Microsoft culls secret Flash whitelist after Google points out its insecurity

scottalanmiller

Previously, some 58 sites were given special treatment. Now it's only Facebook.

In 2017, Microsoft changed its Edge browser so that Flash content would be click-to-run (or disabled outright) on virtually every site on the Web. A handful of sites were to be whitelisted, however, due to a combination of Flash dependence and high popularity.

The whitelist was intended to make it easier to move to a world using HTML5 for rich interactive content and to limit the impact of any future Flash vulnerabilities. At the same time, the list would still allow sites with complex Flash-dependent content to keep on running. If only a few trusted sites can run Flash content by default, it should be much harder for bad actors to take advantage of Flash flaws. A similar approach was adopted by other browsers; Google, for example, whitelisted the top-10 Flash-using sites for one year after switching Chrome to "click-to-run."

But Google figured out how Edge's whitelist worked (via ZDNet) and found that its implementation left something to be desired. The list of 58 sites (56 of which have been identified by Google) including some that were unsurprising; many of the entries are sites with considerable numbers of Flash games, including Facebook. Others seemed more peculiar; a Spanish hair salon, for example, was listed.

IRJ

@scottalanmiller said in Microsoft culls secret Flash whitelist after Google points out its insecurity:

Others seemed more peculiar; a Spanish hair salon, for example, was listed.*

Wtf

scottalanmiller

@IRJ said in Microsoft culls secret Flash whitelist after Google points out its insecurity:

@scottalanmiller said in Microsoft culls secret Flash whitelist after Google points out its insecurity:

Others seemed more peculiar; a Spanish hair salon, for example, was listed.*

Wtf

LMAO, some funny stuff, for sure.

IRJ

@scottalanmiller said in Microsoft culls secret Flash whitelist after Google points out its insecurity:

@IRJ said in Microsoft culls secret Flash whitelist after Google points out its insecurity:

@scottalanmiller said in Microsoft culls secret Flash whitelist after Google points out its insecurity:

Others seemed more peculiar; a Spanish hair salon, for example, was listed.*

Wtf

LMAO, some funny stuff, for sure.

I feel like this should be a much bigger deal.... What possible justification could there be for this?

wrx7m

@IRJ said in Microsoft culls secret Flash whitelist after Google points out its insecurity:

@scottalanmiller said in Microsoft culls secret Flash whitelist after Google points out its insecurity:

Others seemed more peculiar; a Spanish hair salon, for example, was listed.*

Wtf

I wonder if it was always a Spanish hair salon or if someone else owned it.