Adobe Flash security update *is* coming to IE 10 (reportedly)


Earlier this week, I was discussing with colleagues the advantages and disadvantages of the Metro and desktop versions of Internet Explorer 10 that are available in Windows 8.

From a security perspective, there is an important difference users should be aware of: the Metro flavour of the browser runs without plug-ins (and ActiveX controls).

As we have discussed several times previously, exploit kits typically target these plug-ins, using vulnerabilities within them to infect the machine. Avoiding plug-ins is therefore a good thing as far as keeping your system secure.

However, things are not always that clear cut. As it happens, IE 10 (including Metro IE) integrates Adobe Flash Player, removing the need to install an additional player.

There's a but... Clue:

In late August, Adobe released a security update (APSB12-19) to address some critical vulnerabilities in Flash Player. Unfortunately, users running IE 10 on Windows 8 have not had this update. Furthermore, as reported last week, they were not even scheduled to get the update until general availability of Windows 8. (Users are unable to manually update Flash Player, leading to some concern and anger on various user forums.)

Therein lies one of the problems of integrating software components in this manner - it can cause undesirable delays in release of security updates. Not good.

Anyway, I was very pleased to read today that this decision appears to have been reversed. I have not been able to find any official Microsoft statement to confirm this, but if it is true, it is a welcome move.


2 Responses to Adobe Flash security update *is* coming to IE 10 (reportedly)

  1. vicki mckenny · 1083 days ago

    This is really scary....all the hacking going on. I know virtually nothing about computers, but I am trying to learn. The latest one is about moving your mouse over the name and delete certain items. I do not use my ticker at I have to do this, please help!!

  2. Nigel · 1082 days ago

    For now, exposure to this Flash vulnerability is limited only to those users who obtained Windows 8 and IE10 via the MSDN/TechNet releases. The implication is that it wouldn't affect "general" users because Microsoft already plans a patch for the general release version.

    Still, the point in Ed Bott's article is well taken, as he says in his closing paragraph:

    "The decision to incorporate Flash into Windows 8 was a controversial one. It would be ironic if that decision, which was driven by the desire to make Flash more secure and reliable, actually made Windows users less secure."

    The implications of building a proprietary version of Flash into IE10 -- one that can only be updated by Microsoft -- sure sounds like a bozo move. If Microsoft holds to its traditional "Patch Tuesday" schedule and Adobe maintains its schedule of releasing updates on the third or fourth Tuesday, there'll be an exposure window of as much as three additional weeks for all IE10 users after release to general availability. Not good.


About the author

Fraser is one of the Principal Virus Researchers in SophosLabs. He has been working for Sophos since 2006, and his main interest is in web related threats.