Microsoft culls secret Flash whitelist after Google points out its insecurity

Enlarge (credit: Aurich Lawson)
In 2017, Microsoft changed its Edge browser so that Flash content would be click-to-run (or disabled outright) on virtually every site on the Web. A handful of sites were to be whitelisted, however, due to a combination of Flash dependence and high popularity.
The whitelist was intended to make it easier to move to a world using HTML5 for rich interactive content and to limit the impact of any future Flash vulnerabilities. At the same time, the list would still allow sites with complex Flash-dependent content to keep on running. If only a few trusted sites can run Flash content by default, it should be much harder for bad actors to take advantage of Flash flaws. A similar approach was adopted by other browsers; Google, for example, whitelisted the top-10 Flash-using sites for one year after switching Chrome to 'click-to-run.'
But Google figured out how Edge's whitelist worked (via ZDNet) and found that its implementation left something to be desired. The list of 58 sites (56 of which have been identified by Google) including some that were unsurprising; many of the entries are sites with considerable numbers of Flash games, including Facebook. Others seemed more peculiar; a Spanish hair salon, for example, was listed.
Read 2 remaining paragraphs | Comments