Microsoft(NASDAQ:MSFT) Edge Secret Whitelist Allows Facebook(NASDAQ: FB) into Autorun Flash #Microsoft_Edge


November 15, 2019, by NewsTakers

Microsoft’s Edge web browser comes with a hidden whitelist file designed to allow Facebook to circumvent the built-in click-to-play security policy to autorun Flash content without having to ask for user consent.
In Microsoft Windows, there is a file C:\Windows\system32\edgehtmlpluginpolicy.bin that contains the default whitelist of domains that can bypass Flash click2play and load Flash content without getting user confirmation in Microsoft Edge.
The current version of the previously secret Edge whitelist only allows Facebook to bypass the Flash click-to-play policy, on its www.facebook.com and apps.facebook.com domains; the policy remains enforced for every domain not present on the list.
In his bug report, Google Project Zero researcher Ivan Fratric also highlighted the security implications of shipping a Flash autorun whitelist inside a web browser, especially given the number of Flash security patches Adobe issues almost every month.
This whitelist is insecure for multiple reasons:
– An XSS vulnerability on any of the domains would allow bypassing click2play policy.
– Even in the absence of an XSS vulnerability, this would allow a MITM attacker to bypass the click2play policy.
The issue reported by Fratric was partially addressed by Microsoft in the February 2019 Patch Tuesday updates: the whitelist was trimmed down to the two Facebook domains, and HTTPS is now required for every remaining entry, which closes the MITM bypass (a network attacker can no longer impersonate a whitelisted host over plain HTTP).
The original whitelist, as hash and recovered cleartext domain (N/A where the cleartext was not recovered):

