Computerworld - Microsoft's Windows 8 is vulnerable to attack by exploits that hackers have been aiming at PCs for several weeks, Adobe confirmed Friday.
Microsoft said it will not patch the bug in Flash Player until what it called "GA," for "general availability." That would be Oct. 26, when Windows 8 hits retail and PCs powered by the new operating system go on sale.
"We will update Flash in Windows 8 via Windows Update as needed," a spokeswoman said in a reply to questions. "The current version of Flash in the Windows 8 RTM build does not have the latest fix, but we will have a security update coming through Windows Update in the GA timeframe."
Microsoft, not Adobe, is responsible for patching Flash Player in Windows 8 because the company took a page from Google's playbook and integrated the popular media software with Internet Explorer 10 (IE10), the new operating system's browser. Microsoft announced that move in late May when it launched the last public sneak-peak of Windows 8, or "Release Preview."
At the time, Dean Hachamovitch, the company's lead executive for IE, said, "By updating Flash through Windows Update, like IE, we make security more convenient for customers."
Chrome was the first -- and until Microsoft's move, the only -- browser maker to integrate Flash Player rather than rely on an external plug-in. Google has been providing updated versions of Flash Player with Chrome for more than two years, and usually refreshes its browser with Flash patches the same day that Adobe issues them to the public. In some instances, Google has actually beaten Adobe to the patch punch.
Not so with Microsoft in the case of Windows 8 RTM, or "release to manufacturing," the Aug. 1 milestone that gave the go-ahead for computer makers to start preparing new PCs and for some customers to download, install and start using the upgrade.
Last month, Adobe issued two updates for Flash Player that patched eight vulnerabilities, some of which were ranked as "1" by the company, its highest threat warning. One of the vulnerabilities, tagged as CVE-2012-1535, was patched Aug. 14, but had been exploited for an indeterminate time before that.
In fact, CVE-2012-1535 was one of four "zero-days," or unpatched vulnerabilities, exploited in a 16-week stretch by an elite hacker gang revealed by Symantec researchers on Friday.
Microsoft has not updated the Flash in IE10 within Windows 8 to accommodate those two sets of patches, Adobe confirmed Friday. "Flash Player 11.3.372.94 does not incorporate the fixes released in APSB12-18 and APSB12-19," said Wiebke Lips, a spokeswoman for Adobe, referring to the Aug. 14 and Aug. 21 Flash updates.
Windows 8 RTM's IE10 identifies the integrated Flash Player as version 11.3.372.94, a more recent build than the one in Windows 8 Release Preview, but older than the most-up-to-date version for Windows, 11.4.402.265, which Adobe delivered on Aug. 21.
Adobe actually told some users about Windows 8's Flash situation two weeks ago.
On an Adobe support forum, a company representative announced on Aug. 23 that there would be no Flash update for Windows 8 and IE10 until late October. "Since Windows 8 has not yet been released for general availability, the update channel is not active," said Chris Campbell, identified as an Adobe employee. "Once this goes live, you'll start getting updates to Flash Player."
It was unclear what Campbell meant by "the update channel is not active," as Microsoft has patched Windows 8, most recently in July when it issued fixes to both Windows 8's Consumer Preview and Release Preview through Windows Update.
Microsoft support engineers have known of the Flash problem on Windows 8 since at least Aug. 25.
Even though users noticed last month that IE10's Flash had fallen behind Adobe's version, it wasn't until this week that ZDNet blogger Ed Bott first reported that Windows 8 users were vulnerable to attack.
Free Insider GuideCopyright © 1994 - 2013 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
