Adobe confirms Windows 8 users vulnerable to active Flash exploits
Baked-in Flash Player in Windows 8's IE10 won't be updated until late October, says Microsoft
Computerworld - Microsoft's Windows 8 is vulnerable to attack by exploits that hackers have been aiming at PCs for several weeks, Adobe confirmed Friday.
Microsoft said it will not patch the bug in Flash Player until what it called "GA," for "general availability." That would be Oct. 26, when Windows 8 hits retail and PCs powered by the new operating system go on sale.
"We will update Flash in Windows 8 via Windows Update as needed," a spokeswoman said in a reply to questions. "The current version of Flash in the Windows 8 RTM build does not have the latest fix, but we will have a security update coming through Windows Update in the GA timeframe."
Microsoft, not Adobe, is responsible for patching Flash Player in Windows 8 because the company took a page from Google's playbook and integrated the popular media software with Internet Explorer 10 (IE10), the new operating system's browser. Microsoft announced that move in late May when it launched the last public sneak-peak of Windows 8, or "Release Preview."
At the time, Dean Hachamovitch, the company's lead executive for IE, said, "By updating Flash through Windows Update, like IE, we make security more convenient for customers."
Chrome was the first -- and until Microsoft's move, the only -- browser maker to integrate Flash Player rather than rely on an external plug-in. Google has been providing updated versions of Flash Player with Chrome for more than two years, and usually refreshes its browser with Flash patches the same day that Adobe issues them to the public. In some instances, Google has actually beaten Adobe to the patch punch.
Not so with Microsoft in the case of Windows 8 RTM, or "release to manufacturing," the Aug. 1 milestone that gave the go-ahead for computer makers to start preparing new PCs and for some customers to download, install and start using the upgrade.
Last month, Adobe issued two updates for Flash Player that patched eight vulnerabilities, some of which were ranked as "1" by the company, its highest threat warning. One of the vulnerabilities, tagged as CVE-2012-1535, was patched Aug. 14, but had been exploited for an indeterminate time before that.
In fact, CVE-2012-1535 was one of four "zero-days," or unpatched vulnerabilities, exploited in a 16-week stretch by an elite hacker gang revealed by Symantec researchers on Friday.
Microsoft has not updated the Flash in IE10 within Windows 8 to accommodate those two sets of patches, Adobe confirmed Friday. "Flash Player 11.3.372.94 does not incorporate the fixes released in APSB12-18 and APSB12-19," said Wiebke Lips, a spokeswoman for Adobe, referring to the Aug. 14 and Aug. 21 Flash updates.
Windows 8 RTM's IE10 identifies the integrated Flash Player as version 11.3.372.94, a more recent build than the one in Windows 8 Release Preview, but older than the most-up-to-date version for Windows, 11.4.402.265, which Adobe delivered on Aug. 21.
Adobe actually told some users about Windows 8's Flash situation two weeks ago.
On an Adobe support forum, a company representative announced on Aug. 23 that there would be no Flash update for Windows 8 and IE10 until late October. "Since Windows 8 has not yet been released for general availability, the update channel is not active," said Chris Campbell, identified as an Adobe employee. "Once this goes live, you'll start getting updates to Flash Player."
It was unclear what Campbell meant by "the update channel is not active," as Microsoft has patched Windows 8, most recently in July when it issued fixes to both Windows 8's Consumer Preview and Release Preview through Windows Update.
Microsoft support engineers have known of the Flash problem on Windows 8 since at least Aug. 25.
Even though users noticed last month that IE10's Flash had fallen behind Adobe's version, it wasn't until this week that ZDNet blogger Ed Bott first reported that Windows 8 users were vulnerable to attack.
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!