they also meant it would run Flash even if you had
disabled it. I've never actually had Flash installed on any
computer, so I didn't realize the only way to stop it was
Click-n-Play. It gets complicated. Flash used to be controllable
by not allowing ActiveX, but since Edge doesn't support
ActiveX, I assume they either made an exception for Flash
while removing the settings for ActiveX, or they're using a
different kind of executable to run Flash in Edge.


  #6  
Old February 21st 19, 09:43 PM posted to alt.comp.os.windows-10
rabit
external usenet poster
 
Posts: 3
Default Serious vulnerability in Edge

On 02/21/2019 05:05 AM, Mayayana wrote:
"VanguardLH" wrote


| From what I read, the vulnerability exists if you set the web browser to
| show a placeholder and expect to use Click-n-Play to run the Flash
| script. What the article you referenced said was:
|

Thanks. On a reread your interpretation sounds right. The
headline talks about "bypassing normal security policies" and
they never explicitly said it was only Click-n-Play. So I'd
assumed they also meant it would run Flash even if you had
disabled it. I've never actually had Flash installed on any
computer, so I didn't realize the only way to stop it was
Click-n-Play. It gets complicated. Flash used to be controllable
by not allowing ActiveX, but since Edge doesn't support
ActiveX, I assume they either made an exception for Flash
while removing the settings for ActiveX, or they're using a
different kind of executable to run Flash in Edge.


This link to a more complete article
https://bugs.chromium.org/p/project-...detail?id=1722
was posted to alt.os.linux yesterday.

The secret whitelist used to contain 58 entries.
But now it's "fixed"
- The whitelist was trimmed down to just 2 entries:

5e50a8b6afbcc3d33e38f30ba7a29542261e1191631481adbb7ef36bc63dc768:1:https://www.facebook.com
f363c150f2c13e39b50ff011438b4ba54ce67a433dd0f2cce9caa33dd3e3e0e4:1:https://apps.facebook.com
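
Added example (not written by any poster in this thread, and not Edge's own code): Fratric's point quoted in post #4, that the whitelist was not limited to https, comes down to whether a match compares the whole origin or only the host. The sketch below parses entries in the `hash:1:origin` layout shown in the post above, flags entries that are not https, and contrasts a host-only check with an exact-origin check; the function names, the third sample entry and the field names are assumptions.

```javascript
// Entries in the "<64 hex>:<flag>:<origin>" layout quoted in the post above.
// The first two are the entries from the post; the third is constructed.
const SAMPLE_ENTRIES = [
  "5e50a8b6afbcc3d33e38f30ba7a29542261e1191631481adbb7ef36bc63dc768:1:https://www.facebook.com",
  "f363c150f2c13e39b50ff011438b4ba54ce67a433dd0f2cce9caa33dd3e3e0e4:1:https://apps.facebook.com",
  "0".repeat(64) + ":1:http://video.example", // constructed plain-http entry
];

// Parse one entry; returns null when the line does not match the layout.
// The meaning of the middle field is not stated on the page, so it is kept as-is.
function parseEntry(line) {
  const m = /^([0-9a-f]{64}):(\d+):(\S+)$/.exec(line.trim());
  if (!m) return null;
  let url;
  try { url = new URL(m[3]); } catch { return null; }
  return { hash: m[1], flag: m[2], origin: url.origin, scheme: url.protocol };
}

// Audit: origins of entries that would accept content over a non-TLS connection.
function auditEntries(lines) {
  return lines.map(parseEntry)
    .filter((e) => e !== null && e.scheme !== "https:")
    .map((e) => e.origin);
}

// Weak check: compares hostnames only, so http and https pages both match.
function hostOnlyAllowed(pageUrl, entries) {
  const host = new URL(pageUrl).hostname;
  return entries.some((e) => new URL(e.origin).hostname === host);
}

// Hardened check: the page must be https and its full origin must match exactly.
function originAllowed(pageUrl, entries) {
  const u = new URL(pageUrl);
  return u.protocol === "https:" && entries.some((e) => e.origin === u.origin);
}

const parsedEntries = SAMPLE_ENTRIES.map(parseEntry);
console.log("non-https entries:", auditEntries(SAMPLE_ENTRIES));
console.log("host-only, http page:", hostOnlyAllowed("http://www.facebook.com/app", parsedEntries));
console.log("exact-origin, http page:", originAllowed("http://www.facebook.com/app", parsedEntries));
```
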


  #7  
Old February 21st 19, 10:17 PM posted to alt.comp.os.windows-10
Panthera Tigris Altaica
external usenet poster
 
Posts: 102
Default Serious vulnerability in Edge

On 2019-02-20 17:13, Mayayana wrote:
Not a cause for panic, but worrisome for people who use Edge:

https://www.zdnet.com/article/micros...d-users-backs/

Nutshell: Edge has a hidden whitelist that allows major sites
to run Flash regardless of settings, it can run in relatively
insecure http, and any cross-site scripting weaknesses on
those sites could be a risk. In other words, the worst security
risk ever, aside from javascript itself, is not being blocked,
even if you think it is.


If I understand correctly, this problem goes completely away if you
don't use Edge, whether or not Flash is installed or had even come
within 100 metres of the computer in question. Correct?
  #8  
Old February 22nd 19, 03:48 AM posted to alt.comp.os.windows-10
Mayayana
external usenet poster
 
Posts: 6,438
Default Serious vulnerability in Edge

"Panthera Tigris Altaica" wrote

| If I understand correctly, this problem goes completely away if you
| don't use Edge, whether or not Flash is installed or had even come
| within 100 metres of the computer in question. Correct?

Yes. It's Edge-specific. Though if someone knows
enough not to use Edge, despite Microsoft's prodding,
then they probably know enough not to use Flash.
But I guess some people use click-to-run Flash in FF.
The difference is that MS has created an exception
list for Edge, presumably to make things appear to
run more smoothly for people who don't understand
that they need to click an icon for it to work.


 




All times are GMT +1.