September 8, 2012 report
Flash in Windows 8 RTM build is missing latest fix
(Phys.org)—Microsoft architects must wake up to the smell of burning blogs once again. While not everyone may have or want Windows 8, the situation is neither good for branding nor at all good for the people who do have Windows 8. Windows 8 already has security vulnerabilities: its built-in Internet Explorer puts users at risk of exploitation via the Flash plugin. Windows 8 for PCs won't be available until next month, so who would this affect? Windows 8 has been released to hardware manufacturers. Some users may also have Windows 8 for evaluation purposes.
Last month, Adobe released a batch of critical security updates for Flash Player. Those updates were available for browsers, but Microsoft has yet to release the update for IE10 in Windows 8. That will not happen until well into October.
The problem is that Flash is built right into IE10. How convenient? How inconvenient, as only Microsoft can deliver updates, and users may have to wait for them. Internet Explorer 10's bundled Flash leaves users open to exploitation: the flaw may cause Flash to crash and let an attacker take control of the system. How could that happen? The answer appears to be in the timing between Adobe and Microsoft responses.
The troublesome version of Flash, now out of date, was baked into Windows 8. Microsoft decided to add Adobe's Flash Player to the browser as a built-in component instead of as a third-party plugin. So when Adobe patched Flash on August 21 to resolve known security flaws, the standalone version used by Firefox could be patched but not the embedded version in Internet Explorer.
Microsoft is aware of the timing disconnect. According to a Microsoft response, while the current version of Flash in the "Windows 8 RTM build" does not have the latest fix, a security update will come through Windows Update in the GA timeframe.
RTM refers to release to manufacturing. A GA timeframe is a reference to general availability. The timeframe refers to the target date of October 26 when Windows 8 will go on sale.
Critics note that in doing so Microsoft is talking about fixing something two months after Adobe released its critical security update for the same problem. That puts a user of Windows 8 in danger. "If you're using Internet Explorer 10 on any version of Windows 8, including the RTM bits available via MSDN or TechNet and the enterprise preview, you are at risk," warned Ed Bott on ZDNet.
Adobe had already classified this as an important patch. Its statement said, "This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible (for instance, within 72 hours)."
The Flash security flaw in this instance involves Windows 8, which is not yet in widespread use. Still, technology watchers hope the situation sends a stronger message: Users will always appreciate aligned timing between Adobe and Microsoft when it comes to browser updates and security patches. Outside Microsoft, several technology sites are advising early Windows 8 users, for now, to disable the built-in Flash player.
© 2012 Phys.org