Internet Explorer 10’s bundled Flash leaves users exploitable

The included version is out-of-date, but can't be fixed with Adobe's updater.

Early users of Windows 8's built-in Internet Explorer may find themselves at risk of exploitation via the Flash plugin, as the version included with Windows 8 is out of date. Adobe patched Flash on August 21 to resolve known security flaws, but the patch can't be applied to Internet Explorer 10.

Internet Explorer 10 bundles Adobe Flash, with Microsoft taking on responsibility for shipping updates to the integrated plugin. One repercussion of this arrangement is that Adobe's patches and auto-update mechanism can't be used: Adobe can update the standalone version used by Firefox, but not the embedded version in Internet Explorer. The same is true of Chrome; it includes an embedded version of Flash, and the only way to update that is with a Chrome update. Adobe's updater can't touch it.

There has been some chatter on Twitter about this issue since Adobe shipped its most recent patch. Ed Bott at ZDNet asked Microsoft about the issue, and was told:

We will update Flash in Windows 8 via Windows Update as needed. The current version of Flash in the Windows 8 RTM build does not have the latest fix, but we will have a security update coming through Windows Update in the GA timeframe.

"GA" means general availability; it refers to the October 26th date when Windows 8 will go on sale through retail channels. There is a contradiction implicit in this statement; Flash in Windows 8 needs an update now, so plainly Microsoft is not updating it "as needed."

There is a broader underlying issue here. Microsoft's policy is, in general, to release software patches, including Internet Explorer patches, on the second Tuesday of each month. Adobe's is also to release them on Tuesdays—but the third or fourth Tuesday.

If these policies are retained, then there will be a systematic vulnerability window. Microsoft will patch Internet Explorer, and then a week or two later, Adobe will reveal a raft of new Flash security flaws when it patches Flash. Windows users will then have to wait several weeks for Microsoft's next update.
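To make the size of that window concrete, here is a small added example (not code from the article or from either vendor) that computes, for each month, the gap between Adobe's Patch Tuesday and the next Microsoft Patch Tuesday. It assumes Adobe patches on the third Tuesday (the article says third or fourth; the parameter `adobe_week` lets you pick either) and Microsoft on the second Tuesday of every month; the year 2012 is used because that is when the article was written, and the August figure lines up with the August 21 Flash patch mentioned above. The general helper `next_patch_tuesday` also answers the broader defender question of how long any given out-of-band vendor fix would wait for the next regular Microsoft cycle.

```python
from datetime import date, timedelta
import calendar

TUESDAY = calendar.TUESDAY  # Monday == 0, so Tuesday == 1


def nth_weekday(year, month, weekday, n):
    """Return the date of the n-th given weekday (1-based) in a month."""
    first = date(year, month, 1)
    offset = (weekday - first.weekday()) % 7
    return first + timedelta(days=offset + 7 * (n - 1))


def next_month(year, month):
    """(year, month) of the month following the one given."""
    return (year + 1, 1) if month == 12 else (year, month + 1)


def next_patch_tuesday(d):
    """Microsoft's next regular patch day (second Tuesday) on or after date d."""
    candidate = nth_weekday(d.year, d.month, TUESDAY, 2)
    if candidate >= d:
        return candidate
    ny, nm = next_month(d.year, d.month)
    return nth_weekday(ny, nm, TUESDAY, 2)


def exposure_window(year, month, adobe_week=3):
    """Assumed Adobe patch date, the next Microsoft patch date, and the gap in days.

    adobe_week=3 or 4 models the 'third or fourth Tuesday' cadence described in the text.
    """
    adobe = nth_weekday(year, month, TUESDAY, adobe_week)
    microsoft_next = next_patch_tuesday(adobe)
    return adobe, microsoft_next, (microsoft_next - adobe).days


def yearly_windows(year, adobe_week=3):
    """One (adobe_date, next_microsoft_date, days) tuple per month of the year."""
    return [exposure_window(year, m, adobe_week) for m in range(1, 13)]


if __name__ == "__main__":
    # Print the schedule for 2012 under the third-Tuesday assumption.
    for adobe, ms, days in yearly_windows(2012):
        print(f"Adobe {adobe}  ->  next Microsoft {ms}  ({days} days exposed)")
```

Every month comes out between two and four weeks of exposure under these assumptions, which is the "several weeks" the article refers to; for the third-Tuesday case the window is always three or four weeks, and even the fourth-Tuesday case never drops below two.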

This is plainly not a desirable state of affairs, and we assume it must be something that Microsoft and Adobe have considered and addressed somehow. However, the company offered us no comment and no explanation of what the update policy will actually be. Delaying Internet Explorer patches so that they are synchronized with Adobe's releases, or bringing forward Adobe's Patch Tuesday so it is synchronized with Microsoft's, would both be viable options.

Whatever option the companies pick, the lack of policy statement is awkward. Enterprises in particular plan for and around Patch Tuesday; providing predictability to its patching schedule for enterprise users is precisely why Microsoft has a Patch Tuesday in the first place. If the nature of Patch Tuesday is going to change—as it surely must, to avoid regular periods of vulnerability to known flaws—then enterprise customers need to be told.

And given that those same enterprise users have access to Windows 8 already and can be deploying and using it today, waiting for GA to provide a fix is unacceptable. Windows 8 may not be released to everyone just yet, but it has been released to some customers, and that means it needs to be supported now.