Microsoft Windows users who might be hoping that the coming Windows 8 and Internet Explorer 10 releases will bring a reprieve from the drumbeat of security patches will be disappointed to learn that Microsoft has already released a security advisory affecting both platforms – weeks before their scheduled release.
Yunsun Wee, the Director of Microsoft’s Trustworthy Computing Group, announced the availability of Security Advisory 2755801 on Friday.
It concerns security vulnerabilities in – you guessed it – Adobe’s Flash Player running in IE 10 on Windows 8.
According to the Advisory, which was published on Friday, Flash drivers for Internet Explorer 10 contained vulnerabilities that a remote attacker could exploit through a malicious website, allowing them to run malware on the at-risk system.
Even Windows 8 users who don’t use IE 10 could still be vulnerable to attack, because Microsoft Office applications invoke Flash Player in IE when users click links embedded in documents, email and other mediums, Microsoft said.
The company announced the availability of an update for Flash Player in IE10 on all supported versions of Windows 8 and Windows Server 2012. The update replaces vulnerable Flash libraries for IE 10 with patched versions.
In her blog post, Wee said that most Windows 8 users will get the necessary IE 10 file updates through Windows Update. She also acknowledged that Microsoft has its hands tied when addressing vulnerabilities in third-party components like Flash.
Wee said Microsoft is “working closely” with Adobe to “deliver quality protections that are aligned with Adobe’s update process.”
The company also said it will coordinate its disclosure and release cycle with Adobe’s quarterly updates and issue updates out of cycle if necessary to keep in line with emergency patches from Adobe.
The vulnerability in IE 10 and Windows 8 isn’t likely to have a large impact for now, as both products are in a pre-release state and are used by only a tiny population of enthusiasts, third-party developers and beta testers.
That will change on October 26th, the scheduled release date for Microsoft’s latest Windows version – a major makeover of its franchise product.
The company is coming off a bruising week in which it was forced to scramble to patch a widespread and remotely exploitable vulnerability in its Internet Explorer web browser.
That vulnerability was discovered in the wild by an independent security researcher, and was already being used in attacks on Windows users.