Microsoft Edge lets Facebook run Flash content without consent

Despite security policies requiring user permission for websites to run Flash content, Microsoft Border has a hidden whitelist that allows Facebook to run Flash code without consent.

As kickoff reported by ZDNet, the whitelist was discovered by Google Project Zero security researcher Ivan Fratic, who also found security flaws involving the whitelist. The flaws include:

An XSS vulnerability on any of the domains would allow bypassing click2play policy [and running malicious Wink code on these domains].

There are already publicly known and unpatched instances of XSS vulnerabilities on at least some of the whitelisted domains.

The whitelist is not limited to https. Fifty-fifty in the absenteeism of an XSS vulnerability, this would allow a MITM attacker to bypass the click2play policy.

Microsoft Edge currently relies on a click-to-play policy for Flash, which explicitly requires users permission to run whatever Flash-based content. The secret whitelist allows Facebook to bypass this policy for Flash widgets sized at over 398x298 pixels and are hosted on https://world wide web.facebook.com and https://apps.facebook.com. Every bit ZDNet speculates, this is likely then that Edge will keep to support Facebook's legacy collection of Flash games. However, when reached for annotate, Facebook told ZDNet that it never asked Microsoft to exist added to a whitelist and it has since requested Microsoft to be excluded from the listing.

While the two Facebook domains are the only ones currently included on the whitelist, information technology was much bigger prior to February. When it was originally discovered, the list contained a full of 58 URLs, including entries for Microsoft's own site, forth with Deezer, Yahoo, and more. After the list's discovery, Fratric filed a bug report with Microsoft in November. The whitelist was pared down to the two Facebook URLs with this month's "Patch Tuesday" updates.

While Microsoft didn't comment on the list directly, the company told ZDNet in a statement: "We are nearing the indicate where Flash is no longer part of the default experience in Microsoft Border on whatsoever site and the recent changes in Feb were the next step of the transition plan."

Due to security concerns, all major browsers take implemented "click-to-play" policies regarding Flash content. Adobe, the company behind Wink, has outlined plans to retire it by 2022. Microsoft, meanwhile, has appear plans to switch Edge from its own EdgeHTML engine to Chromium.

This huge Xbox 'Quick Resume' update will give gamers more control

Xbox Insiders Update

This huge Xbox 'Quick Resume' update volition give gamers more command

Microsoft is adding a new feature to Xbox consoles, allowing yous to permanently store up to ii games in a Quick Resume country at all times. The feature is heading out outset to Xbox Insiders in the Alpha testing band before hitting the full general public.