Facebook has a secret door open in Edge that allows it to run Flash without the user knowing
Are you worried about the privacy of your data? Well, brace yourself. A security researcher has discovered a flaw affecting Microsoft's web browser, Edge. While Edge waits for a hotfix and for the jump to the Chromium-based rendering engine, its issues remain.
The alert, as on other occasions, comes from Google Project Zero, a team in charge of investigating and detecting bugs and gaps in applications and operating systems. In this case Ivan Fratric (@ifsecure) has detected a bug in Edge that allows Flash code to be executed without the user knowing about it.
Open Bar for Flash
To get some background, we have to travel back in time to the end of 2018, when Google Project Zero discovered a whitelist in Edge. It is a list that works the same as the one we can use on smartphones, except that instead of telephone numbers it uses web services.
In total, this list gave up to 58 websites of all kinds free rein to run Adobe Flash-based code on our computers, and all of this, of course, without the affected party having any knowledge of it. That was the problem.
The problem was brought to Microsoft's attention and Edge was patched, but although they tackled the root of the problem, they were unable to eliminate all the threats. Two websites remained that still had permission to run Flash, and both were under Facebook's control. These are the two privileged domains:
- https://www.facebook.com
- https://apps.facebook.com
This means that any widget that runs on Flash and is included in either of these domains can bypass Microsoft's security measures. In addition, Fratric himself discovered a new risk: a way to circumvent the Click-to-Run policy that Edge boasts, which puts control in the hands of the user. It is the user who can allow or deny the execution of this type of content. This is an important security hole, since Flash code could be executed either by these domains or even through a MITM (Man In The Middle) attack.
According to the notice on the website, _when you visit a website that tries to load Flash content while browsing with Microsoft Edge starting with Windows 10 Creators Update, you may notice that certain aspects of the website don't work properly the way you expect. This unexpected behavior may be the result of Flash being blocked by default due to the Flash Click-to-Run feature._ In theory, this is how it should work.
A Nail in Edge's Coffin
This fact is especially serious, as it means that the security and integrity of user data are at risk. It also contradicts the security policies of Edge, which fights against the fraudulent use of this type of practice.
Actions like this do a disservice to Edge, a browser in delicate health for which Microsoft has already set an end date: the Windows 10 October 2019 Update, when the new Edge becomes a reality.
Via | ZDNet Cover Image | iAmMrRob