A gaffe in update schedules means Windows 8 preview users will be vulnerable to attacks that exploit Adobe’s Flash Player until the Microsoft operating system is released to the general public on October 26, according to InfoWorld, although a September 11 announcement from Microsoft sought to alleviate some concerns.
Windows 8, which was released to manufacturers on August 1 and has already been implemented by a handful of enterprise users, features a notable change to its bundled browser that raises the stakes of a Flash Player security threat. Microsoft chose to integrate Flash Player into Internet Explorer 10, the Windows 8 default web browser, rather than using a plug-in, the approach most browsers have traditionally taken. This means that Microsoft, not Adobe, is responsible for updates to the version of Flash in its browser. Furthermore, Adobe has confirmed that it will not offer a patch for IE10, creating potential endpoint security threats for Windows 8 early adopters and developers.
Assessing the threat
The threat from the update problem centers on the fact that Adobe fixed a number of Flash security vulnerabilities in August, while the version of Flash built into IE10, which was frozen when Windows 8 was released to manufacturing on August 1, does not incorporate those fixes, InfoWorld explained. Adobe released two patches in August covering a total of eight vulnerabilities, some of which the company had assigned its highest priority rating, "1."
An August 14 patch fixed a vulnerability tagged as CVE-2012-1535, which security researchers said attackers had already been exploiting for several months. An August 21 patch addressed further vulnerabilities. Because the embedded Flash in IE10 is updated by Microsoft rather than by Adobe's own installer, attackers can continue to target these vulnerabilities among Windows 8 users until Microsoft ships an update, which at the time was scheduled for October 26. Microsoft has known about the problem since at least August 25, InfoWorld reported.
While the exposure might be fairly limited because Windows 8 is not yet available to the mass market, the problem is compounded by Microsoft's decision to make a 90-day trial version of the OS available, which consumers have been able to download since August 15. InfoWorld noted that the company had not delivered a statement on its policies for updating Flash after Windows 8 ships. However, Microsoft did announce in July that it now has the capability to update IE monthly, an improvement on the bimonthly update schedule it had used in the past.
In a statement released September 11, Microsoft acknowledged the security shortcoming explicitly and backpedalled on its earlier remarks, claiming that it was working with Adobe to patch IE10 sooner than anticipated.
"This update will be available shortly," Microsoft wrote. "Ultimately, our goal is to make sure the Flash Player in Windows 8 is always secure and up-to-date, and to align our release schedule as closely to Adobe's as possible." According to PCWorld, Microsoft has not offered a date for this update but noted that it would be arriving soon.
Protecting against the threat
ZDNet blogger Ed Bott, who originally broke the news of the Flash update snafu, weighed in on the news that security fixes would not be forthcoming by offering a set of tips for protecting against the vulnerabilities in Flash.
Bott noted that the most drastic options are to stop using IE10, or Windows 8, altogether, but suggested instead that users switch browsers and disable the Shockwave Flash add-on in IE10. To do this, click the gear icon in the upper right corner of IE10, choose "Manage add-ons," select Shockwave Flash Object and click Disable.
For developers who will be testing IE10 compatibility, however, this option may be too restrictive. Such users can take advantage of another security feature called ActiveX Filtering, which blocks all ActiveX controls on all domains in Internet Explorer. This disables Flash-based content by default, but it also provides the option to re-enable it on individual trusted websites from the filter icon that appears in the address bar.
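Since the embedded Flash is updated by Microsoft rather than by Adobe's installer, the question an administrator of a Windows 8 preview machine actually needs answered is "is the Flash.ocx on this box still older than the August fixes, and is ActiveX Filtering on?" The following PowerShell script is an added example written for this article; it is not code from SimplySecurity, Microsoft or Adobe. It assumes the embedded control lives at the usual paths `%windir%\System32\Macromed\Flash\Flash.ocx` and `%windir%\SysWOW64\Macromed\Flash\Flash.ocx`, that the per-user ActiveX Filtering state is the `IsEnabled` value under `HKCU\Software\Microsoft\Internet Explorer\Safety\ActiveXFiltering` (an assumed key; confirm it on your build), and that you supply the minimum patched version from Adobe's August bulletin rather than trusting a number hard-coded in a script.

```powershell
# Added example, not from the original article or from Microsoft/Adobe.
# Audits the Flash Player control that IE10 embeds on Windows 8 and reports
# (optionally enables) ActiveX Filtering for the current user.
param(
    # Lowest Flash version that contains the fixes you need.
    # Take it from Adobe's bulletin for the August patches; it is deliberately not hard-coded.
    [Parameter(Mandatory = $true)]
    [version] $RequiredVersion,

    # Turn ActiveX Filtering on for the current user if the control is out of date
    # (the second mitigation Bott describes; the add-on stays installed but is not loaded).
    [switch] $EnableActiveXFiltering
)

# Assumed locations of the embedded control on Windows 8 (64-bit and 32-bit IE10).
$flashPaths = @(
    (Join-Path $env:windir 'System32\Macromed\Flash\Flash.ocx'),
    (Join-Path $env:windir 'SysWOW64\Macromed\Flash\Flash.ocx')
)

$vulnerable = $false
foreach ($path in $flashPaths) {
    if (-not (Test-Path $path)) { continue }

    # Build the version from the numeric VS_FIXEDFILEINFO fields rather than parsing the
    # FileVersion string, so the comparison is numeric (11.4 > 11.10 as a string is wrong).
    $vi = (Get-Item $path).VersionInfo
    $installed = New-Object Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

    if ($installed -lt $RequiredVersion) {
        $vulnerable = $true
        Write-Output ('{0}: {1} is older than {2} -> VULNERABLE' -f $path, $installed, $RequiredVersion)
    } else {
        Write-Output ('{0}: {1} -> ok' -f $path, $installed)
    }
}

if (-not $vulnerable) {
    Write-Output 'Embedded Flash meets the required version; nothing to do.'
}

# ActiveX Filtering is a per-user setting (assumed registry location; verify on your build).
$axKey = 'HKCU:\Software\Microsoft\Internet Explorer\Safety\ActiveXFiltering'
$enabled = (Get-ItemProperty -Path $axKey -Name IsEnabled -ErrorAction SilentlyContinue).IsEnabled
Write-Output ('ActiveX Filtering: ' + $(if ($enabled -eq 1) { 'on' } else { 'off' }))

if ($vulnerable -and $EnableActiveXFiltering -and $enabled -ne 1) {
    if (-not (Test-Path $axKey)) { New-Item -Path $axKey -Force | Out-Null }
    Set-ItemProperty -Path $axKey -Name IsEnabled -Value 1 -Type DWord
    Write-Output 'ActiveX Filtering turned on; restart IE10 for it to take effect.'
}

# Non-zero exit lets a fleet-wide job (or a logon script) flag machines that still need the update.
if ($vulnerable) { exit 1 } else { exit 0 }
```

Run it as `.\Check-IE10Flash.ps1 -RequiredVersion <version from Adobe's bulletin>` on each preview machine; add `-EnableActiveXFiltering` to apply the mitigation automatically where the control is out of date. The script only reads file metadata and one registry value, so it is safe to run on every machine in a test lab, and the exit code makes it easy to collect results centrally. Re-run it after Microsoft's IE10 Flash update arrives to confirm the version actually changed.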
IE10 users will still want to exercise caution with this approach, since any site they exempt from the filter can load the unpatched control, but it does provide a more customizable option until Microsoft's patch arrives. Because this threat has a fairly limited scope, many average users will find themselves unaffected, and others can rely on a relatively easy fix.
Security News from SimplySecurity.com by Trend Micro.