Windows 8 RTM vulnerable to Flash flaw

Running the RTM (or release-to-manufacturing) version of Windows 8? You just might be, given that Microsoft made it publicly available last month. Perhaps you should hold off on your trailblazing for a little while, though.

As ZDNet’s Ed Bott reports, the version of Adobe Flash built into Internet Explorer 10 suffers from a serious security vulnerability. The vulnerability “could cause a crash and potentially allow an attacker to take control of the affected system,” according to Adobe.

That wouldn’t be a problem with past versions of IE, because you could just grab the latest Flash plug-in and be on your way. However, Flash is built right into IE10. Only Microsoft can deliver updates, and it doesn’t seem to be doing that right now. Here’s what the company told Bott:

“Security is of course important to us, and we are working directly with Adobe to ensure that Windows 8 customers stay secure. We will update Flash in Windows 8 via Windows Update as needed. The current version of Flash in the Windows 8 RTM build does not have the latest fix, but we will have a security update coming through Windows Update in the GA timeframe.”

“GA” means “general availability,” which is shorthand for Windows 8’s October 26 release date. In other words, don’t expect IE10’s Flash hole to be plugged until then.

Now, Bott rightfully points out that the version of Windows 8 RTM available from Microsoft’s MSDN Evaluation Center is for testing purposes only. You’re not supposed to install it on production hardware, and the license key has an expiration date, anyway. That said, it seems a little strange that Microsoft is leaving testers and developers vulnerable to a serious security issue—one Adobe has already patched, to boot.

Comments closed
    • Meadows
    • 7 years ago

    Why is Flash built into IE now? (Or any other browser, for that matter? I’m staring at you, Chrome.)

      • l33t-g4m3r
      • 7 years ago

      Consolidation. This is nothing but a giant power grab by Microsoft, not to mention WinRT/Metro wouldn’t go over too well with the masses without some sort of flash support. How else are the kids going to view newgrounds?

      • entropy13
      • 7 years ago

      Technically Flash isn’t “built-in” into Firefox though as a “FlashPlayerPlugin” will always show up in Task Manager when there is Flash in the pages that Firefox loads. LOL

      Adobe still handles the updates (or you can get the plugin itself from their site).

        • Meadows
        • 7 years ago

        -1.
        I clearly remember typing “IE”.

      • sweatshopking
      • 7 years ago

      the ACTUAL reason, not l33ts ramblings, is that they initially banned it on metro IE, for the same reasons apple did. But once that was done, peeps were upset. The Flash built into metro IE is MS controlled and only works on whitelisted sites. Flash won’t function on any random site. just approved ones as a way to control battery life.

        • l33t-g4m3r
        • 7 years ago

        Banned? No. Not unless you mean it was physically unable to run because of WinRT, which in a roundabout way is like being banned. All 3rd party software is technically “banned” in WinRT. I don’t believe that whitelisting has anything to do with battery life either. It’s censorship.

          • sweatshopking
          • 7 years ago

          what? what are you talking about? believe what you want, lizard man, i’ll believe what i’m told, cause i’m a stupid commie unable to think for myself.

          http://arstechnica.com/information-technology/2011/09/metro-style-internet-explorer-10-ditches-flash-plugins/

    • l33t-g4m3r
    • 7 years ago

    You know what? If I was Adobe, I wouldn’t even lift a finger to fix this vulnerability. Microsoft stole the Source, Microsoft can patch it. If WinRT didn’t exist, we wouldn’t have this problem, now would we?

    Not like this is a problem for regular users anyway, since the only people even running Windows 8 at this moment are shills. Enjoy your 1,000 viruses, SSK.

      • oldDummy
      • 7 years ago

      If you were Adobe:

      You should laugh all the way to the bank.

      • sweatshopking
      • 7 years ago

      don’t worry, i’ll happily enjoy the most secure version of windows ever.

      thanks for thinking of me! ♥♥♥ XOXO

        • Meadows
        • 7 years ago

        Functionality trumps security.

