Earlier this week, I was discussing with colleagues the advantages and disadvantages of the Metro and desktop versions of Internet Explorer 10 that are available in Windows 8.
From a security perspective, there is an important difference users should be aware of: the Metro flavour of the browser runs without plug-ins (and ActiveX controls).
As we have discussed several times previously, exploit kits typically target these plug-ins, using vulnerabilities within them to infect the machine. Avoiding plug-ins is therefore a good thing as far as keeping your system secure.
However, things are not always that clear cut. As it happens, IE 10 integrates Adobe Flash Player (including Metro IE), removing the need to install an additional player.
There’s a but… Clue:
In late August, Adobe released a security update (APSB12-19) to address some critical vulnerabilities in Flash Player. Unfortunately, users running IE 10 on Windows 8 have not had this update. Furthermore, as reported last week, they were not even scheduled to get the update until general availability of Windows 8. (Users are unable to manually update Flash Player, leading to some concern and anger on various user forums.)
Therein lies one of the problems of integrating software components in this manner – it can cause undesirable delays in release of security updates. Not good.
Anyway, I was very pleased to read today that this decision appears to have been reversed. I have not been able to find any official Microsoft statement to confirm this, but if it is true, it is a welcome move.Follow @SophosLabs
plug image courtesy of ShutterStock