Not sure how many people this will apply to (I am one of them), but in Microsoft’s infinite wisdom, they decided to ship a hidden whitelist of domains that could bypass the Click-to-Play prompt and run Flash content without asking for permission.
In Microsoft Windows, the file C:\Windows\system32\edgehtmlpluginpolicy.bin contains the default whitelist of domains that can bypass Flash click-to-play and load Flash content in Microsoft Edge without user confirmation.
Adobe Flash is one of the most attacked runtimes out there and has had multiple vulnerabilities (I am not going to list them as it would take forever). It is scheduled for retirement in December 2020 and will be replaced by HTML5 video. After that date no further patches will be issued and web browsers will cease to support it (you can read a full report over at GHacks).
On the plus side, Microsoft patched this whitelist, and now the only domain in it is Facebook. Why, I ask myself, did someone at Microsoft think this was a good idea and who decided on some of these very dodgy sounding domains, some of which don’t support https?
Most websites are now switching to HTML5 video, so this won’t last much longer, but some corporates may have legacy applications written in Flash that cannot be easily rewritten. In that case, they need to assign the resources to rewrite the application and get this malware vector out of their infrastructure.
The best advice I can give for all users (irrespective of what browser you use, an individual or a company of any size) is:
- Disable Flash in Microsoft Edge (it’s in the Settings / Advanced in v1809)
- If you have Flash installed on your PC, de-install it now
- If you don’t have Flash installed, don’t install it
- Do not respond to any requests to install it – these are nearly always malware trying to infect your system.
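As an added example (not part of the original post), the following read-only PowerShell audit script checks a Windows machine against the advice above: it reports whether the whitelist file named in this post is present (with its SHA256, so the file can be tracked across updates), whether Edge has Flash disabled by policy, and whether any Flash Player binaries or uninstall entries remain on the PC. The registry value names `FlashPlayerEnabled` and `FlashClickToRunMode` under the Edge `Addons` policy key, and the `Macromed\Flash` install directories, are assumptions based on standard Windows/EdgeHTML layouts, not taken from the post.

```powershell
# Added audit script, not from the original post. Read-only: it reports and changes nothing.
# Assumptions (not stated in the post):
#   - EdgeHTML policy values live under HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons
#     (FlashPlayerEnabled = 0 disables Flash; FlashClickToRunMode = 1 forces the prompt).
#   - Flash Player ActiveX/NPAPI binaries install under System32\Macromed\Flash and SysWOW64\Macromed\Flash.
# Run from an elevated PowerShell prompt.

function Get-FlashExposure {
    $findings = @()

    # 1. The hidden click-to-play whitelist file named in the post. Report presence and hash so
    #    administrators can notice when a Windows update changes its contents.
    $policyBin = Join-Path $env:SystemRoot 'System32\edgehtmlpluginpolicy.bin'
    if (Test-Path $policyBin) {
        $hash = (Get-FileHash -Path $policyBin -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Check = 'Edge plugin whitelist file'; Status = 'Present'; Detail = "$policyBin SHA256=$hash" }
    } else {
        $findings += [pscustomobject]@{ Check = 'Edge plugin whitelist file'; Status = 'Absent'; Detail = $policyBin }
    }

    # 2. Edge policy: is Flash disabled outright, and is click-to-play enforced? (assumed value names)
    $addons = 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons'
    $pol = Get-ItemProperty -Path $addons -ErrorAction SilentlyContinue
    if ($null -ne $pol -and $pol.PSObject.Properties['FlashPlayerEnabled'] -and $pol.FlashPlayerEnabled -eq 0) {
        $findings += [pscustomobject]@{ Check = 'Edge Flash policy'; Status = 'OK'; Detail = 'FlashPlayerEnabled=0 (Flash disabled by policy)' }
    } else {
        $findings += [pscustomobject]@{ Check = 'Edge Flash policy'; Status = 'WARN'; Detail = 'Flash not disabled by policy; disable it in Settings / Advanced or via GPO' }
    }
    if ($null -ne $pol -and $pol.PSObject.Properties['FlashClickToRunMode']) {
        $findings += [pscustomobject]@{ Check = 'Edge click-to-play policy'; Status = 'Info'; Detail = "FlashClickToRunMode=$($pol.FlashClickToRunMode)" }
    }

    # 3. Flash Player binaries left on disk (ActiveX .ocx for IE/Edge, NPAPI .dll for other browsers).
    $flashDirs = @("$env:SystemRoot\System32\Macromed\Flash", "$env:SystemRoot\SysWOW64\Macromed\Flash")
    foreach ($dir in $flashDirs) {
        if (Test-Path $dir) {
            $bins = Get-ChildItem -Path $dir -Include 'Flash*.ocx', 'NPSWF*.dll' -Recurse -ErrorAction SilentlyContinue
            foreach ($b in $bins) {
                $ver = $b.VersionInfo.FileVersion
                $findings += [pscustomobject]@{ Check = 'Flash binary on disk'; Status = 'WARN'; Detail = "$($b.FullName) version=$ver" }
            }
        }
    }

    # 4. Uninstall entries for standalone Flash Player installs, so the "de-install it now" step can be verified.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Adobe Flash Player*' }
    foreach ($app in $apps) {
        $findings += [pscustomobject]@{ Check = 'Flash Player installed'; Status = 'WARN'; Detail = "$($app.DisplayName) $($app.DisplayVersion)" }
    }
    if (-not $apps) {
        $findings += [pscustomobject]@{ Check = 'Flash Player installed'; Status = 'OK'; Detail = 'No Adobe Flash Player uninstall entry found' }
    }

    return $findings
}

# Usage: print the report; any WARN row is something the advice above says to fix.
Get-FlashExposure | Format-Table -AutoSize
```

Running the function on a fleet (for example through a remoting job) and keeping only the `WARN` rows gives a quick list of machines that still have Flash installed or enabled in Edge.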
Full story over at Bleeping Computer.
Headline image provided by ShutterStock