          • sweatshopking
          • 7 years ago

          then i’ve got the best of both worlds!

            • l33t-g4m3r
            • 7 years ago

            Obviously you don’t with this unpatched vulnerability.

        • rrr
        • 7 years ago

        Wait, you’re still enjoying Windows 1.0? OK.

    • HisDivineOrder
    • 7 years ago

    I’m fine with MS including Flash, but not letting users update to the latest version manually is yet another case where MS is telling users they know best (when they don’t).

    What is it with Microsoft these days? It’s like they forgot why Windows ultimately won out against OS X. Giving users customization options (Do I want to use Metro? Do I prefer a start menu? Do I want to let them update flash? Do I want to update it myself?) is a core principle of Windows and they seem to have completely lost the memo from the 1990’s where that became clear.

      • brucethemoose
      • 7 years ago

      They’ve been staring at Apple’s revenue for too long, and think the road to that sort of profit is an Apple-like business model.

        • designerfx
        • 7 years ago

        while neglecting that there are other competitors at the same time – linux is starting to pick up some traction and is experiencing gigantic amounts of growth via mobile.

      • GTVic
      • 7 years ago

      Flash support is custom built into IE10, therefore it is not a separate generic plug-in component you can update or remove and replace with an Adobe version. This seems pretty straightforward. Perhaps this site is a little too advanced for some people. In case you are wondering why I’m being harsh, the endless repetition of anti-Windows 8 rhetoric is really annoying.

      • jstern
      • 7 years ago

      Overall isn’t it better that way. I mean I don’t really use Google Chrome, but I thought people considered that a big positive of that browser, because it always updates it so the less savvy users will always have an up to date version, and because it gives it a better performance. I don’t know, it’s just what I remember from memory.

      Bad would be if they didn’t update it regularly, so I guess it’s best to wait until it’s released to see what they do.

    • brucethemoose
    • 7 years ago

    There’s a new flash exploit for Windows!?

    Never saw that one coming.

      • bcronce
      • 7 years ago

      “There’s a new flash exploit <insert any OS>”?!

    • Madman
    • 7 years ago

    Everyone who hasn’t replaced IE with Firefox or Chrome deserves all this crap. So, nothing to see here.

    • BIF
    • 7 years ago

    “Running the RTM (or release-to-manufacturing) version of Windows 8? You just might be, given that Microsoft made it publicly available last month. Perhaps you should hold off on your trailblazing for a little while, though.”

    Oh please! With all due respect....

    It is/should be common knowledge that the RTM will time out and CANNOT BE UPGRADED. Windows 8 GA must be INSTALLED NEW. Therefore, everybody should still have their old XP, Vista, or 7 system for ongoing production work and NOBODY should currently be relying solely on Windows 8 for mission critical tasks.

    Anybody who is running the RTM *90-Day Trial* in "production mode" right now has put their own n-ts in a vice and they deserve whatever happens to them. <eyeroll> I feel no sympathy!

    And yeah, it's due to Adobe and IE. What else is new...

      • Deanjo
      • 7 years ago

      Well the Trial version is NOT really RTM. The real RTM version however that is running around the web is not a trial however (and a key change can be done and re-authorized without re-installation).

        • bcronce
        • 7 years ago

        Yep. My MSDN account has a non-eval RTM version with no “trial” time.

          • BIF
          • 7 years ago

          I stand corrected, but I also still stand my ground.

          The way that the article implies it, a majority of users are affected by this, when that is really not the case. The majority does NOT have access to the GA yet, therefore the majority should NOT be running Windows 8 in a production mode yet. There is still more than a month for Microsoft and/or Adobe to fix the flaw.

          Editorial Comment: I see MSDN memberships as nothing more than expensive subscriptions…and microsoft.com does a poor job explaining the benefits, so I have a very hard time getting past the price. Yet I am interested in development (and not for Linux because I see very little potential for profit on that platform). Could somebody take a moment to list a few pros? Thanks!

