The integrated Flash Player system in Internet Explorer 10 for Windows 8 no longer requires whitelisting of sites, relying instead on a Microsoft-provided blacklist.
Microsoft has made a surprising volte-face regarding its stance on Macromedia's Flash Player in Internet Explorer 10, removing the whitelist system it had originally put in place and having the content run everywhere that isn't explicitly blacklisted.
To say Flash Player has had something of a chequered past is understating things a tad: when the software, originally called FutureSplash Animator, was acquired by Macromedia in 1996 it would rapidly rise to become one of the most popular rich-media tools for the growing web, and Macromedia's acquisition by Adobe in 2005 did little to slow this growth. Its ubiquity would prove a double-edged sword for the company, however: the use of rich-media scripting and other clever techniques makes it a complex piece of software, and ne'er-do-wells have been exploiting holes in the software for years as a means of taking control of target systems simply by getting them to visit a dodgy website.
The result is a regular stream of security patches for vulnerabilities, many of which are being actively exploited in the wild before coming to Adobe's attention. Coupled with Adobe Reader, the company's PDF viewing package and another near-ubiquitous piece of software, Adobe Flash has been the cause of many a sleepless night for sysadmins around the world.
The problem came to a head with the launch of Windows 8 and its bundled Internet Explorer 10 web browser. Marking a massive change from previous releases, Microsoft announced that it would be limiting the integrated Flash Player functionality of IE10 to load content only from pre-approved websites. A means of pushing the rival HTML5 rich-media standard - 'the primary experience of the site should be HTML,
' Microsoft states outright in its developer guidance
while enhancing system security, IE10 featured a Compatibility View (CV) list which contained sites allowed to run Flash content. If your site wasn't on the list, you could kiss goodbye to running Flash content.
The news came as a shock to web developers, many of whom accused Microsoft of attempting to kneecap Adobe's Flash in retaliation for the failure of Microsoft's rival Silverlight platform to gain mass market acceptance. It also led to more work: anybody hoping for Windows 8 users to visit their website either had to find an alternative to Flash for their content, or apply for an entry on the CV list by allowing Microsoft to vet their content.
Now, however, Microsoft has all-but admitted it made a mistake. In the latest patch for Internet Explorer 10, which went live on Windows Update today, Microsoft has flipped the Compatibility View list on its head: rather than whitelisting sites that are allowed to run Flash content, it now provides a blacklist of sites that are not.
It's a serious shift for the company, and one which brings it back to the behaviour of older Internet Explorer releases - not to mention that of rival browsers. 'Internet Explorer 10 uses the CV list to block specific sites from running the Flash Player functionality supported in Internet Explorer in the Windows UI,
' the company explains in a statement on the matter. 'Microsoft manages and distributes the CV list and determines which sites go on the list. Decisions are based on security and reliability concerns.
In short, developers need no longer beg Microsoft to allow their Flash sites to run in Internet Explorer 10 on Windows 8 - but, equally, they run the risk of being declared a baddie by Microsoft if their coding isn't up to snuff, and thus far the company has not provided any hints as to how a site would remove itself from the new CV blacklist.
The blacklisting system will automatically run on Internet Explorer 10 on Windows 8 when running with the latest security patches; those who have not upgraded will continue to see Flash content blocked everywhere except those sites whitelisted within the old CV list.