Monday, 10 September 2012 22:49

Microsoft Will Not Patch Major Exploits in IE 10 Bundled Flash Until After October 26th

Written by

Reading time is around minutes.
MS-Myth

In only a few weeks Microsoft could find themselves in something of a bind as they appear to have forgotten quite a bit about security while trying to make sure that their new OS can work with their cloud services. Since the release of the “build” version of Windows 8 we have been picking through the way that it operates and how its system function. We have found more than a few items of concern; some of which have finally been fixed, others have not. One of our primary concerns is the semi-walled garden that Microsoft is putting Merto/Modern apps into in order to prevent the side loading of apps that are not from the Microsoft Store, but which also prevents proper malware protection from working.

One of the biggest threats to users of Windows 8 right now is the vulnerability found in the Modern UI version of IEE 10. Microsoft originally intended this version of Internet Explorer to run without plug-ins. This was intended to keep the browser secure, No Flash, Java or Silverlight and there is very little chance of getting malware through your web browser. It was a grand idea that we knew would not last and it did not. It was not that long before Microsoft announced that IE 10 would have its own bundled version of Flash that would stand alone. Microsoft would be responsible for the updates to this when they provided updates to the browser (can you see the flaw in the plan yet?).

Now we are finding out that the version of Flash that is integrated into the shipping version of Windows 8 is vulnerable to existing Malware simply because Microsoft did not update it. This means that if you are running the RTM version of Windows 8 you are vulnerable to exploits that have been out for several weeks and you have no ability to patch it until Microsoft does. Microsoft has said they will release a patch after the new OS is officially launched on October 26th. This does not mean that you will get a patch for Modern UI IE 10 on that day; it means that sometime after the 26th Microsoft will push out a patch through the regular Windows Update service.

This is another in a lengthening list of security issues that are popping up now that more people are getting their hands on the final build. Microsoft claims that by pushing Flash updates through Windows Update they are making things more convenient for people and to some degree that is true, but in some cases this may also delay the release of critical fixes as they wait for their normal cycle. Make no mistake; Windows 8 does not have a glorious future set in stone yet. There are problems with the OS that could sway more than a few consumers to avoid the new OS. Although we think that Microsoft is going in the right direction by getting into the tablet market and creating an ecosystem for all of their devices, we do think they are firmly off the road and in the gutter with the way they are executing this idea.

Discuss this in our Forum

Read 3185 times Last modified on Monday, 10 September 2012 22:56

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.