            • Arag0n
            • 7 years ago

            I do have a free MSDN subscription because I’m a Microsoft BizSpark member. That besides other things makes my profile in MSDN forums to be shown as “Microsoft Partner”. In order to get BizSpark membership I just registered myself as a “company” despite the fact that I’m not a legal company yet (Under my country law I just need to legalize my status over ~4000$ per year, this year I’ll be under that mark but next year it’s likely I’ll be quite over it, I’m expecting at least ~7000$/year at last 2 months income). So I used my publisher name, logo and all to submit as startup in BizSpark.

            Just because that, Microsoft gave me access to MSDN for free till 2015 including 5 licenses of Win8 Pro, 5 licenses of Win8 no-Pro and almost every piece of Microsoft software you can think about, from Visual Studio 2012, Project Manager, etc.

            Next year I’ll be likely to need to register as legal company but I’m not sure in 3 years I’ll be over the income I need to fully dedicate myself to it. Still, if I do find myself over the mark I need to fully dedicate myself and luckily need to hire some people to help me, I can see it as a very nice subscription to provide licenses for all my team. In the other hand, if I had a family of 4/5 members each one with its own laptop it could be also interesting to avoid buying office & windows licenses.

            As a single individual it will not be interesting for almost anyone, at least that getting early access to software is a keypoint for you. Who of us now, knowing all the app booming would not have liked to develop a nice looking memory game for the iPhone before the SDK released? Not even 2 weeks of development, pretty cheap image design needed, but it would have been likely to give you several thousand dollars back. Getting early access to some development tools can be the difference between being first to market or not.

            Note: All university students worldwide almost can apply for a free MSDN subscription also. I don’t remember the website now, but there is a website of Microsoft to register for that. You may search for it.

            • RenatoPassos
            • 7 years ago

            Isn’t it DreamSpark (https://www.dreamspark.com/)? If it’s DreamSpark you are talking about, your university needs to register with them too – I just didn’t check how easy (or hard) that is…

            The benefits are very similar to the ones you listed, but on a individual level (one license per product per student) and they are valid while you are at university or college.

            • sweatshopking
            • 7 years ago

            bizspark is a separate thing than dreamspark, I’m also a bizspark member, though my company is registered. it’s a great way to get access to the benefits. there are a ton of other benefits besides the keys. it’s worth checking out if you plan on making money with IT.

            • Arag0n
            • 7 years ago

            Yup, but I also pointed how someone can get free MSDN subscriptions, both being a startup / small team or as university student. I explained the startup way he explained the university one. Which is the name of your company and what do you do by the way?

            • Arag0n
            • 7 years ago

            By the way, I couldn’t give you more “up ratings”, long time no see someone acknowledging a wrong pre-conception.

    • tanker27
    • 7 years ago

    Really when is Flash ever going to die? It’s like Jason of the Computer world. Die already will ya!

      • Deanjo
      • 7 years ago

      At least with Jason being around you know Jamie Lee Curtis is in the vicinity so it isn’t all that bad. 😛

        • 5150
        • 7 years ago

        Wrong serial killer Deanjo. It was Michael Meyers that killed Jamie Lee Curtis. Great, now you’ve got me thinking about her in True Lies. DAYUM!

          • Deanjo
          • 7 years ago

          Yup my bad, too many psycho killers to keep track of …….. mmmmm Jamie…..True Lies and Trading Places….. Mmmmmm

            • sweatshopking
            • 7 years ago

            gross. she’s like 100.

        • superjawes
        • 7 years ago

        You just mixed up Halloween and Friday the 13th…

    • Chrispy_
    • 7 years ago

    It’s *always* Flash, isn't it.... If I were an unhinged crazy person with a desire to bomb something, Adobe HQ would be on the shortlist, I'm sure.

      • Deanjo
      • 7 years ago

      “It's always Adobe and Oracle products, isn't it....”

      Fixed that for you since Adobe Reader and Java are just as bad and have been the leading security vulnerabilities for years.

