While Windows 8 won’t officially be released until Oct. 26, reports over the weekend indicate the operating system already has a handful of Flash holes that could open the system up to exploits by attackers. The problem stems from the system’s browser, Internet Explorer 10, which ships with its own integrated version of Adobe’s Flash Player that hasn’t been updated since it initially shipped.
That means the operating system didn’t receive Adobe’s update last month that patched a critical vulnerability in Flash Player, or a subsequent update that fixed six other bugs in the software.
According to a report in ZDNet last week, Microsoft isn’t planning on patching the bug until late October, to coincide with the operating system’s release. The fix is being held until Microsoft releases Windows 8 to the public, even though that will mark a lapse of almost two months since Adobe’s update.
“The current version of Flash in the Windows 8 RTM build does not have the latest fix, but we will have a security update coming through Windows Update in the GA timeframe,” according to a Microsoft spokesperson.
Microsoft has assumed responsibility for pushing out patches for Flash going forward since the platform is coming ‘baked-in’ to the latest iteration of IE. The Flash Player guide (.PDF) for Windows 8 reminds users they can’t uninstall Flash Player since it’s part of the browser and that patches can only be distributed through Windows Update.
While Windows 8 isn’t being used on a widespread basis yet, the system is being used by members of Microsoft Developer Network (MSDN) and TechNet subscribers. A 90-day trial copy of the enterprise edition of Windows 8 RTM (release to manufacturing) was also posted online for “IT professionals interested in trying Windows 8 Enterprise on behalf of their organization” last month.
Microsoft last patched Windows 8 in July when it addressed flaws in its Consumer Preview and Release Preview of the system on Intel-based PCs.
It was discovered last week that some of those Flash flaws, in particular the CVE-2012-1535 vulnerability, have recently been used by the so-called Elderwood gang in a series of attack campaigns.