Flash in Windows 8 RTM build is missing latest fix

Sep 08, 2012 by Nancy Owano

(Phys.org)—Microsoft architects must wake up to the smell of burning blogs once again. While not everyone may have or want Windows 8, the situation is neither good for branding nor at all good for the people who do have Windows 8. Windows 8 already has security vulnerabilities, where the Windows 8 built-in Internet Explorer puts users at risk of exploitation via the Flash plugin. Windows 8 for PCs won't be available until next month, so who would this affect? Windows 8 has been released to hardware manufacturers. Some users also may have Windows 8 for evaluation purposes.

Last month, Adobe released a batch of critical updates for Flash Player. Those updates were available for browsers, but Microsoft has yet to release the update for IE10 in Windows 8. That will not happen until well into October.

The problem is that Flash is built right into IE10. How convenient? How inconvenient, as only Microsoft can deliver updates, and users may have to wait for them. Internet Explorer 10's bundled Flash leaves users exploitable: the flaw may cause Flash to crash, with an attacker wresting control over the system. How could that happen? The answer appears to be in the timing between Adobe and Microsoft responses.

The troublesome version of Flash, now out of date, was baked into Windows 8. Microsoft decided to add Adobe's Flash Player to the browser as a built-in component instead of as a third-party plugin. So when Adobe patched Flash on August 21 to resolve what they knew were known vulnerabilities, the standalone version used by Firefox could be patched but not the embedded version in Internet Explorer.

Microsoft is aware of the timing disconnect. According to a Microsoft response, while the current version of Flash in the "Windows 8 RTM build" does not have the latest fix, a security update will come through Windows Update in the GA timeframe.

RTM refers to release to manufacturing. A GA timeframe is a reference to general availability. The timeframe refers to the target date of October 26 when Windows 8 will go on sale.

Critics note that in doing so Microsoft is talking about fixing something two months after Adobe released its critical security update for the same problem. That puts a user of Windows 8 in danger. "If you're using Internet Explorer 10 on any version of Windows 8, including the RTM bits available via MSDN or TechNet and the enterprise preview, you are at risk," warned Ed Bott on ZDNet.

Adobe had already classified this as an important patch. Its statement said, "This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible (for instance, within 72 hours)."

The Flash security flaw in this instance involves Windows 8, which is not yet in widespread use. Still, technology watchers hope the situation sends a stronger message: Users will always appreciate aligned timing between Adobe and Microsoft when it comes to browser updates and patches. Outside Microsoft, several technology sites are advising early Windows 8 users, for now, to disable the built-in Flash player.


User comments : 16


eMJayy
5 / 5 (6) Sep 08, 2012
This blunder is definitely Microsoft's fault, not Adobe's. Google has been integrating flash into its Chrome browser for quite a while, and they've successfully and consistently managed to work with Adobe to get updates to users in a very timely fashion.

In fact, many times I've actually gotten the flash update in Chrome a day earlier than it becomes available via the Adobe website. If Google can maintain this punctuality for so long without fail, Microsoft has no excuse for not being able to do the same.

ValeriaT
1 / 5 (4) Sep 08, 2012
It's no secret that Flash is updated every few weeks due to various security vulnerabilities. But at the moment when you burn the distribution media, you cannot update the Windows image. And what is Microsoft supposed to do - distribute Windows on rewritable DVD media and rewrite them the moment Adobe decides to issue a new hotfix? It's just another reason why NOT to distribute Windows with third-party software at any price - despite the technobabbling of the competition about alleged MS monopoly and similar stuff. It's SW and private property of Microsoft - so IT is the only one who is responsible for its content and who has full rights to decide what will be supported with it or not.
Deathclock
1.5 / 5 (8) Sep 08, 2012
Exactly, Flash is NOT a Microsoft technology, and it is not Microsoft's responsibility to fix its security vulnerabilities... IMO just ship W8 with whatever the most recent version of flash happens to be when they burn (or press) the discs and then it's up to the consumer to update flash as necessary, as we all already have to do pretty much weekly because it's a piece of shit to begin with!
BSD
1.7 / 5 (6) Sep 08, 2012
HA HA HA HA HA ...... :p

The comedy of errors continues......
John_Dellysse
5 / 5 (5) Sep 08, 2012
Wow microsoft making life more difficult for its customers I can't believe it...........
Kafpauzo
5 / 5 (1) Sep 09, 2012
They recommend disabling the built-in Flash player? What for? That's just a very temporary stopgap measure. In no time you're back with new problems. The only good solution is to disable the built-in Windows player and use a better operating system.
Deathclock
1 / 5 (6) Sep 09, 2012
Wow microsoft making life more difficult for its customers I can't believe it...........


