Your analogy is not accurate. A vendor is responsible for providing security updates for components that they distribute with their product. If Microsoft provides Flash 6 with Windows XP, then they are responsible for providing Flash 6 security updates for the duration that Windows XP is supported.
In other words, a fully-patched, supported Windows XP system with no additional software installed should be secure to known vulnerabilities.
This liability is probably why Microsoft stopped distributing flash after XP.
The best of ZDNet, delivered
ZDNet Newsletters
Get the best of ZDNet delivered straight to your inbox
