In 2017, Microsoft changed its Edge browser so that Flash content would be click-to-run (or disabled outright) on virtually every site on the Web. A handful of sites were to be whitelisted, however, due to a combination of Flash dependence and high popularity.
The whitelist was intended to make it easier to move to a world using HTML5 for rich interactive content and to limit the impact of any future Flash vulnerabilities.
But Google figured out how Edge’s whitelist worked (via ZDNet) and found that its implementation left something to be desired. The list of 58 sites (56 of which Google identified) included some unsurprising entries; many are sites hosting considerable numbers of Flash games, including Facebook. Others seemed more peculiar; a Spanish hair salon, for example, was listed.
Several of these sites had outstanding, unfixed cross-site scripting bugs. With these flaws, an attacker can inject code into the page and have that code appear to come from the sites in question. This code can, in turn, be used to load Flash content that exploits bugs in the Flash player. Moreover, a number of the sites didn’t support secure connections, meaning that it would be straightforward to tamper with their traffic to similarly inject hostile Flash content.
Google duly reported the bug to Microsoft, and the Patch Tuesday update last week gutted the whitelist. Now, only two domains are allowed to load Flash content—www.facebook.com and apps.facebook.com—and those domains can only load the Flash content when accessed securely over HTTPS. The Flash content also has to be larger than 398×298 pixels, meaning it has to be a major feature of a page rather than something sneaked in to exploit someone.