In 2017, Microsoft changed its Edge browser so that Flash content would be click-to-run (or disabled outright) on virtually every site on the Web. A handful of sites were to be whitelisted, however, due to a combination of Flash dependence and high popularity.
The whitelist was intended to make it easier to move to a world using HTML5 for rich interactive content and to limit the impact of any future Flash vulnerabilities. At the same time, the list would still allow sites with complex Flash-dependent content to keep on running. If only a few trusted sites can run Flash content by default, it should be much harder for bad actors to take advantage of Flash flaws. A similar approach was adopted by other browsers; Google, for example, whitelisted the top-10 Flash-using sites for one year after switching Chrome to “click-to-run.”
But Google figured out how Edge’s whitelist worked (via ZDNet) and found that its implementation left something to be desired. The list of 58 sites (56 of which have been identified by Google) including some that were unsurprising; many of the entries are sites with considerable numbers of Flash games, including Facebook. Others seemed more peculiar; a Spanish hair salon, for example, was listed.
Of these sites, several of them had outstanding, unfixed cross-site scripting bugs. With these flaws, an attacker can inject code into the page and have that code appear to come from the sites in question. This code can, in turn, be used to load Flash content that exploited bugs in the Flash player. Moreover, a number of the sites didn’t support secure connections, meaning that it would be straightforward to tamper with their traffic to similarly inject hostile Flash content.
Google duly reported the bug to Microsoft, and the Patch Tuesday update last week gutted the whitelist. Now, only two domains are allowed to load Flash content—www.facebook.com and apps.facebook.com—and those domains can only load the Flash content when accessed securely over HTTPS. The Flash content also has to be larger than 398×298 pixels, meaning it has to be a major feature of a page rather than something sneaked in to exploit someone.