Hello, welcome to the Thursday, February 21st, 2019 edition of the Santernut Storm Center's

Stormcast. My name is Johannes Lurich. I'm recording from Jacksonville, Florida.

Google today released details of a problem that Microsoft fixed in Microsoft Edge with its February update.

The problem here is it wasn't really a bug or vulnerability as more an intentional weakness

that was introduced to allow certain websites to run Flash.

Most web browsers have for a while now introduced the concept where in order to run flash

on a website you first have to give that site permission by typically clicking on the

applet before it runs.

Now this particular white list allowed about 58 different websites to run Flash without

asking for permission first.

To make things somewhat more tricky, the list was actually not in clear text.

It was a list of Shah-256 hashes.

Now, given that most of them were well-known websites, brute forcing it, was relatively trivial,

but a lot of sites that are listed here, I had no idea what they actually are.

So you may be a little bit curious about why Microsoft allowed these sites to actually run Flash

without asking for permission.

Another sort of interesting part to this is that yes, Microsoft modified this white list.

They didn't eliminate it.

The only entry that's left now is Facebook.

So Facebook is still allowed to run Flash without user permission.

If the user uses Microsoft Edge, the other thing they sort of fixed, but given it's only two entries, not really all that meaningful.

But the old white list didn't actually even verify whether used HTPS or HDP, so anybody

...