Adobe confirms Windows 8 users vulnerable to active Flash exploits
Baked-in Flash Player in Windows 8's IE10 won't be updated until late October, says Microsoft
Microsoft's Windows 8 is vulnerable to attack by exploits that hackers have been aiming at PCs for several weeks, Adobe confirmed Friday.
Microsoft said it will not patch the bug in Flash Player until what it called "GA," for "general availability." That would be Oct. 26, when Windows 8 hits retail and PCs powered by the new operating system go on sale.
"We will update Flash in Windows 8 via Windows Update as needed," a spokeswoman said in a reply to questions. "The current version of Flash in the Windows 8 RTM build does not have the latest fix, but we will have a security update coming through Windows Update in the GA timeframe."
Microsoft, not Adobe, is responsible for patching Flash Player in Windows 8 because the company took a page from Google's playbook and integrated the popular media software with Internet Explorer 10 (IE10), the new operating system's browser. Microsoft announced that move in late May when it launched the last public sneak peek of Windows 8, or "Release Preview."
At the time, Dean Hachamovitch, the company's lead executive for IE, said, "By updating Flash through Windows Update, like IE, we make security more convenient for customers."
Google's Chrome was the first -- and until Microsoft's move, the only -- browser to integrate Flash Player rather than rely on an external plug-in. Google has been providing updated versions of Flash Player with Chrome for more than two years, and usually refreshes its browser with Flash patches the same day that Adobe issues them to the public. In some instances, Google has actually beaten Adobe to the patch punch.
Not so with Microsoft in the case of Windows 8 RTM, or "release to manufacturing," the Aug. 1 milestone that gave the go-ahead for computer makers to start preparing new PCs and for some customers to download, install and start using the upgrade.
Last month, Adobe issued two updates for Flash Player that patched eight vulnerabilities, some of which were ranked as "1" by the company, its highest threat warning. One of the vulnerabilities, tagged as CVE-2012-1535, was patched Aug. 14, but had been exploited for an indeterminate time before that.
In fact, CVE-2012-1535 was one of four "zero-days," or unpatched vulnerabilities, exploited in a 16-week stretch by an elite hacker gang revealed by Symantec researchers on Friday.
Microsoft has not updated the Flash in IE10 within Windows 8 to accommodate those two sets of patches, Adobe confirmed Friday. "Flash Player 11.3.372.94 does not incorporate the fixes released in APSB12-18 and APSB12-19," said Wiebke Lips, a spokeswoman for Adobe, referring to the Aug. 14 and Aug. 21 Flash updates.
Windows 8 RTM's IE10 identifies the integrated Flash Player as version 11.3.372.94, a more recent build than the one in Windows 8 Release Preview, but older than the most-up-to-date version for Windows, 11.4.402.265, which Adobe delivered on Aug. 21.
Adobe actually told some users about Windows 8's Flash situation two weeks ago.
On an Adobe support forum, a company representative announced on Aug. 23 that there would be no Flash update for Windows 8 and IE10 until late October. "Since Windows 8 has not yet been released for general availability, the update channel is not active," said Chris Campbell, identified as an Adobe employee. "Once this goes live, you'll start getting updates to Flash Player."
It was unclear what Campbell meant by "the update channel is not active," as Microsoft has patched Windows 8, most recently in July when it issued fixes to both Windows 8's Consumer Preview and Release Preview through Windows Update.
Internet Explorer 10 on Windows 8 desktop relies on a baked-in version of Flash that hasn't been updated to account for some critical bugs, including one hackers have been exploiting for weeks.
Microsoft support engineers have known of the Flash problem on Windows 8 since at least Aug. 25.
Even though users noticed last month that IE10's Flash had fallen behind Adobe's version, it wasn't until this week that ZDNet blogger Ed Bott first reported that Windows 8 users were vulnerable to attack.
Some of the people commenting on Adobe's and Microsoft's support forums, as well as on Bott's blog, argued that Microsoft should be excused for not patching Flash because Windows 8 has not widely shipped. Others disagreed, pointing out that Windows 8 RTM has been available to enterprises with volume licensing agreements for several weeks, and so it has moved beyond the evaluation phase.
Complicating matters, Microsoft has also offered a free 90-day Windows 8 Pro RTM trial since Aug. 15 to anyone willing to download the large file.
Microsoft's situation is reminiscent of Apple's before it decided to dump Flash Player and Java from OS X. When Apple maintained those programs -- at the time both were bundled with all Macs -- it often lagged months behind Adobe and Sun Microsystems, then the owner of Java, in its patching.
"Anytime a company bundles a third-party application, they take on some unsaid but expected responsibility to help their users ensure that even the third-party applications get timely updates," said Andrew Storms, director of security operations at nCircle Security, in an email Friday. "Apple has been the worst [at this] and has clearly shown what not to do."
Some wondered whether the Flash patching gaffe was just a one-off. "Hopefully this is a one time problem," said someone labeled "dicobalt" on a Microsoft support thread two weeks ago.
It's unknown how Microsoft will handle updates for Flash after Windows 8 ships next month: The company has said nothing other than it will deliver Flash changes through its own Windows Update service.
In July, however, Microsoft announced it now had the capability to update IE each month if necessary, a break with a years-long tradition of patching the browser only in even-numbered months. The change may be a clue that Microsoft expects to update Flash in IE10 on Windows 8 frequently.
But even a monthly timetable could leave Windows 8 users vulnerable to Flash exploits for weeks unless Adobe or Microsoft, or both, change their update practices.
Microsoft has a monthly patching schedule, called Patch Tuesday, and has rarely gone outside that to issue emergency, or "out-of-band" updates. In the last two years, for instance, it has shipped just one out-of-band patch. Meanwhile, Adobe does not adhere to any set patching schedule for Flash Player.
If Windows 8 had been available from the start of 2012, and Adobe and Microsoft had not adjusted their update ship dates, users would have been vulnerable a total of 77 days through Sept. 11, or about 30% of the year, assuming Microsoft updated Flash on the first-available Patch Tuesday after Adobe released its fixes.
The longest delay of 2012's seven Flash updates would have been 27 days, when Adobe released Flash patches on Feb. 15, the day after Microsoft shipped the month's updates. The second-longest would have been the 21 days between Adobe's Aug. 21 update and next Tuesday's expected patches from Microsoft.
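The exposure arithmetic above is easy to reproduce. The following is an added example, not part of the Computerworld article: it computes Microsoft's regular Patch Tuesday (the second Tuesday of the month) and the number of days between an Adobe Flash release and the next Patch Tuesday on which Microsoft could have shipped it. The release dates are the ones the article cites; treating a same-day release as a zero-day window is an assumption of this example.

```python
from datetime import date, timedelta


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month, Microsoft's regular Patch Tuesday."""
    first = date(year, month, 1)
    # weekday(): Monday == 0, so Tuesday == 1
    days_to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def next_patch_tuesday(release_iso: str) -> date:
    """First Patch Tuesday on or after the given ISO date.

    Assumption: an Adobe release that lands on Patch Tuesday itself is
    treated as shipped the same day (zero-day window).
    """
    release = date.fromisoformat(release_iso)
    year, month = release.year, release.month
    while True:
        candidate = patch_tuesday(year, month)
        if candidate >= release:
            return candidate
        # Roll over to the following month and try again.
        month += 1
        if month > 12:
            month, year = 1, year + 1


def exposure_days(release_iso: str) -> int:
    """Days users would stay unpatched waiting for the next Patch Tuesday."""
    release = date.fromisoformat(release_iso)
    return (next_patch_tuesday(release_iso) - release).days


def exposure_table(release_isos):
    """(release, next Patch Tuesday, days exposed) for each release date."""
    return [(r, next_patch_tuesday(r).isoformat(), exposure_days(r))
            for r in release_isos]


if __name__ == "__main__":
    # Constructed sample: the three 2012 Adobe Flash release dates the article names.
    for release, patch_day, days in exposure_table(["2012-02-15", "2012-08-14", "2012-08-21"]):
        print(f"Adobe {release} -> Microsoft {patch_day}: {days} days exposed")
```

Running it reproduces the article's figures: 27 days for the Feb. 15 release (next Patch Tuesday March 13) and 21 days for Aug. 21 (Sept. 11).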
Storms said Microsoft has to do better than that.
"They have to meet the gold standard, which is Chrome," said Storms. "Given Microsoft's relationship with Adobe with respect to MAPP, one would think that Microsoft and Adobe would be in lockstep to deliver patches." Adobe joined the Microsoft Active Protections Program (MAPP) in 2010, through which it shares details on its latest bugs and patches with other security firms.
In this instance, at least, Microsoft is certainly not in step with Adobe.
"Using Windows Update to keep constantly buggy versions of Flash updated is a nice idea, but if you can't deliver in a timely fashion then it doesn't mean a whole lot," said "dicobalt" on Microsoft's support forum.
Until Microsoft patches Flash on IE10 in Windows 8, users can run a different browser -- Chrome or Mozilla's Firefox, for example -- that relies on the up-to-date Windows plug-in.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is firstname.lastname@example.org.