Microsoft Edge lets Facebook run Flash code behind users’ backs

February 20, 2019
in Internet Security

Microsoft’s Edge browser contains a secret whitelist that lets Facebook run Adobe Flash code behind users’ backs.

The whitelist allows Facebook Flash content to bypass Edge security features such as the click-to-play policy that normally prevents websites from running Flash code without user approval beforehand.


Prior to February 2019, the secret Flash whitelist contained 58 entries, including domains and subdomains for Microsoft’s main site, the MSN portal, music streaming service Deezer, Yahoo, and Chinese social network QQ, just to name the biggest names on the list.

Microsoft trimmed down the list to two Facebook domains earlier this month after a Google security researcher discovered several security flaws in Edge’s secret Flash whitelist mechanism.

Ivan Fratric, the Google Project Zero security researcher who found this whitelist, described the security flaws he found as follows:

– An XSS vulnerability on any of the domains would allow bypassing click2play policy [and running malicious Flash code on these domains].
– There are already *publicly known* and *unpatched* instances of XSS vulnerabilities on at least some of the whitelisted domains.
– The whitelist is not limited to https. Even in the absence of an XSS vulnerability, this would allow a MITM attacker to bypass the click2play policy.

Italic texts are additions made by ZDNet, for clarity.

Fratric filed a bug report with Microsoft last November, and Microsoft delivered a fix with this month’s Patch Tuesday fixes by restricting the list from 58 URLs to only two domains and enforcing HTTPS for all domains included on the list. The bug report also contains the original version of the whitelist, with all the 58 domains.

In its current version, Edge will allow Facebook to execute any Flash widget that has a dimension of over 398×298 pixels and is hosted on the https://www.facebook.com and https://apps.facebook.com domains. Most likely, Facebook is on Microsoft’s Edge whitelist to support the social network’s large collection of legacy Flash games.

For any other Flash widget on any other website, Edge will respect its default click-to-play policy, meaning websites are not allowed to execute Flash without users’ permission, which usually means enabling Flash execution through an address bar icon.
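To make the difference between the original and the fixed whitelist concrete, here is an added illustration (not Microsoft's or Edge's code) that models the click-to-play bypass check before and after the change described above. It assumes the two HTTPS Facebook origins and the 398×298 size threshold from the article, and it assumes "over 398×298" means both width and height must exceed the threshold.

```javascript
// Added example, not Edge's implementation: models the allowlist check
// that decides whether Flash content may skip click-to-play.

// Size threshold quoted in the article; the "both dimensions must exceed"
// reading is an assumption made for this example.
const MIN_WIDTH = 398;
const MIN_HEIGHT = 298;

// Pre-fix behaviour as Fratric described it: a hostname-only allowlist with
// no scheme restriction, so a plain-http page on the same host (which a
// network attacker can modify in transit) bypasses click-to-play as well.
function allowedByHostOnly(hostAllowlist, pageUrl) {
  let url;
  try { url = new URL(pageUrl); } catch { return false; }
  return hostAllowlist.includes(url.hostname);
}

// Post-fix behaviour: only the two HTTPS origins named in the article,
// matched on the full origin (scheme + host), plus the size threshold.
const FIXED_ALLOWLIST = ["https://www.facebook.com", "https://apps.facebook.com"];

function autoplayAllowed(pageUrl, width, height, allowlist = FIXED_ALLOWLIST) {
  let url;
  try { url = new URL(pageUrl); } catch { return false; }
  if (url.protocol !== "https:") return false;       // HTTPS enforced
  if (!allowlist.includes(url.origin)) return false;  // exact origin, no suffix tricks
  return width > MIN_WIDTH && height > MIN_HEIGHT;    // size threshold
}

// Defender's caveat: an origin allowlist cannot tell legitimate content from
// content injected via an XSS bug on that same origin, which is why shrinking
// the list (fewer trusted origins) matters as much as enforcing HTTPS.
```

Note that the pre-fix check accepts `http://www.facebook.com/...` while the post-fix check rejects it, which is exactly the MITM gap the researcher reported.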

Commenting on Twitter, the Google security researcher expressed surprise at how the whitelist was managed, by whom, and how it came to exist in the first place.

“So many sites for which I’m completely baffled as to why they’re there,” Fratric said. “Like a site of a hairdresser in Spain (dgestilistas.es, http://www.dgestilistas.es)?! I wonder how the list was formed. And if [the Microsoft Security Research Center] knew about it.”

We’ve sent requests for comment on this issue to both Facebook and Microsoft. We’ll update if the companies want to comment and provide more insight on the matter.

Adobe and major browser makers are set to sunset Flash by the end of 2020, while Microsoft has announced plans to switch Edge from its proprietary EdgeHTML browser engine to Google’s Chromium.
