Windows 8 and 8.1 Forums

Win8/IE 10 Flash Security Issue

  1. #1

    Posts : 375
    Win 8.1 64bit

    Ed Bott article from ZDNet. Microsoft puts Windows 8 users at risk with missing Flash update | ZDNet
    Microsoft puts Windows 8 users at risk with missing Flash update

    Summary: Last month, Adobe released a batch of critical security updates for Flash Player. Those updates are available for every modern browser except one. Microsoft has yet to release the update for IE 10 in Windows 8, and may not do so until next month.

    By Ed Bott for The Ed Bott Report | September 6, 2012 -- 12:19 GMT (05:19 PDT)


    If you use Internet Explorer 10 with Windows 8 today, you are exposing yourself to potentially serious security risks.
    On August 21, 2012, Adobe released a batch of security updates for its Flash Player. According to the security bulletin, “These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.”
    For Windows, Adobe classifies these updates as Priority 1, its highest rating:
    This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible. (for instance, within 72 hours).
    If you use Windows 7 (or earlier) with any modern browser and you’ve enabled automatic updates, you already have the latest Flash security fixes. Ditto if you use a Mac.
    But if you’re using Internet Explorer 10 on any version of Windows 8, including the RTM bits available via MSDN or TechNet and the enterprise preview, you are at risk. You cannot manually update the version of Flash baked into IE 10. Only Microsoft can do that.
    Microsoft made a bold design decision with Internet Explorer in Windows 8, adding Adobe’s Flash Player to the browser as a built-in component instead of a third-party plugin. That design echoes Google’s decision long ago to include Flash Player in every version of Chrome.
    The advantage of this design for Microsoft is that it enables playback of Flash content in the otherwise-plugin-free Windows 8 browser. The bad news is that it adds a bottleneck between Adobe’s updates and browser users.
    Google has dealt with this issue by incorporating Flash updates into its automatic browser updates. The Chrome Stable Channel was updated on August 21, 2012 for Windows and Chrome Frame as well as Linux and Mac. The release notes say the build has “a new version of Flash with security and other fixes,” and it points to Adobe’s release notes for Flash Player 11.4.
    For IE 10, however, no such update is yet available. I asked a Microsoft spokesperson to confirm that these recent security patches aren’t available, and I got this response:
    Security is of course important to us, and we are working directly with Adobe to ensure that Windows 8 customers stay secure. We will update Flash in Windows 8 via Windows Update as needed. The current version of Flash in the Windows 8 RTM build does not have the latest fix, but we will have a security update coming through Windows Update in the GA timeframe.
    The “GA timeframe” is October 26, which is more than two months after Adobe released these critical security updates.
    This kind of slow response got Apple in big trouble earlier this year. The Flashback malware infected more than 600,000 Macs, roughly 1% of Apple's OS X installed base, using Java software that was included with the operating system and could not be removed:
    Apple's update that fixed the Java security hole was released April 3, 2012. That’s 49 days after Oracle released Java SE 6 Update 31 for all other platforms. During that seven-week period, every Apple customer who had Java installed (and that includes every Mac owner running Leopard and Snow Leopard) was vulnerable to a silent installation of malware. Ultimately, Apple had to release an update that fixed the security hole and removed the malware already installed on its customers' Macs.
    Sound familiar?
    The situations aren’t exactly analogous. Windows 8 users have the benefit of built-in antivirus software and can use third-party security tools that can block in-the-wild exploits. And if you use the immersive (Metro style) browser, Flash is completely blocked from all but a handful of whitelisted sites. But the desktop version of IE 10 is wide open, and having a popular vector for malware with known vulnerabilities that can’t be patched should make anyone nervous.
    Technically, Microsoft can argue that Windows 8 isn’t really released yet. It’s been released to manufacturing, but the only copies available to the public are clearly marked as “for evaluation.”
    Sorry, that argument doesn’t work with me. One of the things any sensible IT pro should be evaluating in this release is how well Microsoft delivers security updates. Providing this update now would be an excellent demonstration of security response. Instead, it’s a distressing failure in the face of a serious, real-world security issue.
    For now, if you are using Windows 8, I recommend that you disable the built-in Flash Player (it can’t be removed) by opening the Manage Add-Ons dialog box, selecting Shockwave Flash Object, and then clicking Disable. Until a patch is available for Internet Explorer 10, you’re better off using another browser.
    You can also use ActiveX Filtering (an IE9 feature that has survived into IE10) to block ActiveX and allow it on selected sites in the desktop browser. For details, see the instructions on page 2 of my IE9 FAQ.
    Update: In the Talkback section below, several commenters have argued that no one should be using Windows 8 in an environment that would put them at risk and that the terms of use from Microsoft specifically prohibit such use. I beg to differ.
    Volume License customers and Microsoft partners are allowed to use the code in production environments. And even subscribers to Microsoft programs are expected to evaluate in the real world.
    Here, for example, are Microsoft's guidelines from TechNet. I have boldfaced the scenarios that are allowed and problematic:
    TechNet Subscriptions software may be used to evaluate the Microsoft software in the following scenarios:

    Install/Uninstall – Time and process required for full, partial or upgrade software install/uninstall processes and system integration.
    Recovery – Capacity for software to recover from crashes, hardware failures, or other catastrophic problems.

  2. #2

    Toronto, Canada. Born in the U.K.
    Posts : 691
    Win 10 Pro + Win 7 Ult SP1 (x64)

    Thanks but Brink beat you to it here in the Windows 8 News section: Microsoft puts Windows 8 users at risk with missing Flash update
    Last edited by Ex_Brit; 07 Sep 2012 at 06:45.
