Microsoft eliminates secret Flash whitelist after Google highlights its insecurity




In 2017, Microsoft changed its Edge browser so that Flash content was click-to-run (or disabled completely) on virtually every website. A handful of sites, however, were to be whitelisted because of a combination of their dependence on Flash and their great popularity.

The whitelist was intended to ease the transition to a world that uses HTML5 for rich interactive content and to limit the impact of any future Flash vulnerability. At the same time, the list would still allow sites with Flash-dependent content to keep working. If only a few trusted sites can run Flash content by default, it should be much harder for bad actors to take advantage of Flash's flaws. Other browsers adopted a similar approach. Google, for example, whitelisted the top 10 Flash sites for a year after Chrome switched to "click-to-run".

But Google worked out how the Edge whitelist worked (via ZDNet) and found that its implementation left something to be desired. The list held 58 sites (including 56 identified by Google). Some were not surprising; most entries are sites with a considerable number of Flash games, including Facebook. Others seemed stranger; a Spanish hairdresser, for example, was listed.

Many of these sites had unresolved cross-site scripting bugs. With these flaws, an attacker can inject code into the page so that the code appears to come from the site in question. This code can, in turn, be used to load Flash content that exploits bugs in the Flash player. In addition, a number of the sites do not support secure connections, which means that it would be easy to tamper with their traffic and inject hostile Flash content in the same way.

Google duly reported the bug to Microsoft, and the hotfix update on Tuesday last week cleared out the whitelist. From now on, only two domains are allowed to load Flash content, namely www.facebook.com and apps.facebook.com, and these domains can only load Flash content when they are accessed securely via HTTPS. Flash content must also be larger than 398 × 298 pixels, which means that it must be a major feature of the page rather than something stealthy used to exploit someone.
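The tightened rules amount to three checks on the embedding page and the Flash element. The JavaScript below is an added illustration, not Microsoft's code and not part of the original article. The function names, the `legacy-games.example` host, and the reading of the size rule as width above 398 and height above 298 are assumptions.

```javascript
// Added illustration only; policy values are the ones quoted in the article.
const ALLOWED_HOSTS = new Set(["www.facebook.com", "apps.facebook.com"]);
const MIN_WIDTH = 398;  // assumed reading: width must exceed this
const MIN_HEIGHT = 298; // assumed reading: height must exceed this

// Assumed model of a host-only allow-list: the scheme is never inspected,
// so a listed site served over plain HTTP still qualifies.
function hostOnlyAllows(pageUrl, hosts) {
  try {
    return hosts.has(new URL(pageUrl).hostname);
  } catch {
    return false; // unparseable URL
  }
}

// Tightened policy: HTTPS only, exact host match, and a visible element.
function hardenedAllows(pageUrl, width, height) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return { allowed: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") {
    return { allowed: false, reason: "not HTTPS" };
  }
  // Compare the parsed hostname exactly; a substring or suffix test would
  // accept look-alike hosts and userinfo tricks.
  if (!ALLOWED_HOSTS.has(url.hostname)) {
    return { allowed: false, reason: "host not on allow-list" };
  }
  if (!(width > MIN_WIDTH && height > MIN_HEIGHT)) {
    return { allowed: false, reason: "content too small" };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample host, standing in for an entry on the older, longer list.
const LEGACY_HOSTS = new Set(["www.facebook.com", "legacy-games.example"]);
```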

