11 Sep 2012

Windows 8 Vulnerable to Flash Exploits

The soon-to-be-released Windows 8 ships with a vulnerable version of the Flash Player plugin for Internet Explorer 10. The 11.3.372.94 build it carries, derived from the Flash Player 11.3 branch Adobe released in June, still lacks the security updates Adobe published in August.

Update: Microsoft decided to fix this problem sooner than initially scheduled. In an e-mail received by ZDNet, Yunsun Wee, Director of Microsoft Trustworthy Computing, made the following statement:

“In light of Adobe’s recently released security updates for its Flash Player, Microsoft is working closely with Adobe to release an update for Adobe Flash in IE10 to protect our mutual customers. This update will be available shortly. Ultimately, our goal is to make sure the Flash Player in Windows 8 is always secure and up-to-date, and to align our release schedule as closely to Adobe’s as possible.”

Currently, all users testing the new operating system, whether the "Release To Manufacturing" (RTM) build of Windows 8 or the 90-day evaluation version of Windows 8 Enterprise, are exposed to several security flaws for which Adobe has already released fixes.

Unlike on Windows 7 and earlier versions, Windows 8 users cannot update the Flash Player in their browser themselves through Adobe's installer or updater, because Microsoft made Flash Player a built-in component of Internet Explorer 10 rather than a separately installed third-party plugin. Fixes for it therefore have to come from Microsoft, through Windows Update, on Microsoft's schedule.
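The version check below is an added example, not code from the article, Microsoft or Adobe. It reads the file version of the Flash ActiveX control that IE10 loads and flags any copy that is no newer than the 11.3.372.94 build the article names. The file locations are assumptions based on where Flash Player for IE is normally installed (System32\Macromed\Flash, plus SysWOW64 for the 32-bit browser on x64); run it from a 64-bit PowerShell so the System32 path is not redirected.

```powershell
# Added example, not from the article or from Microsoft/Adobe: report which
# Flash Player ActiveX build IE10 would load and flag it if it is no newer than
# the 11.3.372.94 build the article says shipped in Windows 8 RTM.

$ShippedBuild = [version]'11.3.372.94'   # build named in the article

function Get-FlashOcxVersion {
    # Both locations are assumptions based on where Flash Player for IE is
    # normally installed; SysWOW64 holds the copy used by 32-bit IE on x64.
    $paths = @(
        (Join-Path $env:windir 'System32\Macromed\Flash\Flash.ocx'),
        (Join-Path $env:windir 'SysWOW64\Macromed\Flash\Flash.ocx')
    )
    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $vi = (Get-Item -LiteralPath $p).VersionInfo
        # Assemble a comparable [version] from the numeric fields instead of
        # parsing the FileVersion string, which Flash formats with commas.
        $v = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        [pscustomobject]@{
            Path       = $p
            Version    = $v
            Vulnerable = ($v -le $ShippedBuild)   # no newer than the RTM build
        }
    }
}

$results = @(Get-FlashOcxVersion)
if ($results.Count -eq 0) {
    Write-Output 'No Flash.ocx found; Flash Player for IE is not present on this system.'
} else {
    $results | Format-Table -AutoSize
    if ($results.Vulnerable -contains $true) {
        $msg = "Flash.ocx is build $ShippedBuild or older and lacks Adobe's August fixes; " +
               'apply the IE10 Flash update from Windows Update.'
        Write-Warning $msg
    }
}
```

The comparison treats only a build strictly newer than 11.3.372.94 as carrying the August fixes; on a machine where the file is absent, Flash Player for IE is simply not installed and nothing needs patching.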

Google faced the same situation with Chrome and folded Flash updates into the browser's own automatic updates; for the moment, Microsoft has not adopted that model.

In a post on its Malware Protection Center site, Microsoft warns customers of the vulnerability and advises keeping Flash Player updated at all times "to avoid being vulnerable." The post links to Adobe's support pages and points users to the Flash Player's background update feature:

“Recent versions of Adobe Flash Player offer a Background Updater feature, which [users] should enable. To protect users from immediate, zero-day vulnerabilities, Adobe provides security updates automatically, in the background, to users who have enabled the background update feature.”

Adobe's August patches addressed critical vulnerabilities, some of which had already been used in attacks spotted in the wild. According to the Adobe security bulletin, "the updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system."

Even though Windows 8, newly released to manufacturing, comes with an array of security features inherited from Windows 7 and earlier versions (such as User Account Control and mandatory signature checks for kernel-mode drivers on x64) or newly added (such as Early Launch Anti-Malware), none of them fixes a vulnerable Flash build that the user cannot update. Until the patched component ships, a security solution remains a necessary layer of defense against 0-day attacks on third-party software such as Flash and Java.