Hash  Cleartext
01d004ae59fe9d0902b0e4526999432118199654f78b0384e4eb983e986d562d  www.pogo.com
0309388894379c1e0d01081f6f4d5d4412a82dc5b9bd66476de2270b361cecfd  www.wasu.cn
0ae9eeba3229fa449ff5fcf42692cad2305e14933a6102187e94c48346ab8c9d  www.tvnow.de
0bc8e61a5970eb325f02148c05b79d60a9a0462efc18a6a60b7f8cd2dc84ccbc  chushou.tv
0bfc80d67c9b57f3f1bb978344c8d8d6ac19786e261f98c1c9735f6ba5ec344c  more2.starfall.com
1136593de37540f6f5396fdbbf93aa070c2b1c844d2d3d06de5373831a9df3bf  loa.gtarcade.com
12055be963e0f2c7786d1283d343afbaac921513a985a21f5f83b6a82b9582e9  nseindia.com
12c3d9b1a0a1f33a7d7ab1b4ccb53c1163210ee527ad5336175eb40ff1fcfe45  N/A
2135e9b55346dd4146bbfae6f0cc896a39688d3287a952f63ae222837e5de152  www.wgt.com
22af4cad3e57873a50693fe36d6385795ae6c56e4d0d759530f263db571a6b2c  netgauge.unitel.ao
2df0e6efc506a72a4c9e91ebebe70cf8252f1ffbd8b483043b1a856b75d13ce9  www.icourses.cn
2f87a652a9d2880a3ad580ec4a91bde3f4d2d32ac8f792d4258518d46330870f  www.la7.it
2f9f879f017ebe4d6f71a0755eee3b08a5f757c0d011112ded94e6b337b3b520  www.dgestilistas.es
348374ff89afe5693015c3d38758c83867c180a8010372a564c8f5eeaf9b5d0b  www.zxxk.com
3c23924f2f71c05d3b484fbaaa6e4ab4319d5bb3f0a002688132aa0f8434fd3b  weathernews.jp
46bdf3a01ab608d1a5e68923532e610ff7725a68d4bb063c96c8dedd4617404a  bigfarm.goodgamestudios.com
4740f56f40ed20eddb576ae29fdf0c507dd06681e949bda8be5611eaf3ad9d3d  www.facebook.com
4779eb7f42cc6736ca2b1e52449799705214f2542fa4cf952e741d8dd5efad31  www.deezer.com
4f5db25a3bd2f1abf3dd1a509b2e1a6d81b9ba4428f333454c29d93e794150bc  N/A
515563682e9bfc44b6fed4459149f83ba7f207bf53f6a0208156ac7c46e59d92  yahoo-mbga.jp
51bfa3e340a5ff7dfa37ad7ad409e5a214caadd0f82fc1fef82d38b766c2f088  ok.ru
563d53ee90b355ebd7558c2d9f3bee94489d406c565f9ed5741fb59bbc734544  seer.61.com
5b13e0a388860a0f136eefdd36d2f57fb81f46588ca85e7d93a4fd24cf6462f8  empire.goodgamestudios.com
5e7fc524d10f21da23bc43f24de00967094d69d6f4ccda277fff7042024c3ce5  www.friv.com
5f832e1442b497050d79cd18b32de807e4201a3181929ade823112defa6c1079  video.baomihua.com
64e2991629e5e208874400bc1ea0161fb064f1c2397b1cedc3bb282ea3f4ee3b  hiztesti.turktelekom.com.tr
6793b64c0ccc547a01b8b6982318e25ae3dc0b91dfc09366c7f1f1b3a7fa127e  www.scholastic.com
68fc10e638f0bb2e25149d2ef8d3d87cf318bbf2de7c9aa74131d53e926fe79e  www.viz.com
881bcca2199248b7c82ed14cb1dbd6e87ac9ea899d1f9f02d13d29e837487782  www.dilidili.wang
89ac7d2d82b6a2ef952e3d627853180fb250167ed56b893647814e8374d4f5cd  games.aarp.org
900da7ee51cf43450699d9cd11e3cf6ba8d2d04d9d836cd359281d7791e328af  www.douyu.com
9adea347b4e793529c9a5e1a35e2aa7c88772b7e2a086d2d24a4f8ccbb20e3ac  rc.qzone.qq.com
9c97a59b30e879d3245139795adea4380f62e4e14149025f12f69eb3b532e518  www.nicovideo.jp
a2cf2fe6a8822459d81d15b1327b5bac601bafc460fafa716bc2dcc21e9ab50e  www.mynet.com
a77de76633b0717c62034512fb5c3fbb50633ad9b5ebef7a8acf180e455a3025  www.hotstar.com
ad973e7d68dd2c1a8e9f04886e34db40021e1e76eff3bbc53e7ab8934688a4ed  www.4399.com
b61f47eb2fc64b2ad7ee4ae780ea0ac1a886b4f02f1ec8da77db13f920b4874b  www.bilibili.com
ba33c2367ea9f0c66b5b3f345be68a0287a96ca797654c0bf9b2e584d2809ccb  www.msn.com
ba3bc78ec1f427cba6e22cbd63dae305814ca0f0740c0dbd494f804fcaef671a  zone.msn.com
c2fda282c3b5875eaeb6d27ecf62b995684d5739ba1e4082d265dd28dd98ef70  www.worldsurfleague.com
ca6efef88504373a9406ed9a31b430d6df8bb60ea630ac698b0d7c4dab0faf7a  www.stupidvideos.com
d833be74b7f95eb0ac133c5aa06c71b7792b5051b1a369740694e78525a4d872  entitlement.auth.adobe.com
dd0f56a6b1a1f2908f4ff45438ffa5e05679375ed0aade8e3ab36bf4c0bd40f4  video.fc2.com
dd2ab62df5da52e66844171efc4415a087cc1a8c432312d814a62da582f40e2d  www.ontvtime.ru
ddf38cb97def571ec55f58d372db15fe6ee01578adc85b1087823d239d758af8  apps.facebook.com
e2f07d2fb0e6beac78d55962dda9ebcedba6c3ba30bf83b0880fae69d29537bf  www.totaljerkface.com
e35635613116ae9266c41348d2f4978f093c2fe75ae91f010ad23c1be31b833c  www.hungamatv.com
e39ce3cd42a88216ff9060e8b136bdc153f52322f259321a5925e629659684f8  edu.glogster.com
e4003a967100eb3a92e9148a51e7cd302e6ca4bcc34566c671378a4b0756ef66  v.pptv.com
e4dcd660eae7eeb1ea42050b6dcb108a9bedf1a66e3791438c6abe1efc907e1b  life.pigg.ameba.jp
e57c8c0083d4ea6fb4b390682d8ad3dffaeda2d37d1c11b9d29418b4a318e1a9  www.panda.tv
e7bce4b54da6dda25cabbe9da2359fe2833c94ec1ce3edd67077a089ed76ef31  www.vudu.com
e9ce06c9a6a05878802f64fac17399cc0a8452c652403445995a90dc9b19401d  www.nseindia.com
ef7f6be560fb99cff749ac35415beeed4aa86f40e10138858289dde1284661c9  music.microsoft.com
f2313491b771d1180f9c4e9cf979820e276a7833859555976dbf4a529cb2189f  en.ikariam.gameforge.com
f4f46a8b3a55ffb3e3784e6743266ed8d7cd2fdd21f494a82e2772fc68590d1b  www.deraktionaer.tv
fcb0eec77983791a7eeb971a2320f38cdbac2ca16cf3f418f83a00a4338eafd4  www.a1.net
fee3af1754656ed83ba706b46c6fa570b020ff79ad84b5adee4882fbf6adaf0e  www.poptropica.com
The choice to store the whitelist entries as hashes rather than in cleartext, and the decision to keep Facebook's domains whitelisted even after the February 2019 Patch Tuesday, are two other questions that only Microsoft can answer. While Microsoft has partially addressed the issue Fratric reported back in November 2018, the researcher remains dumbfounded by Redmond's choice to ship a Flash whitelist in the first place.
Microsoft is not the first one to use a Flash whitelist.
February 20, 2019 07:48 PM

