Microsoft puts Windows 8 users at risk with missing Flash update

Summary: Last month, Adobe released a batch of critical security updates for Flash Player. Those updates are available for every modern browser except one. Microsoft has yet to release the update for IE 10 in Windows 8, and may not do so until next month.


Update, 11-September: Microsoft reverses course, will deliver critical Flash updates "shortly."

If you use Internet Explorer 10 with Windows 8 today, you are exposing yourself to potentially serious security risks.

On August 21, 2012, Adobe released a batch of security updates for its Flash Player. According to the security bulletin, “These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.”

For Windows, Adobe classifies these updates as Priority 1, its highest rating:

This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible (for instance, within 72 hours).

If you use Windows 7 (or earlier) with any modern browser and you’ve enabled automatic updates, you already have the latest Flash security fixes. Ditto if you use a Mac.

But if you’re using Internet Explorer 10 on any version of Windows 8, including the RTM bits available via MSDN or TechNet and the enterprise preview, you are at risk. You cannot manually update the version of Flash baked into IE 10. Only Microsoft can do that.

Microsoft made a bold design decision with Internet Explorer in Windows 8, adding Adobe’s Flash Player to the browser as a built-in component instead of a third-party plugin. That design echoes Google’s decision long ago to include Flash Player in every version of Chrome.

The advantage of this design for Microsoft is that it enables playback of Flash content in the otherwise-plugin-free Windows 8 browser. The bad news is that it adds a bottleneck between Adobe’s updates and browser users.

Google has dealt with this issue by incorporating Flash updates into its automatic browser updates. The Chrome Stable Channel was updated on August 21, 2012 for Windows and Chrome Frame as well as Linux and Mac. The release notes say the build has “a new version of Flash with security and other fixes,” and it points to Adobe’s release notes for Flash Player 11.4.

For IE 10, however, no such update is yet available. I asked a Microsoft spokesperson to confirm that these recent security patches aren’t available, and I got this response:

Security is of course important to us, and we are working directly with Adobe to ensure that Windows 8 customers stay secure. We will update Flash in Windows 8 via Windows Update as needed. The current version of Flash in the Windows 8 RTM build does not have the latest fix, but we will have a security update coming through Windows Update in the GA timeframe.

The “GA timeframe” is October 26, which is more than two months after Adobe released these critical security updates.

This kind of slow response got Apple in big trouble earlier this year. The Flashback malware infected more than 600,000 Macs, roughly 1% of Apple's OS X installed base, using Java software that was included with the operating system and could not be removed:

Apple's update that fixed the Java security hole was released April 3, 2012. That’s 49 days after Oracle released Java SE 6 Update 31 for all other platforms. During that seven-week period, every Apple customer who had Java installed (and that includes every Mac owner running Leopard and Snow Leopard) was vulnerable to a silent installation of malware. Ultimately, Apple had to release an update that fixed the security hole and removed the malware already installed on its customers' Macs.

Sound familiar?

The situations aren’t exactly analogous. Windows 8 users have the benefit of built-in antivirus software and can use third-party security tools that can block in-the-wild exploits. And if you use the immersive (Metro style) browser, Flash is completely blocked from all but a handful of whitelisted sites. But the desktop version of IE 10 is wide open, and having a popular vector for malware with known vulnerabilities that can’t be patched should make anyone nervous.

Technically, Microsoft can argue that Windows 8 isn’t really released yet. It’s been released to manufacturing, but the only copies available to the public are clearly marked as “for evaluation.”

Sorry, that argument doesn’t work with me. One of the things any sensible IT pro should be evaluating in this release is how well Microsoft delivers security updates. Providing this update now would be an excellent demonstration of security response. Instead, it’s a distressing failure in the face of a serious, real-world security issue.

For now, if you are using Windows 8, I recommend that you disable the built-in Flash Player (it can’t be removed) by opening the Manage Add-ons dialog box, selecting Shockwave Flash Object, and then clicking Disable. Until a patch is available for Internet Explorer 10, you’re better off using another browser.

You can also use ActiveX Filtering (an IE9 feature that has survived into IE10) to block ActiveX and allow it on selected sites in the desktop browser. For details, see the instructions on page 2 of my IE9 FAQ.
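For administrators who want to verify where a Windows 8 machine stands rather than trust the UI, here is an added read-only audit script in PowerShell. It is not from this article or from Microsoft; it reports the build of the Flash ActiveX control embedded in IE 10, compares it against the patched build you pass in (take that number from Adobe's bulletin; the script does not know it), and also reports whether the control's kill bit is set, which is an administrator-side block I am assuming as an alternative to the per-user Manage Add-ons step above. The file paths and the Flash CLSID are the standard ones for the embedded control; everything else is an assumption of this example.

```powershell
<#
  Added audit example (not code from the article or from Microsoft).
  Reports the Flash Player build embedded in IE 10 on Windows 8, whether it
  is at or above a required (patched) build, and whether the Flash ActiveX
  kill bit is set. -RequiredVersion must be supplied from Adobe's bulletin.
#>
param(
    # Patched build to compare against, e.g. the version named in Adobe's
    # security bulletin for the fix you care about (assumption: you supply it).
    [Parameter(Mandatory = $true)]
    [string]$RequiredVersion
)

Set-StrictMode -Version Latest

# Standard locations of the IE-embedded Flash control (64-bit and 32-bit IE).
$candidates = @(
    "$env:SystemRoot\System32\Macromed\Flash\Flash.ocx",
    "$env:SystemRoot\SysWOW64\Macromed\Flash\Flash.ocx"
)

# Well-known class id of the Shockwave Flash Object; 0x400 is IE's kill-bit flag.
$flashClsid  = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
$killBitKey  = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid"
$killBitFlag = 0x400

function ConvertTo-FlashVersion {
    param([string]$Text)
    # Flash version resources sometimes use commas ("11,4,402,265") instead
    # of dots, which [version] will not parse; normalise before casting.
    return [version]($Text -replace ',', '.')
}

$required = ConvertTo-FlashVersion $RequiredVersion

$results = foreach ($path in $candidates) {
    if (-not (Test-Path -Path $path)) { continue }
    $info      = (Get-Item -Path $path).VersionInfo
    $installed = ConvertTo-FlashVersion $info.ProductVersion
    [pscustomobject]@{
        Path      = $path
        Installed = $installed
        Required  = $required
        Patched   = ($installed -ge $required)
    }
}

if (-not $results) {
    Write-Warning 'No embedded Flash.ocx found; this does not look like Windows 8 with IE 10.'
    return
}

$results | Format-Table -AutoSize

# Kill-bit check: if the Compatibility Flags value has 0x400 set, the desktop
# browser refuses to instantiate the control regardless of Manage Add-ons.
$killBitSet = $false
if (Test-Path -Path $killBitKey) {
    $props = Get-ItemProperty -Path $killBitKey
    if ($props.PSObject.Properties['Compatibility Flags']) {
        $killBitSet = (($props.'Compatibility Flags' -band $killBitFlag) -ne 0)
    }
}

if ($killBitSet) {
    Write-Output 'Flash ActiveX kill bit is set: the control is blocked in desktop IE.'
} elseif ($results | Where-Object { -not $_.Patched }) {
    Write-Output 'Unpatched embedded Flash found and the kill bit is NOT set.'
} else {
    Write-Output 'Embedded Flash meets the required build.'
}
```

Run it from an elevated PowerShell prompt as `.\Audit-EmbeddedFlash.ps1 -RequiredVersion <build from the Adobe bulletin>`; it changes nothing on the machine, so it is safe to push through a login script or management tool to inventory a fleet before deciding whether to disable the add-on.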

Update: In the Talkback section below, several commenters have argued that no one should be using Windows 8 in an environment that would put them at risk and that the terms of use from Microsoft specifically prohibit such use. I beg to differ.

Volume License customers and Microsoft partners are allowed to use the code in production environments. And even subscribers to Microsoft programs are expected to evaluate in the real world.

Here, for example, are Microsoft's guidelines from TechNet. I have boldfaced the scenarios that are allowed and problematic:

TechNet Subscriptions software may be used to evaluate the Microsoft software in the following scenarios:

Install/Uninstall – Time and process required for full, partial or upgrade software install/uninstall processes and system integration.
Recovery – Capacity for software to recover from crashes, hardware failures, or other catastrophic problems.
Security – Defining software’s ability to protect against unauthorized internal or external access.
Compatibility – Gauging software performance in existing or new hardware, software, operating system or network environments.
Comparison – Evaluating software to determine product strengths and weaknesses as compared to previous versions or similar products.
Usability – Assessing satisfaction among end users, observing end user utilization and understanding user interaction scenarios.
Performance – Ensuring software will perform as expected to requirements.
Stability – Estimating individual software’s ability to perform consistently, relative to system demands.
Environment – Determining software settings while software is being evaluated by end users in existing infrastructure.

You have to use it to evaluate it, people.

And finally, as an anonymous commenter reminds me, Microsoft is aggressively rolling out Windows 8 to its entire workforce. My colleague Mary Jo Foley has even written about this effort: Microsoft IT: How we rolled out Windows 8 to 30,000 users. That sure seems like an opportunity for the bad guys...

  • I have been waiting

    To see the update in Windows Update since you can't manually update it anymore...
    • What Windows 8 Users?

      I have yet to see a device on a store shelf that I can lay down my hard-earned cash for. I have it dual booted on my workstation so I can get familiar with it, but by no stretch of the imagination is this my primary OS yet. I suspect that the tens of hundreds of "users" out there right now are your typical blogger who wants to get some hands-on time with the RTM before they deploy it.
    • For a new OS, that's pretty bad

      Pathetic, even...
      Cylon Centurion
      • Blow away.

        You're like a dry leaf.
        • That sticks to you

          Like glue.

          Cylon Centurion II
    • disable IE.

      Programs and Features -> Windows Components -> Internet Explorer. Uncheck that junk. Go install a real browser that is way more secure and gets updated days/weeks/months ahead of the others. CHROME!!!!!
      Nadia Reilperson
  • An IE10 Flaw, Already!

    Color me surprised! Once again, I will stick with Chrome, unless MS has found a way to block that..
    • It is a flaw in Flash, you idiot

      But Microsoft has to update it. I am sure there will be an update soon for an OS that nobody is really using yet since it has only recently been released to RTM. I do agree that if Microsoft is going to control the use of Flash in IE10 they need to get on the ball and release the patches as soon as the third party makes the patch available.
      • Enough people are using it to be a problem...

        Even Ed said as much in his article. Microsoft wants IT to adopt Windows 8, they have to work hard to prove that the platform is secure enough. Even if this is a low-risk issue, just the perception of Microsoft dragging their heels is bad news.

        I would bet there are enough users of Windows 8 right now that the situation is VERY similar to the one that plagued Mac OS X with Flashback.
      • Not to Point Fingers

        Microsoft made an engineering choice regarding Flash, someone else's technology with quite checkered history. Now Windows 8 is pre-release, meaning you are not really supposed to use it in all but testing contexts. So, who's to blame? I don't care, but it looks as though it's Microsoft who has to run with the baton Adobe passed them last month.

        If I were in the IE10 plug-in/built-in meeting, I hope I would have said we have to have a way to quickly distribute Flash patches. I expect someone actually did say that and someone decided it could wait.

        The reality is that the bad guys are far more agile than our browser providers, so quick responses are preferred, but no guarantees.
        • And I thought only government bureaucracy was bad

          If private industry does it better, why isn't it? Does it not have a responsibility as well?
        • ADOBE Pre-Selecting Chrome and Google toolbar on its Flash updates.

          Adobe is pulling an Apple and pre-selecting Google Chrome along with setting it as your default browser and Google toolbar.
          How does this $hit keep happening?

          And thanks to the guy who posted the "if MSFT doesn't find a way to stop it" concerning his choice to use Chrome because of this, as though Chrome has never had a security related patch. Color me surprised you are that naive or biased, Ricardus.
        • RTM isn't pre-release

          It's a kind of limbo, but once it's gold code/RTM, it's not pre-release any more; it's about preparation for general availability. Getting security updates right should be higher on the priority list than this.
  • Technically right

    The issue here is really Flash. While the article is true, valid, etc... It puts blame on Microsoft and further trashes Windows 8 on its launch. Windows 8 was so trashed in the media, I expected a bad user experience on a traditional desktop PC. Don't believe everything you read, trust me ;). Sure, there are a few annoyances, a few adjustments to get used to, but it is awesome!
    • Sorry, no

      By committing to include Flash updates as part of the browser, which in turn is part of the operating system, Microsoft accepted that responsibility.
      Ed Bott
      • Yes, Microsoft did accept the responsibility....

        That's why they released the RTM before final release to users. Getting the last kinks worked out. I would dare say that there should be a line drawn between RTM and Final public release.
        • Work out kinks?

          Yesterday I installed the RTM for Windows 8 Enterprise on a machine for testing. This is supposed to be the final version they gave to the manufacturers to install on new machines. After you release to manufacturers is not when you work out the kinks.
          • Work out kinks?

            RTM is what you are calling it. Windows calls it Windows 8 whatever version Evaluation. Check the bottom right of the Desktop UI.
        • Accepting that responsibility

          Doesn't mean they get off the hook.

          If Micro$oft REALLY wants to do the right thing then dump Flash once and for all!!
          Cylon Centurion
          • And this is the right answer.

            100% agree. I dumped Flash 6-7 years ago (kept one browser that could use it). I have not needed it for 2 years.