Adobe confirms Windows 8 users vulnerable to active Flash exploits

Baked-in Flash Player in Windows 8's IE10 won't be updated until late October, says Microsoft

Computerworld | Security, Adobe, Adobe Flash

Complicating matters, Microsoft has also offered a free 90-day Windows 8 Pro RTM trial since Aug. 15 to anyone willing to download the large file.

Microsoft's situation is reminiscent of Apple's before it decided to dump Flash Player and Java from OS X. When Apple maintained those programs -- at the time both were bundled with all Macs -- it often lagged months behind Adobe and Sun Microsystems, then the owner of Java, in its patching.

"Anytime a company bundles a third-party application, they take on some unsaid but expected responsibility to help their users ensure that even the third-party applications get timely updates," said Andrew Storms, director of security operations at nCircle Security, in an email Friday. "Apple has been the worst [at this] and has clearly shown what not to do."

Some wondered whether the Flash patching gaffe was just a one-off. "Hopefully this is a one time problem," said someone labeled "dicobalt" on a Microsoft support thread two weeks ago.

It's unknown how Microsoft will handle updates for Flash after Windows 8 ships next month: The company has said nothing other than that it will deliver Flash changes through its own Windows Update service.

In July, however, Microsoft announced it now had the capability to update IE each month if necessary, a break with a years-long tradition of patching the browser only in even-numbered months. The change may be a clue that Microsoft expects to update Flash in IE10 on Windows 8 frequently.

But even a monthly timetable could leave Windows 8 users vulnerable to Flash exploits for weeks unless Adobe or Microsoft, or both, change their update practices.

Microsoft has a monthly patching schedule, called Patch Tuesday, and has rarely gone outside that to issue emergency, or "out-of-band," updates. In the last two years, for instance, it has shipped just one out-of-band patch. Meanwhile, Adobe does not adhere to any set patching schedule for Flash Player.

If Windows 8 had been available from the start of 2012, and Adobe and Microsoft had not adjusted their update ship dates, users would have been vulnerable a total of 77 days through Sept. 11, or about 30% of the year, assuming Microsoft updated Flash on the first-available Patch Tuesday after Adobe released its fixes.


Originally published on Computerworld.