Windows 8 Internet Explorer shipping with vulnerable Flash

Estimated reading time: 2 minutes.

Update 2012Sep22: A Security Advisory published yesterday by Microsoft announced the availability of a patch for Flash in Internet Explorer 10. A related post on the Microsoft Security Response Center blog explains how security updates for Flash in Internet Explorer will be handled in the future. Anyone using Internet Explorer 10 or Windows 8 should install the Flash update as soon as possible.

Update 2012Sep11: Given the negative reaction to Microsoft’s previous announcement that recent Flash vulnerabilities would not be fixed in Internet Explorer 10 until after Windows 8 is released, today’s announcement is perhaps not much of a surprise. Microsoft is now saying that the Flash holes in IE10 will be plugged much sooner than originally announced. However, there will still be an easily-exploited delay between the launch of Windows 8 and the point at which all Windows 8 systems are patched.

Recently, Google switched to an integrated version of Flash in the Chrome web browser. They did this to simplify the update process: Chrome users no longer have to worry about keeping their browser’s Flash plugin up to date.

Microsoft has apparently done something similar with Internet Explorer 10, which is included with Windows 8. Unfortunately, the recent Flash vulnerabilities were not addressed in Internet Explorer 10 when Windows 8 was finalized recently. Which means Windows 8 has at least two very serious security holes in its integrated web browser, out of the box.

Microsoft says that the Flash vulnerabilities in Windows 8’s IE10 will be fixed during the regular patch cycle, but it’s not known exactly when the updates will appear.

Nefarious hackers are no doubt preparing for a surge of new Windows 8 systems to appear on the Internet, all with these rather large holes, ready to exploit.

If you are using Windows 8 or plan to start using it soon, your options are:

  • Stop using Internet Explorer. This isn’t really a viable option, since the browser is integrated into the O/S.
  • Disable Flash in Internet Explorer 10, assuming this is even possible.
  • Avoid all Flash content while using Internet Explorer 10. This is increasingly difficult to accomplish, given the prevalence of Flash content on the web.

About jrivett

Jeff Rivett has worked with and written about computers since the early 1980s. His first computer was an Apple II+, built by his father and heavily customized. Jeff's writing appeared in Computist Magazine in the 1980s, and he created and sold a game utility (Ultimaker 2, reviewed in the December 1983 Washington Apple Pi Journal) to international markets during the same period. Proceeds from writing, software sales, and contract programming gigs paid his way through university, earning him a Bachelor of Science (Computer Science) degree at UWO. Jeff went on to work as a programmer, sysadmin, and manager in various industries. There's more on the About page, and on the Jeff Rivett Consulting site.

Leave a Reply