Adobe confirms Windows 8 users vulnerable to active Flash exploits

Gregg Keizer | Sept. 10, 2012
Microsoft's Windows 8 is vulnerable to attack by exploits that hackers have been aiming at PCs for several weeks, Adobe confirmed Friday.

Windows 8 RTM's IE10 identifies the integrated Flash Player as version 11.3.372.94, a more recent build than the one in Windows 8 Release Preview, but older than the most up-to-date version for Windows, 11.4.402.265, which Adobe delivered on Aug. 21.

Adobe actually told some users about Windows 8's Flash situation two weeks ago.

On an Adobe support forum, a company representative announced on Aug. 23 that there would be no Flash update for Windows 8 and IE10 until late October. "Since Windows 8 has not yet been released for general availability, the update channel is not active," said Chris Campbell, identified as an Adobe employee. "Once this goes live, you'll start getting updates to Flash Player."

It was unclear what Campbell meant by "the update channel is not active," as Microsoft has patched Windows 8, most recently in July when it issued fixes to both Windows 8's Consumer Preview and Release Preview through Windows Update.

Internet Explorer 10 on Windows 8 desktop relies on a baked-in version of Flash that hasn't been updated to account for some critical bugs, including one hackers have been exploiting for weeks.

Microsoft support engineers have known of the Flash problem on Windows 8 since at least Aug. 25.

Even though users noticed last month that IE10's Flash had fallen behind Adobe's version, it wasn't until this week that ZDNet blogger Ed Bott first reported that Windows 8 users were vulnerable to attack.

Some of the people commenting on Adobe's and Microsoft's support forums, as well as on Bott's blog, argued that Microsoft should be excused for not patching Flash because Windows 8 has not widely shipped. Others disagreed, pointing out that Windows 8 RTM has been available to enterprises with volume licensing agreements for several weeks, and so it has moved beyond the evaluation phase.

Complicating matters, Microsoft has also offered a free 90-day Windows 8 Pro RTM trial since Aug. 15 to anyone willing to download the large file.

Microsoft's situation is reminiscent of Apple's before it decided to dump Flash Player and Java from OS X. When Apple maintained those programs -- at the time both were bundled with all Macs -- it often lagged months behind Adobe and Sun Microsystems, then the owner of Java, in its patching.

"Anytime a company bundles a third-party application, they take on some unsaid but expected responsibility to help their users ensure that even the third-party applications get timely updates," said Andrew Storms, director of security operations at nCircle Security, in an email Friday. "Apple has been the worst [at this] and has clearly shown what not to do."

Some wondered whether the Flash patching gaffe was just a one-off. "Hopefully this is a one time problem," said someone labeled "dicobalt" on a Microsoft support thread two weeks ago.

 
