Microsoft puts Windows 8 users at risk with missing Flash update

Last month, Adobe released a batch of critical security updates for Flash Player. Those updates are available for every modern browser except one. Microsoft has yet to release the update for IE 10 in Windows 8, and may not do so until next month.
Written by Ed Bott, Senior Contributing Editor

Update, 11-September: Microsoft reverses course, will deliver critical Flash updates "shortly."

If you use Internet Explorer 10 with Windows 8 today, you are exposing yourself to potentially serious security risks.

On August 21, 2012, Adobe released a batch of security updates for its Flash Player. According to the security bulletin, “These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.”

For Windows, Adobe classifies these updates as Priority 1, its highest rating:

This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible. (for instance, within 72 hours).

If you use Windows 7 (or earlier) with any modern browser and you’ve enabled automatic updates, you already have the latest Flash security fixes. Ditto if you use a Mac.

But if you’re using Internet Explorer 10 on any version of Windows 8, including the RTM bits available via MSDN or TechNet and the enterprise preview, you are at risk. You cannot manually update the version of Flash baked into IE 10. Only Microsoft can do that.

Microsoft made a bold design decision with Internet Explorer in Windows 8, adding Adobe’s Flash Player to the browser as a built-in component instead of a third-party plugin. That design echoes Google’s decision long ago to include Flash Player in every version of Chrome.

The advantage of this design for Microsoft is that it enables playback of Flash content in the otherwise-plugin-free Windows 8 browser. The bad news is that it adds a bottleneck between Adobe’s updates and browser users.

Google has dealt with this issue by incorporating Flash updates into its automatic browser updates. The Chrome Stable Channel was updated on August 21, 2012 for Windows and Chrome Frame as well as Linux and Mac. The release notes say the build has “a new version of Flash with security and other fixes,” and it points to Adobe’s release notes for Flash Player 11.4.

For IE 10, however, no such update is yet available. I asked a Microsoft spokesperson to confirm that these recent security patches aren’t available, and I got this response:

Security is of course important to us, and we are working directly with Adobe to ensure that Windows 8 customers stay secure. We will update Flash in Windows 8 via Windows Update as needed. The current version of Flash in the Windows 8 RTM build does not have the latest fix, but we will have a security update coming through Windows Update in the GA timeframe.

The “GA timeframe” is October 26, which is more than two months after Adobe released these critical security updates.

This kind of slow response got Apple in big trouble earlier this year. The Flashback malware infected more than 600,000 Macs, roughly 1% of Apple's OS X installed base, using Java software that was included with the operating system and could not be removed:

Apple's update that fixed the Java security hole was released April 3, 2012. That’s 49
days after Oracle released Java SE 6 Update 31 for all other platforms. During that seven-week period, every Apple customer who had Java installed (and that includes every Mac owner running Leopard and Snow Leopard) was vulnerable to a silent installation of malware. Ultimately, Apple had to release an update that fixed the security hole and removed the malware already installed on its customers' Macs.

Sound familiar?

The situations aren’t exactly analogous. Windows 8 users have the benefit of built-in antivirus software and can use third-party security tools that can block in-the-wild exploits. And if you use the immersive (Metro style) browser, Flash is completely blocked from all but a handful of whitelisted sites. But the desktop version of IE 10 is wide open, and having a popular vector for malware with known vulnerabilities that can’t be patched should make anyone nervous.

Technically, Microsoft can argue that Windows 8 isn’t really released yet. It’s been released to manufacturing, but the only copies available to the public are clearly marked as “for evaluation.”

Sorry, that argument doesn’t work with me. One of the things any sensible IT pro should be evaluating in this release is how well Microsoft delivers security updates. Providing this update now would be an excellent demonstration of security response. Instead, it’s a distressing failure in the face of a serious, real-world security issue.

For now, if you are using Windows 8, I recommend that you disable the built-in Flash Player (it can’t be removed) by opening the Manage Add-Ons dialog box, selecting Shockwave Flash Object, and then clicking Disable. Until a patch is available for Internet Explorer 10, you’re better off using another browser.

You can also use ActiveX Filtering (an IE9 feature that has survived into IE10) to block ActiveX and allow it on selected sites in the desktop browser. For details, see the instructions on page 2 of my IE9 FAQ.

Update: In the Talkback section below, several commenters have argued that no one should be using Windows 8 in an environment that would put them at risk and that the terms of use from Microsoft specifically prohibit such use. I beg to differ.

Volume License customers and Microsoft partners are allowed to use the code in production environments. And even subscribers to Microsoft programs are expected to evaluate in the real world.

Here, for example, are Microsoft's guidelines from TechNet. I have boldfaced the scenarios that are allowed and problematic:

TechNet Subscriptions software may be used to evaluate the Microsoft software in the following scenarios:
Install/Uninstall – Time and process required for full, partial or upgrade software install/uninstall processes and system integration.
Recovery – Capacity for software to recover from crashes, hardware failures, or other catastrophic problems.
Security – Defining software’s ability to protect against unauthorized internal or external access.
Compatibility – Gauging software performance in existing or new hardware, software, operating system or network environments.
Comparison – Evaluating software to determine product strengths and weaknesses as compared to previous versions or similar products.
Usability – Assessing satisfaction among end users, observing end user utilization and understanding user interaction scenarios.
Performance – Ensuring software will perform as expected to requirements.
Stability – Estimating individual software’s ability to perform consistently, relative to system demands.
Environment – Determining software settings while software is being evaluated by end users in existing infrastructure. 

You have to use it to evaluate it, people.

And finally, as an anonymous commenter reminds me, Microsoft is aggressively rolling out Windows 8 to its entire workforce. My colleague Mary Jo Foley has even written about this effort: Microsoft IT: How we rolled out Windows 8 to 30,000 users. That sure seems like an opportunity for the bad guys...

Editorial standards