Get this through your thick skull.. flash is NOT A MICROSOFT PRODUCT. IT IS NOT THEIR RESPONSIBILITY TO PATCH SECURITY VULNERABILITIES IN ANOTHER COMPANY'S PRODUCT.
Oysteroid
2.6 / 5 (5) Sep 09, 2012
@Deathclock: If it's not their product, why do they insist on bundling and distributing it with theirs?

Get it through YOUR thick skull (since you like to insult others, I take it you'll love to be insulted too). So get it through your thick skull - if MS left it as a third-party plugin then yes - it would be none of their worries. But, since they distribute, maintain and update it themselves - sorry boys, it's YOUR baby now.
alfie_null
1 / 5 (2) Sep 09, 2012
Flash is a complex piece of software that was probably not designed or built with due consideration to security. It was probably rushed to market, full of bits of "I don't have time to do this the right way" hacks. It unfortunately achieved success among web site developers and now it's hard to browse without some reliance on flash. I look forward to some time when, e.g. html5 has largely replaced flash.
eric96
2 / 5 (4) Sep 09, 2012
Stupid design choice on Microsoft's part.
Apple does the same thing, but it's OSX and it wants to make sure it works perfectly, at the cost of leaving users vulnerable sometimes taking 2 months. Apple has tremendously improved the time to release since public complaints. Microsoft has no reason to embed flash in IE10; it's just an awfully done move. If you're going to copy Apple; don't assimilate and reproduce their mistakes.
Deathclock
1.7 / 5 (6) Sep 09, 2012
@Deathclock: If it's not their product, why do they insist on bundling and distributing it with theirs?

Get it through YOUR thick skull (since you like to insult others, I take it you'll love to be insulted too). So get it through your thick skull - if MS left it as a third-party plugin then yes - it would be none of their worries. But, since they distribute, maintain and update it themselves - sorry boys, it's YOUR baby now.


You have no idea what you are talking about, they don't update it themselves. Every other week I am prompted to update flash... BY AN ADOBE UPDATER APPLICATION. ADOBE updates THEIR product, and on windows 7 at least that update is done through ADOBE software. Windows ships WITH flash as a COURTESY to the customer. Windows ships with quite a few third party applications as a matter of fact, but after the customer installs the OS it is THEIR responsibility to update that software PER THE MANUFACTURER.

Dipshit.
VendicarD
3 / 5 (2) Sep 09, 2012
An imaginary case...

BF Goodrich tires are exploding at highway speeds.

Ford installs the BF Goodrich Tires on their cars.

Would there be a recall or not?

It is not Ford's responsibility to fix the defective tires produced by BF Goodrich, another company's product.

"IT IS NOT THEIR RESPONSIBILITY TO PATCH SECURITY VULNERABILITIES IN ANOTHER COMPANY'S PRODUCT." - DeathTard
Deathclock
1 / 5 (4) Sep 09, 2012
An imaginary case...

BF Goodrich tires are exploding at highway speeds.

Ford installs the BF Goodrich Tires on their cars.

Would there be a recall or not?

It is not Ford's responsibility to fix the defective tires produced by BF Goodrich, another company's product.

"IT IS NOT THEIR RESPONSIBILITY TO PATCH SECURITY VULNERABILITIES IN ANOTHER COMPANY'S PRODUCT." - DeathTard


You're correct... the liability would fall on BF Goodrich, not on Ford... so you kind of shot yourself in the foot with this example.

What would happen is a class action lawsuit would be filed against Ford AND/OR BFG... but if a lawsuit was filed against Ford then Ford would turn right around and sue BFG... this scenario has actually played out many times.
VendicarD
1 / 5 (1) Sep 10, 2012
Did I make a claim as to who should pay for the recall?

You wish to avoid the point that there would be one.

Why is that?

"You're correct... the liability would fall on BF Goodrich, not on Ford... so you kind of shot yourself in the foot with this example." - DeathTard
Deathclock
1 / 5 (4) Sep 10, 2012
Why is that?


Because the interesting point of contention here is that of fault and liability... what is wrong with you?
VendicarD
1 / 5 (1) Sep 10, 2012
Sorry, but while that may be your take on the matter, the general debate is about production quality, not liability.

"Because the interesting point of contention here is that of fault and liability" - DeathTard

It is going to be fun to watch Ball Boy Ballmer's OS love (W8) child crash and burn.
