
Microsoft puts Windows 8 users at risk with missing Flash update

Last month, Adobe released a batch of critical security updates for Flash Player. Those updates are available for every modern browser except one. Microsoft has yet to release the update for IE 10 in Windows 8, and may not do so until next month.

If you use Internet Explorer 10 with Windows 8 today, you are exposing yourself to potentially serious security risks.

On August 21, 2012, Adobe released a batch of security updates for its Flash Player. According to the security bulletin, “These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.”
For Windows, Adobe classifies these updates as Priority 1, its highest rating:

This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible (for instance, within 72 hours).


If you use Windows 7 (or earlier) with any modern browser and you’ve enabled automatic updates, you already have the latest Flash security fixes. Ditto if you use a Mac.

But if you’re using Internet Explorer 10 on any version of Windows 8, including the RTM bits available via MSDN or TechNet and the enterprise preview, you are at risk. You cannot manually update the version of Flash baked into IE 10. Only Microsoft can do that.

Microsoft made a bold design decision with Internet Explorer in Windows 8, adding Adobe’s Flash Player to the browser as a built-in component instead of a third-party plugin. That design echoes Google’s decision long ago to include Flash Player in every version of Chrome.

The advantage of this design for Microsoft is that it enables playback of Flash content in the otherwise-plugin-free Windows 8 browser. The bad news is that it adds a bottleneck between Adobe’s updates and browser users.

Google has dealt with this issue by incorporating Flash updates into its automatic browser updates. The Chrome Stable Channel was updated on August 21, 2012 for Windows and Chrome Frame as well as Linux and Mac. The release notes say the build has “a new version of Flash with security and other fixes,” and it points to Adobe’s release notes for Flash Player 11.4.

For IE 10, however, no such update is yet available. I asked a Microsoft spokesperson to confirm that these recent security patches aren’t available, and I got this response:

Security is of course important to us, and we are working directly with Adobe to ensure that Windows 8 customers stay secure. We will update Flash in Windows 8 via Windows Update as needed. The current version of Flash in the Windows 8 RTM build does not have the latest fix, but we will have a security update coming through Windows Update in the GA timeframe.

The “GA timeframe” is October 26, which is more than two months after Adobe released these critical security updates.

This kind of slow response got Apple in big trouble earlier this year. The Flashback malware infected more than 600,000 Macs, roughly 1% of Apple's OS X installed base, using Java software that was included with the operating system and could not be removed:

Apple's update that fixed the Java security hole was released April 3, 2012. That’s 49 days after Oracle released Java SE 6 Update 31 for all other platforms. During that seven-week period, every Apple customer who had Java installed (and that includes every Mac owner running Leopard and Snow Leopard) was vulnerable to a silent installation of malware. Ultimately, Apple had to release an update that fixed the security hole and removed the malware already installed on its customers' Macs.

Sound familiar?

The situations aren’t exactly analogous. Windows 8 users have the benefit of built-in antivirus software and can use third-party security tools that can block in-the-wild exploits. And if you use the immersive (Metro style) browser, Flash is completely blocked from all but a handful of whitelisted sites. But the desktop version of IE 10 is wide open, and having a popular vector for malware with known vulnerabilities that can’t be patched should make anyone nervous.

Technically, Microsoft can argue that Windows 8 isn’t really released yet. It’s been released to manufacturing, but the only copies available to the public are clearly marked as “for evaluation.”

Sorry, that argument doesn’t work with me. One of the things any sensible IT pro should be evaluating in this release is how well Microsoft delivers security updates. Providing this update now would be an excellent demonstration of security response. Instead, it’s a distressing failure in the face of a serious, real-world security issue.

For now, if you are using Windows 8, I recommend that you disable the built-in Flash Player (it can’t be removed) by opening the Manage Add-Ons dialog box, selecting Shockwave Flash Object, and then clicking Disable. Until a patch is available for Internet Explorer 10, you’re better off using another browser.
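The Manage Add-Ons route above is per user and per browser. For an admin who wants to check every Windows 8 machine and block the control for all users in one step, here is an added PowerShell example (my own, not code from the article, Microsoft or Adobe). It reads the version of the Flash.ocx that IE 10 loads, compares it with the fixed build from Adobe's August 21 bulletin, and, if the machine is still on an older build, sets the ActiveX "kill bit" for the Shockwave Flash Object so IE refuses to instantiate it. The Flash.ocx path, the Shockwave Flash CLSID and the fixed version number 11.4.402.265 are my assumptions and are not stated on the page; verify them against Adobe's bulletin before deploying.

```powershell
# Added example: check the Flash Player build bundled with IE 10 on Windows 8 and,
# if it predates Adobe's fix, block the ActiveX control machine-wide via its kill bit.
# Run from an elevated PowerShell prompt. Assumptions (not from the article):
#   - built-in Flash lives at %SystemRoot%\System32\Macromed\Flash\Flash.ocx
#   - Shockwave Flash Object CLSID is {D27CDB6E-AE6D-11cf-96B8-444553540000}
#   - the patched build from Adobe's 21 August 2012 bulletin is 11.4.402.265

$flashOcx = Join-Path $env:SystemRoot 'System32\Macromed\Flash\Flash.ocx'
$fixedVer = [version]'11.4.402.265'
$clsid    = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'   # Shockwave Flash Object

if (-not (Test-Path $flashOcx)) {
    Write-Output "No built-in Flash.ocx at $flashOcx; nothing to do."
    return
}

# Build a System.Version from the numeric parts so a "11,3,372,94"-style string
# in the resource block cannot trip the [version] cast.
$vi = (Get-Item $flashOcx).VersionInfo
$installed = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                           $vi.FileBuildPart, $vi.FilePrivatePart)
Write-Output "Built-in Flash Player: $installed (patched build: $fixedVer)"

if ($installed -ge $fixedVer) {
    Write-Output 'Flash is at or above the patched build; no action taken.'
    return
}

# Kill bit: Compatibility Flags = 0x400 under the ActiveX Compatibility key tells IE
# not to load the control in any zone, for every user on the machine. On 64-bit
# Windows the 32-bit IE process reads the Wow6432Node copy, so set both.
$keys = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid")
if ([Environment]::Is64BitOperatingSystem) {
    $keys += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
}

foreach ($key in $keys) {
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value 0x400 -Type DWord
    Write-Output "Kill bit set at $key"
}
Write-Output 'Restart Internet Explorer for the change to take effect.'
```

Unlike the Disable button, the kill bit is a registry policy rather than a user preference, so a user cannot re-enable the control from the add-ons dialog; remove the Compatibility Flags value once Microsoft ships the update through Windows Update. The script only blocks the control; as the article says, it cannot replace the bundled Flash build with a newer one.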

Update: In the Talkback section below, several commenters have argued that no one should be using Windows 8 in an environment that would put them at risk and that the terms of use from Microsoft specifically prohibit such use. I beg to differ.

Volume License customers and Microsoft partners are allowed to use the code in production environments. And even subscribers to Microsoft programs are expected to evaluate in the real world.

Here, for example, are Microsoft's guidelines from TechNet. I have boldfaced the scenarios that are allowed and problematic:

TechNet Subscriptions software may be used to evaluate the Microsoft software in the following scenarios:

Install/Uninstall – Time and process required for full, partial or upgrade software install/uninstall processes and system integration.
Recovery – Capacity for software to recover from crashes, hardware failures, or other catastrophic problems.
Security – Defining software’s ability to protect against unauthorized internal or external access.
Compatibility – Gauging software performance in existing or new hardware, software, operating system or network environments.
Comparison – Evaluating software to determine product strengths and weaknesses as compared to previous versions or similar products.
Usability – Assessing satisfaction among end users, observing end user utilization and understanding user interaction scenarios.
Performance – Ensuring software will perform as expected to requirements.
Stability – Estimating individual software’s ability to perform consistently, relative to system demands.
Environment – Determining software settings while software is being evaluated by end users in existing infrastructure.

You have to use it to evaluate it, people.

And finally, as an anonymous commenter reminds me, Microsoft is aggressively rolling out Windows 8 to its entire workforce. My colleague Mary Jo Foley has even written about this effort: Microsoft IT: How we rolled out Windows 8 to 30,000 users. That sure seems like an opportunity for the bad guys...
