Internet Explorer 10's bundled Flash leaves users exploitable

Early users of Windows 8's built-in Internet Explorer may find themselves at risk of exploitation via the Flash plugin, as the version included with Windows 8 is out of date. Adobe patched Flash on August 21 to resolve known security flaws, but the patch can't be applied to Internet Explorer 10.

Internet Explorer 10 bundles Adobe Flash, with Microsoft taking on responsibility for shipping updates to the integrated plugin. One repercussion of this arrangement is that Adobe's patches and autoupdate mechanism can't be used; they can update the standalone version used by Firefox, but not the embedded version in Internet Explorer. The same is true of Chrome; it includes an embedded version of Flash, and the only way to update that is with a Chrome update. Adobe's updater can't touch it.

There has been some chatter on Twitter about this issue since Adobe shipped its most recent patch. Ed Bott at ZDNet asked Microsoft about the issue, and was told:

"We will update Flash in Windows 8 via Windows Update as needed. The current version of Flash in the Windows 8 RTM build does not have the latest fix, but we will have a security update coming through Windows Update in the GA timeframe."

"GA" means general availability; it refers to the October 26th date when Windows 8 will go on sale through retail channels. There is a contradiction implicit in this statement; Flash in Windows 8 needs an update now, so plainly Microsoft is not updating it "as needed."

There is a broader underlying issue here. Microsoft's policy is, in general, to release software patches, including Internet Explorer patches, on the second Tuesday of each month. Adobe's is also to release them on Tuesdays—but the third or fourth Tuesday.

If these policies are retained, then there will be a systematic vulnerability window. Microsoft will patch Internet Explorer, and then a week or two later, Adobe will reveal a raft of new Flash security flaws when it patches Flash. Windows users will then have to wait several weeks for Microsoft's next update.

This is plainly not a desirable state of affairs, and we feel it must surely be something that Microsoft and Adobe have considered and addressed somehow. However, the company offered us no comment and no explanation of what the update policy will actually be. Delaying Internet Explorer patches so that they are synchronized with Adobe's releases, or bringing forward Adobe's Patch Tuesday so it is synchronized with Microsoft's, would both be viable options.

Whatever option the companies pick, the lack of a policy statement is awkward. Enterprises in particular plan for and around Patch Tuesday; providing predictability to its patching schedule for enterprise users is precisely why Microsoft has a Patch Tuesday in the first place. If the nature of Patch Tuesday is going to change—as it surely must, to avoid regular periods of vulnerability to known flaws—then enterprise customers need to be told.

And given that those same enterprise users have access to Windows 8 already and can deploy and use it today, waiting for GA to provide a fix is unacceptable. Windows 8 may not be released to everyone just yet, but it has been released to some customers, and that means it needs to be supported now.


Source: Ars Technica

Tags: Adobe, Flash, Internet Explorer, Microsoft
