Adobe recently issued an update for the popular Flash Player utility to patch critical flaws that could allow an attacker to run malicious code on the target system. But, if you’re using Windows 8, the version of Flash that Microsoft has embedded in Internet Explorer 10 is still vulnerable. Good news, though—an update is forthcoming to address that problem.
Adobe responds quickly to patch identified vulnerabilities, and most Windows users are conditioned to apply security updates as they’re released, but Microsoft is responsible for updating Flash in its Web browser. Windows 8 hasn’t yet officially launched, though, and Microsoft’s initial response was that Flash would not be updated until after October 26 when Windows 8 becomes available to the general public.
A couple of the flaws addressed by Adobe were given its highest threat warning level, and are associated with attacks that are already circulating in the wild. Last week, Adobe confirmed that Windows 8 users are still vulnerable to these threats.
I asked Microsoft about speculation that a patch is imminent. Yunsun Wee, Director of Microsoft Trustworthy Computing, replied with this statement: “In light of Adobe’s recently released security updates for its Flash Player, Microsoft is working closely with Adobe to release an update for Adobe Flash in IE10 to protect our mutual customers.”
Wee added, “This update will be available shortly. Ultimately, our goal is to make sure the Flash Player in Windows 8 is always secure and up-to-date, and to align our release schedule as closely to Adobe’s as possible.”
Microsoft isn’t the first to embed its own version of Flash. Google’s Chrome browser has had Flash baked in for a couple of years now. However, Google has a solid track record of speeding patches to users as fast as—or sometimes faster than—Adobe.
With Flash in Internet Explorer 10, Microsoft has to accept responsibility for addressing issues in a timely manner. Leaving these Flash vulnerabilities open is similar to the situation Apple put Mac OS X users in earlier this year when it was so slow to deploy an update for its proprietary Java implementation.
There is no confirmed timeline for an update from Microsoft, but it’s welcome news that Microsoft realizes the urgency of the situation, and is diligently working on a patch rather than leaving customers vulnerable until the end of October.