How to make non-news into a sensational article.

May 3, 2023 - Programming


Most technology news is, frankly, kind of boring. Occasionally something really neat shows up that can attract people to your failing news website, but otherwise you have to sort of glam it up. A little embellishment there, a paragraph about some unrelated thing that an involved company did a few years ago that made people made there…

An excellent example of this in action is this sensational article.

The article, titled “Microsoft Broke a Chrome Feature to Promote It’s Edge Browser” with a subheading of “Windows borked a feature that let you change your default browser, and some users saw popups every time they opened Chrome. it’s the 1990’s again for Microsoft” Is wildly misleading.

Fundamentally, about a year ago, Chrome added an experimental feature which would force itself as the default browser. A recent update to Windows has broken this.

Now first, Let’s discuss how the browser option works. Basically, within the associations registry keys, there is a “user_choice” key, this has two values, a Hash, and the progID of the associated handler. The intent behind the feature is that the Windows Shell itself is the only thing that “knows” how the generate the hash, and that hash has to match up with the contents in the ProgID value. Additionally, unless running as administrator, modifying the keys is not allowed by default either. The intent behind this is that only the user gets to set what is in the user_choice key.

Now, on to the Chrome feature in question. The experimental feature in question is called “Win10UnattendedDefault”.

The responsible function in the chrome source code is "MakeChromeDefaultDirectly" in shell_util.

The way this works is that they basically reverse-engineered the hashing code in the Shell, extracting a salt value from the shell32 library (GetShellUserChoiceSalt in and duplicating the Hash algorithm and everything. It works around the key not being writable by deleting it; as per a code comment," // Deleting the key works around the deny set value ACL on UserChoice."

This is where the Update comes in. See, being able to delete the key is literally a security exploit. It means user-level applications can literally wipe out the user_choice associations altogether, and write new ones. The Update fixes this flaw by adding a Delete ACL, and either changing the hash algorithm or how it is salted.

This caused Chrome to behave strangely when using the feature. In particular the settings page for associations appears if the Hash doesn’t match, and since the key cannot be deleted, while ProgID can be written, the Hash cannot, so it no longer matches the new value. Trying to run through the association will show the settings screen because it’s invalid for this reason.

Partly because there is very little error handling- it just assumes things like deleting the key succeeded. It’s also possible the hash algorithm may have been altered, though that aspect is unclear. Basically though, we’ve got a long article that turns an update fixing an obvious security flaw that Chrome was exploiting into a strange diatribe about Microsoft pushing Edge, even though Microsoft Edge isn’t even involved.

Better yet, the article contains outright lies.

Gizmodo was able to replicate the problem. In fact, we were able to circumvent the issue just by changing the name of the Chrome app on a Windows desktop. It seems that Microsoft threw up the roadblock specifically for Chrome, the main competitor to its Edge browser.

This is completely fabricated. The name of the Chrome program, or shortcut, is completely unrelated to the problem. This is just completely made up nonsense because they think their readers are morons. The Chrome source code is right there. You can read what it does, and the changes make it literally corrupt the involved settings. Not all readers, of course, are going to be experienced enough to review source code, but one would expect a technology-oriented news website would have the technical review capability to verify what they are saying, not just say whatever the author has decided must be the case, and even make up “testing” they did which they pulled right out of their ass.

Mozilla’s Firefox has its own one-click default button, which worked just fine throughout the ordeal.

This is also complete nonsense. Firefox has NEVER had a “one-click default button”. The Firefox option to Set Default is “one button” but it uses the standard, proper method which loads up the Windows Settings page so the user can set the association up themselves.

This is the sort of journalistic integrity I expect from these sorts of publications, sadly. It seems the aim is not to inform, but to try to make people mad to drive engagement. The article also for some reason has a bunch of unrelated stuff about questionable MS Practices which literally aren’t even relevant here. Chrome was exploiting a bug. Microsoft fixed it. The feature using the exploit broke, but ya’know now arbitrary applications can’t delete your user_choice settings, so that specific thing seems like a good thing to me.

Have something to say about this post? Comment!

Leave a Reply

Your email address will not be published. Required fields are marked *