Microsoft's Edge web browser comes with a hidden whitelist file designed to allow Facebook to circumvent the built-in click-to-play security policy and autorun Flash content without having to ask for user consent. According to the initial bug report filed by Google Project Zero's Ivan Fratric on November 26: In Microsoft Windows, there is a file edgehtmlpluginpolicy.bin that contains the default whitelist of domains that can bypass Flash click2play and load Flash content without getting user confirmation in Microsoft Edge.

The current version of the previously secret Edge whitelist will only allow Facebook to bypass the Flash click-to-play policy on its facebook.com and apps.facebook.com domains; the policy is currently enforced for all other domains not present on this list. In his bug report, the security researcher also highlighted the security implications of having a Flash autorun whitelist bundled with a web browser, especially given the number of Flash security patches issued by Adobe almost every month.

However, back in November, the security researcher initially found the SHA-256 hashes of 58 domains in the whitelist on Windows 10 v1803, and he was able to decrypt them and obtain the names of 56 sites. The choice to encrypt the entries added to the whitelist and the decision to keep Facebook's domains whitelisted even after this month's Patch Tuesday are two other questions that only Microsoft can answer. While Microsoft got around to partially addressing the issue reported by Fratric back in November 2018, the security researcher is still dumbfounded by Redmond's choice to use a Flash whitelist in the first place. We have the contents of the hidden whitelist posted on OUR FORUM.

At the Galaxy Unpacked event, the South Korean smartphone maker Samsung announced the highly anticipated foldable phone, the Galaxy Fold. The Samsung Galaxy Fold packs a large 7.3-inch Infinity Flex Display that allows the device to switch between tablet and phone modes. At the event, Samsung showed off the Galaxy Fold switching flawlessly between phone and tablet mode. The foldable device can run three apps at once, and Samsung's app continuity system will adjust these apps when you unfold or fold the device.

Samsung has worked with Google and community developers to optimize apps for its foldable phone. At the event, Samsung revealed that its Galaxy Fold device is configured to work with all popular apps and even the Microsoft Office suite. The software and hardware have been optimized to work with apps like Google Maps and WhatsApp, as well as the Microsoft Office productivity suite. Microsoft Office apps have been specially adapted to work with the 7.3-inch display and will be able to adjust the interface quickly when you move between the two form factors.

Samsung's first foldable is simply called the Galaxy Fold. It has a 7.3-inch Infinity Flex screen when opened and switches to a 4.6-inch screen when folded. The resolution of the large display is 1536 x 2152, which reduces to 840 x 1960 when the device is folded. The Samsung Galaxy Fold uses two batteries; while they are separated by the fold, they are combined when you boot the operating system. Full details can be found on OUR FORUM.

Microsoft will begin rolling out SHA-2 standalone updates for Windows 7 and Windows Server 2008 in March in preparation for its July 16 implementation deadline. Windows 7 and Windows Server 2008 users need to have SHA-2 code-signing support installed by July 16, 2019, in order to continue to get Windows updates after that date. Microsoft issued that warning on February 15 via a Support article.

Windows operating system updates are dual-signed using both the SHA-1 and SHA-2 hash algorithms to prove authenticity. But going forward, due to "weaknesses" in SHA-1, Microsoft officials have said previously that Windows updates will be using the more secure SHA-2 algorithm exclusively. Customers running Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2 must have SHA-2 code-signing support installed by July 2019, Microsoft officials have said.

Microsoft has published a timeline for migrating these operating systems to SHA-2, with support for the algorithm coming in standalone updates. On March 12, Microsoft is planning a standalone update with SHA-2 code sign support for Windows 7 SP1 and Windows Server 2008 R2 SP1. It also will deliver to WSUS 3.0 SP2 the required support for delivering SHA-2 updates. Microsoft will make available a standalone update with SHA-2 code sign support for Windows Server 2008 SP2 on April 9, 2019. Learn more by visiting OUR FORUM.


