Microsoft Disables Key Browser Security Feature: A Case for Zero Trust
“I love Adobe’s Flash Player,” said no IT admin anywhere. Flash is the notorious plugin that was required to view many popular websites, such as YouTube, until they switched over to the more open and cross-platform standard of HTML5. IT professionals cheered Adobe’s announcement that Flash will officially reach its End of Life in 2020. Until that date arrives, and even beyond it, websites will continue to use the outdated and highly vulnerable Adobe Flash platform. Adobe is constantly producing security updates for Flash remote code execution, buffer overflow, and other vulnerabilities, and one look at the security update page for Adobe’s Flash Player will make anyone’s scroll wheel work overtime. Flash was a necessary evil while no viable alternatives were available. Now that most websites have switched to HTML5, there is no good reason to have this software on computers other than support for legacy applications that were never ported over.
Much to the delight of security practitioners everywhere, along with the announcement that Flash would reach end of life in 2020, most popular browsers, including Microsoft’s Edge, also announced that they would disable Flash by default and require the user to grant explicit permission before Flash could run. In this case, even if a user was running a vulnerable version of Adobe Flash, as long as the user did not explicitly grant a webpage permission to run Flash, the user would, in theory, be protected from any potentially malicious Flash content. From a network security perspective, this was a great tool to protect users against themselves. It was not a silver bullet, since users do unpredictable things and social engineering can cause users to perform undesirable actions, but it was a definite step in the right direction.
Last November, a Google Security researcher discovered a file (C:\Windows\system32\edgehtmlpluginpolicy.bin) installed on Windows 10 by default that contained a set of SHA256 hashes. Upon further examination, the researcher discovered that the hashes corresponded to websites: the file was a list of 58 domains that could bypass Microsoft Edge’s Flash click2play feature, allowing sites on the whitelist to load Flash content without the user’s explicit consent. At the time of writing, Microsoft Edge has just over 4% of the browser market share and is the default browser for non-enterprise editions of Microsoft Windows 10. This file and its feature were not documented anywhere, and the security researcher painstakingly decoded the hashes to uncover the 58 whitelisted domains. These domains include several Microsoft properties, Facebook, the Deezer music streaming service, the Chinese social networking app QQ, and downright odd entries such as www.dilidili[.]wang, a Spanish hairdresser dgestilistas[.]es, and the Russian-hosted site ok[.]ru. After the Google Security researcher’s responsible disclosure to Microsoft, Microsoft promptly trimmed the list of domains allowed to bypass click2play down to just Facebook through a Patch Tuesday update in February. Even one domain allowed to bypass is concerning for security, but to the average user, having to perform an extra click or two to access their news feed or to check whether their middle school friend is finally divorced was apparently too much of a hurdle to overcome.
Although Microsoft has removed most of the domains allowed to bypass click2play, this whitelist should not have existed in the first place. Since Microsoft has been touting Windows 10 as the most secure Windows ever, it’s incomprehensible that they would disable a key security feature for sites like www.dilidili[.]wang. The potential for abuse does not simply extend to the 58 domains automatically whitelisted before February 2019’s Patch Tuesday, as cross-site scripting attacks could easily leverage this whitelist to bypass traditional security controls and run malicious code. At the time of the Google Security researcher’s report, at least a few websites on the whitelist had publicly known, reported, and unpatched cross-site scripting vulnerabilities. An attacker hosting a website using a cross-site scripting attack could force Microsoft Edge to enable Flash by default for a site not on the whitelist, effectively defeating the protections put in place with click2play. Worse yet, Man-in-the-Middle and DNS poisoning attacks could leverage the click2play bypass, since many of the sites on the whitelist do not support HSTS and some do not even support HTTPS! The folks in Redmond are the only ones who can answer why this file was put there in the first place, why a Spanish hairdresser obtained the right to bypass click2play, why these 58 domains were so special, and why Facebook continues to get special treatment. They are unlikely to provide any response, but removing the majority of the domains from the whitelist is an important step.
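The two preceding paragraphs describe a policy file that stores only hashes of hostnames, which the researcher had to recover by hashing candidate domains, and then point out that such a hostname-only bypass does not care whether the site was reached over HTTPS. The following Python is an added example written for this post, not the researcher’s tooling or any Microsoft code; it assumes, as a labelled assumption, that each entry is the SHA-256 of the lowercase hostname (the real format of edgehtmlpluginpolicy.bin is not documented here), and the allowlist it builds comes from constructed example hostnames rather than the real 58 domains. It shows the audit step (matching an opaque hash list against a candidate hostname list, such as one pulled from proxy logs) and why a match keyed on the hostname alone is a weak control when the site is served over plain HTTP.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed example hostnames (not the real whitelist entries) used to build
# a hash-only allowlist for the demonstration.
CONSTRUCTED_ALLOWED_HOSTS = [
    "www.allowed.example",
    "partner.example.net",
    "media.example.org",
]


def host_hash(hostname: str) -> str:
    """Assumption: an allowlist entry is the SHA-256 hex digest of the
    normalised hostname (lowercase, surrounding whitespace and trailing
    dot removed). The page does not document the real encoding."""
    norm = hostname.strip().lower().rstrip(".")
    return hashlib.sha256(norm.encode("ascii")).hexdigest()


def build_allowlist(hosts):
    """Turn readable hostnames into the opaque hash set a browser would ship."""
    return {host_hash(h) for h in hosts}


CONSTRUCTED_ALLOWLIST = build_allowlist(CONSTRUCTED_ALLOWED_HOSTS)


def recover_hosts(allowlist, candidates):
    """Audit step: hash every candidate hostname and keep those whose digest
    appears in the opaque allowlist. Returns {digest: hostname} for the hits.
    This is how an undocumented hash list gets turned back into a readable
    list of sites for review."""
    found = {}
    for candidate in candidates:
        digest = host_hash(candidate)
        if digest in allowlist:
            found[digest] = candidate.strip().lower().rstrip(".")
    return found


def bypasses_click_to_play(url, allowlist):
    """Decide whether a URL would get the bypass under a hostname-only policy.
    Returns (bypass, scheme). The scheme plays no part in the match: an
    http:// and an https:// URL for the same host are treated alike, which is
    exactly why a site on the list without HTTPS/HSTS is a concern."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    return (host_hash(host) in allowlist, parts.scheme.lower())


def audit_urls(urls, allowlist):
    """Return (url, bypass, warning) per URL. 'warning' is set when a bypassed
    site is reached over something other than HTTPS, i.e. a host that an
    on-path or DNS-poisoning attacker could impersonate and still inherit
    the bypass."""
    report = []
    for url in urls:
        bypass, scheme = bypasses_click_to_play(url, allowlist)
        report.append((url, bypass, bypass and scheme != "https"))
    return report


if __name__ == "__main__":
    # Constructed candidate list, standing in for hostnames seen in proxy logs.
    seen = ["WWW.Allowed.Example", "notallowed.example", "partner.example.net."]
    for digest, host in recover_hosts(CONSTRUCTED_ALLOWLIST, seen).items():
        print(f"{digest[:16]}...  {host}")
    for row in audit_urls(
        ["http://www.allowed.example/feed", "https://media.example.org/",
         "https://notallowed.example/"], CONSTRUCTED_ALLOWLIST):
        print(row)
```

In practice the candidate list for the audit step comes from whatever hostname inventory you already have (proxy or DNS logs, a top-sites list), and the audit report is what you would hand to the people deciding whether a bypass on a plain-HTTP host is acceptable.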
Microsoft’s strange decision to exempt certain websites, including some with known and unpatched cross-site scripting vulnerabilities, highlights the need for zero trust security when users go out to browse the internet. Security and content filtering solutions that rely solely on a website’s DNS record or reputation to decide whether to allow or block access are not adequate to stop this type of threat. DNS and reputation solutions will allow access to a legitimate site and cannot see the cross-site scripting vulnerability on the page that is loaded, for example through a malicious Flash advertisement. These security solutions are also not equipped to detect or block a DNS poisoning or Man-in-the-Middle attack that leverages the whitelist to bypass Edge’s click2play.
The only true way to prevent the exploitation of this type of vulnerability is to use a secure web proxy that scans every byte of data regardless of the site’s reputation. This can only be achieved with a security solution capable of performing SSL/TLS inspection at scale, since over 80% of internet traffic today is encrypted. A cloud-based proxy is also preferable, since users remain protected once they leave the company premises without the need for a VPN. When Patch Tuesday rolls around and IT administrators are busy fighting other fires, trusted vendors are able to block exploitation of known, patched vulnerabilities on the same day the patches are released, without the need to patch individual systems first.
When Microsoft commits a misstep, as they often do, it is important to have proper security controls in place outside of the Microsoft ecosystem to compensate and protect users. Cloud-based and SaaS-based vendors tend to do better in this arena, since the cloud is always patched and always running the latest version of the software without IT administrator intervention.