As I reported last week, Microsoft has chosen tofor the Flash Player code in Internet Explorer 10 until the General Availability of Windows 8 in late October. Those security fixes, which were delivered to users of all other modern browsers on August 21, are not available to Windows 8 users who use Internet Explorer 10.
That means, if you are using Windows 8 in either a production environment or for evaluation purposes, you face an unacceptably high risk of being targeted by in-the-wild exploits aimed at those Flash vulnerabilities.
So what can you do? The obvious alternatives are to stop using Internet Explorer 10 until that update is released, or to stop using Windows 8 altogether. If you choose to use an alternative browser, I recommend that you disable the Shockwave Flash add-on in IE completely. (Other Windows-based browsers use the Flash plug-in, which is up to date. And the ActiveX-based Flash code in earlier versions of Windows, including IE9 in Windows 7, was updated in timely fashion.)
To disable Flash completely, click the gear icon in the upper right corner of the IE 10 window and then click Manage add-ons from the menu:
That opens the Manage Add-ons dialog box, shown below. Select the Shockwave Flash Object add-on and note that it is identified as a Microsoft Windows 3rd party Component. Also note the file date, which is a month before the relevant security fixes were available:
Click Disable, and then click Close. You are now safe from any exploits that rely on vulnerabilities in Flash. Any Flash-based code, legitimate or otherwise, will not run in Internet Explorer 10 when this add-on is disabled.
But what if you prefer to use Internet Explorer, or if your evaluation requires you to test IE using real-world web sites? In that case, you can take advantage of an extremely effective security tool that’s built into Internet Explorer versions 9 and 10.
The feature, called ActiveX Filtering, blocks all ActiveX controls on all domains in Internet Explorer. Because the built-in Flash Player in IE 10 is implemented as an ActiveX control, this feature disables it completely while still allowing you to decide, on a case-by-case basis, when you want to allow a trusted site to display Flash-based content.
To turn on ActiveX Filtering, click the gear icon, click Safety, and then click ActiveX Filtering. The check mark to the left of this setting means it is enabled.
When ActiveX Filtering is enabled, you’ll see this blue icon in the Internet Explorer address bar when you visit any site that uses the ActiveX-based Flash control:
For sites that use Flash to deliver ads or other non-essential content, you can go about your business securely. If you encounter a site that uses Flash to do something meaningful and you trust that site, click the blue icon to display this box.
Click Turn off ActiveX Filtering to allow Flash to work on the current domain. Note that this setting applies to the entire domain and is persistent. If you turn off ActiveX Filtering for example.com, you’ll be able to use Flash-based content on all pages on that domain, in the current session and in future sessions. For sites you don’t anticipate visiting again, you can click the blue icon in the address bar again to re-enable ActiveX Filtering for that domain.
(Of course, ActiveX Filtering blocks all ActiveX controls, not just Flash. That’s a benefit, for the most part, but it might be an issue if you use a corporate server that has proprietary ActiveX controls, or if you use Office 365 or other web services that use Office ActiveX controls.)
If you’re comfortable exploring the registry, you can inspect (and edit) the list of sites that are subject to ActiveX Filtering. Open Registry Editor (Regedit.exe) and look in HKCU\Software\Microsoft\Internet Explorer\Safety\ActiveXFilterExceptions.
This doesn’t have to be a short-term workaround. Given the steady stream of security issues associated with Flash, it might be a prudent strategy for everyday browsing, even after Microsoft finally gets its Flash-patching issues sorted out.