Microsoft warns of Flash vulnerability on IE 10 and Windows 8

Microsoft Windows users who might be hoping that the coming Windows 8 and Internet Explorer 10 releases might bring a reprieve from the drumbeat of security patches will be disappointed to learn that Microsoft has already released a security advisory affecting both platforms – weeks before their scheduled release.

Yunsun Wee, the Director of Microsoft’s Trustworthy Computing Group, announced the availability of Security Advisory 2755801 on Friday.

It concerns security vulnerabilities in - you guessed it - Adobe's Flash Player running in IE 10 on Windows 8.

According to the Advisory, which was published on Friday, Microsoft said that Flash drivers for Internet Explorer 10 contained vulnerabilities that a remote attacker could exploit through a malicious website, allowing them to run malware on the at-risk system.

Even Windows 8 users who don't use IE 10 could still be vulnerable to attack, because Microsoft Office applications invoke Flash Player in IE when users click links embedded in documents, email and other mediums, Microsoft said.

The company announced the availability of an update for Flash Player in IE10 on all supported versions of Windows 8 and Windows Server 2012. The update replaces vulnerable Flash libraries for IE 10 with patched versions.

In her blog post, Wee said that most Windows 8 users will get the necessary IE 10 file updates through Windows Update. She also acknowledged that Microsoft has its hands tied when addressing vulnerabilities in third-party components like Flash.

Wee said Microsoft is "working closely" with Adobe to "deliver quality protections that are aligned with Adobe’s update process."

The company also said it will coordinate its disclosure and release cycle with Adobe's quarterly updates and issue updates out of cycle if necessary to keep in line with emergency patches from Adobe.

The vulnerability in IE 10 and Windows 8 isn't likely to have a large impact for now, as both products are in a pre-release state and are used by only a tiny population of enthusiasts, third-party developers and beta testers.

That will change on October 26th, the scheduled release date for Microsoft’s latest Windows version – a major makeover of its franchise product.

The company is coming off a bruising week in which it was forced to scramble to patch a widespread and remotely exploitable vulnerability in its Internet Explorer web browser.

That vulnerability was discovered in the wild by an independent security researcher, and was already being used in attacks on Windows users.

One Response to Microsoft warns of Flash vulnerability on IE 10 and Windows 8

  1. JimboC · 726 days ago

    From reading this blog post, it gives the impression that the vulnerabilities in Flash weren’t addressed by Microsoft last week, when actually they were e.g.:

    ---------------------------
    According to the Advisory, which was published on Friday, Microsoft said that Flash drivers for Internet Explorer 10 contained vulnerabilities that could allow a remote attacker to use a malicious website that compromised the vulnerabilities, allowing them run malware on the at-risk system.
    ---------------------------

    From what I can tell, all of the known vulnerabilities were addressed by Microsoft to bring IE 10’s built in Flash Player in line with Adobe’s Flash Player 11.4.402.278.
    Also the release date for Windows 8 is October 26th, 2012 (and not the 25th) according to the following post on the Building Windows 8 blog:
    http://blogs.msdn.com/b/b8/archive/2012/08/01/rel...

    Thanks.

About the author

Paul is a Boston-based reporter and industry analyst with more than a decade of experience covering the IT industry, cyber security and hacking. His work has appeared on threatpost.com, The Boston Globe, salon.com, NPR's Marketplace, Fortune Small Business, as well as industry publications including ZDNet, Computerworld, InfoWorld, eWeek, CIO, CSO and ITWorld.com. Paul got his 15 minutes as an expert guest on The Oprah Show - but that's a long story.