Microsoft has reversed course and said it will patch a serious Adobe Flash vulnerability in Windows 8 and Internet Explorer 10 before the new Microsoft OS ships Oct. 26. Microsoft had previously said it would wait until after the ship date to update Flash, which is integrated into the browser.
Microsoft came under heavy criticism for that initial decision, primarily because it would have left Windows 8 beta testers exposed for another six weeks while attackers were already actively exploiting the Flash flaws.
Microsoft did not say when the update would be available. Because the player is embedded in the browser, Microsoft, not Adobe, is responsible for shipping its security updates, and it must keep those updates in sync with Adobe’s so that customers are not left exposed after Adobe publishes details of a fix. Google’s Chrome browser similarly bundles Flash.
“Microsoft has stated that they have over 7 million PCs that are participating in the latest Windows 8 preview program. These PCs are all running Internet Explorer 10 with the embedded Flash Player that is affected by the latest vulnerabilities,” Qualys CTO Wolfgang Kandek said. “The production version of Windows 8 is already locked down and will not be able to integrate this update anymore. One of the first actions users of the new Windows 8 should take after installing it is to hit the update button to get the latest security patches.”
On Aug. 14, Adobe issued a fix for a critical Flash vulnerability already being exploited in targeted attacks. Adobe confirmed it knew of attacks targeting Flash on IE10; successful exploitation could crash Flash Player or let an attacker run code of their choice, giving control of the vulnerable machine. In the same update, Adobe also patched its Reader and Acrobat apps, fixing memory corruption vulnerabilities as well as stack, buffer and heap overflows.
A week later, Adobe again updated Flash Player, as well as the AIR runtime, fixing memory corruption and integer overflow vulnerabilities that could let an attacker run code remotely on a targeted machine.