Internet Explorer 10's bundled Flash leaves users exploitable

Early users of Windows 8's built-in Internet Explorer may find themselves at risk of exploitation via the Flash plugin, as the version included with Windows 8 is out of date. Adobe patched Flash on August 21 to resolve known security flaws, but the patch can't be applied to Internet Explorer 10.

Internet Explorer 10 bundles Adobe Flash, with Microsoft taking on responsibility for shipping updates to the integrated plugin. One repercussion of this arrangement is that Adobe's patches and autoupdate mechanism can't be used; they can update the standalone version used by Firefox, but not the embedded version in Internet Explorer. The same is true of Chrome; it includes an embedded version of Flash, and the only way to update that is with a Chrome update. Adobe's updater can't touch it.

There has been some chatter on Twitter about this issue since Adobe shipped its most recent patch. Ed Bott at ZDNet asked Microsoft about the issue, and was told:

"We will update Flash in Windows 8 via Windows Update as needed. The current version of Flash in the Windows 8 RTM build does not have the latest fix, but we will have a security update coming through Windows Update in the GA timeframe."

"GA" means general availability; it refers to the October 26th date when Windows 8 will go on sale through retail channels. There is a contradiction implicit in this statement; Flash in Windows 8 needs an update now, so plainly Microsoft is not updating it "as needed."

There is a broader underlying issue here. Microsoft's policy is, in general, to release software patches, including Internet Explorer patches, on the second Tuesday of each month. Adobe's is also to release them on Tuesdays—but the third or fourth Tuesday.

If these policies are retained, then there will be a systematic vulnerability window. Microsoft will patch Internet Explorer, and then a week or two later, Adobe will reveal a raft of new Flash security flaws when it patches Flash. Windows users will then have to wait several weeks for Microsoft's next update.
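The size of that window can be worked out from the two schedules. The following is an added example, not part of the original article: it assumes the year 2012, that both vendors keep strictly to their Tuesdays, and that each Adobe fix ships in the very next Microsoft release; all function names are illustrative.

```python
from datetime import date, timedelta

TUESDAY = 1  # date.weekday() numbering: Monday is 0


def nth_weekday(year, month, weekday, n):
    """Return the date of the n-th given weekday of a month (n starts at 1)."""
    first = date(year, month, 1)
    offset = (weekday - first.weekday()) % 7
    return first + timedelta(days=offset + 7 * (n - 1))


def next_microsoft_release(after):
    """Return the first second-Tuesday release strictly after `after`."""
    year, month = after.year, after.month
    while True:
        candidate = nth_weekday(year, month, TUESDAY, 2)
        if candidate > after:
            return candidate
        # Move to the following month, rolling over the year in December.
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)


def exposure_windows(year, adobe_week):
    """For each month, pair Adobe's release (n-th Tuesday) with the next
    Microsoft release and the number of days users wait in between."""
    rows = []
    for month in range(1, 13):
        adobe = nth_weekday(year, month, TUESDAY, adobe_week)
        microsoft = next_microsoft_release(adobe)
        rows.append((adobe, microsoft, (microsoft - adobe).days))
    return rows


if __name__ == "__main__":
    # Assumption: 2012, the year of the Windows 8 release discussed here.
    for week in (3, 4):
        gaps = [days for _, _, days in exposure_windows(2012, week)]
        print(f"Adobe on Tuesday #{week}: wait of {min(gaps)} to {max(gaps)} days")
```

Under these assumptions the wait is three to four weeks when Adobe ships on the third Tuesday and two to three weeks when it ships on the fourth.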

This is plainly not a desirable state of affairs, and we feel it must surely be something that Microsoft and Adobe have considered and addressed somehow. However, the company offered us no comment and no explanation of what the update policy will actually be. Delaying Internet Explorer patches so that they are synchronized with Adobe's releases, or bringing forward Adobe's Patch Tuesday so it is synchronized with Microsoft's, would both be viable options.

Whatever option the companies pick, the lack of policy statement is awkward. Enterprises in particular plan for and around Patch Tuesday; providing predictability to its patching schedule for enterprise users is precisely why Microsoft has a Patch Tuesday in the first place. If the nature of Patch Tuesday is going to change—as it surely must, to avoid regular periods of vulnerability to known flaws—then enterprise customers need to be told.

And given that those same enterprise users have access to Windows 8 already and can be deploying and using it today, waiting for GA to provide a fix is unacceptable. Windows 8 may not be released to everyone just yet, but it has been released to some customers, and that means it needs to be supported now.


Source: Ars Technica

Tags: Adobe, Flash, Internet Explorer, Microsoft
