Until this month, Microsoft’s Windows 10 Edge browser could skip over its own “Are you sure?” warnings about Flash content on 58 websites, thanks to a bypass list kept hidden from users.
Google Project Zero researcher Ivan Fratric said he stumbled on the list last November when he analysed domain hashes inside the edgehtmlpluginpolicy.bin file.
Fratric eventually resolved 56 of the 58 hashes to be a bypass list of domains that included Facebook, MSN, Deezer, and Yahoo Japan, which all contain some legacy Flash content.
Having a bypass list built into Edge is risky, says Fratric.
Flash is well-known for vulnerabilities, which is why users are regularly reminded either to run it only when necessary or, better still, not run it at all.
Although the setting had limitations (the content must be hosted on the same domain or larger than 398×298 pixels), Fratric said he was alarmed at the reasoning behind having a list of this sort inside Edge that users know nothing about.
Some of the domains didn’t implement HTTPS security, which meant:
Even in the absence of an XSS vulnerability, this would allow a MITM attacker to bypass the click2play policy.
Click-to-run confusion
Although far fewer websites are using Flash than a few years ago, Flash hasn’t disappeared entirely.
As a result, some browsers still have Flash built in, although how each browser supports it varies slightly.
Chrome, Opera and Edge include Flash but disable it by default – users must choose to turn it on, implemented in Edge through something called click-to-run.
(Firefox and Safari don’t have Flash at all by default, so you have to download an Adobe plug-in to get Flash working.)
From Windows 10 version 1703 onwards, running Flash under Edge’s click-to-run setting was deliberately made more inconvenient.
First, you had to enable Flash, and then you’d see a “Do you want to allow Adobe Flash to run on this site?” pop-up every time you came across a site that wanted to use it.
The only way around the recurring pop-ups was to choose the “Always allow” option – except that it now seems Microsoft had a hidden list that would quietly sidestep the pop-up on your behalf for 58 sites.
In February’s Patch Tuesday, Microsoft trimmed the Edge bypass list from 58 entries to just two, both of them Facebook domains, and forced the use of HTTPS.
The issue of Edge running Flash without a pop-up it may go away in due course – Flash is on the chopping block from 2020 – but just how long Flash’s actual Goobye, Farewell and Amen moment will take is anybody’s guess.