        • Chrispy_
        • 7 years ago

        Yep, security risks and bloatware peddlers too; we can blame Adobe for infecting millions of PC’s with the McAfee ~~scan~~ sales tool and Oracle for pushing the Ask toolbar onto unsuspecting updaters several times a year. Opt-out is bad, mmmmkay?

        • anotherengineer
        • 7 years ago

        Like hookers and strippers?

        Look you gots AIDS in a FLASH!!!!!!!!!!

    • oldDummy
    • 7 years ago

    That’s what I get for beta testing.

    What a pita.

    have to install 7 again

      • ChronoReverse
      • 7 years ago

      Just don’t use IE.

        • oldDummy
        • 7 years ago

        ha, got : this browser is not supported and change to a secure browser, on some site with IE10.

        Changed to chrome and had random BSOD’s/hard freeze so switched back…..

        Go figure.

          • Firestarter
          • 7 years ago

          If chrome was causing BSODs then you have something very, very wrong with your system.

            • oldDummy
            • 7 years ago

            7 runs pretty well.

            That’s what i’m running now.

            wow, what’s with the haters

            • ChronoReverse
            • 7 years ago

            Nothing to do with hating but just pointing out how if Chrome is having problems, then your system has some sort of latent or transient problem.

            I’m not the only data point running Chrome on Windows 8 without any problems. Plus I can disable Flash in IE10.

      • BIF
      • 7 years ago

      You will have to install again anyway when your RTM 90 day trial expires.

      If you are in fact a beta tester, then surely you KNEW that beforehand and you know it every day looking at the lower right corner of the Windows 8 desktop background screen.

        • oldDummy
        • 7 years ago

        this is retail, no matter. still a beta if no update urgency.

          • BobbinThreadbare
          • 7 years ago

          No it’s not. It’s Release To Manufacturer. That is not retail.

        • Arag0n
        • 7 years ago

        Am I the only one with WIndows 8 Pro final version?

        Edit: ahh and of course, with a valid MSDN license till 2015..?

          • sweatshopking
          • 7 years ago

          i have it too.

    • MadManOriginal
    • 7 years ago

    So in IE10 on Win 8, can Flash not be disabled like plugins for IE9?

      • oldDummy
      • 7 years ago

      hmm…
      is that the:

      “Adobe PDF link helper”

      that I just disabled?

      That is the only Adobe add on listed.

      • alphacheez
      • 7 years ago

      I think the issue is that Flash for IE 10 seems to be built-in. When I was going through the usual installation of stuff using ninite.com, I had “Flash for IE” checked, however, when it got to that step it gave the message “Flash is included with IE 10” or something along those lines. It gave the same message when it tried to install Security Essentials.

      This is why I just use IE to download Chrome then make Chrome the default browser as quickly as possible. I now just hope there isn’t some way that I’m still vulnerable because I don’t really want to go back to Windows 7. I am using an academic license through my graduate school program for Win 8.

        • oldDummy
        • 7 years ago

        IMO, you can’t trust it.

        Random BSOD now have a possible sinister component.

        But hey, that’s just me.

        • Deanjo
        • 7 years ago

        Chrome has built in flash as well.

        • sschaem
        • 7 years ago

        FYI, Chrome has all the Adobe Flash code built in.

      • derFunkenstein
      • 7 years ago

      No, it’s just like before. Tools -> Internet Options -> Programs tab -> Manage Add-ons. There under Microsoft Windows 3rd-party Component is Shockwave Flash Object.

      (using Win8 RTM, normally not using IE because it seems that lots of sites are borked with it, but I looked it up because that’s a super reasonable question)

        • indeego
        • 7 years ago

        That seems the bigger story. How are sites messed up with IE10?

          • derFunkenstein
          • 7 years ago

          Is that a rhetorical question for Microsoft or a serious one for me?

          I see a lot of “Error on page” in the status bar, like sites are trying to load IE-specific content that IE10 chokes on. It may not be all that big of a deal by October if these web developers are paying attention to what’s coming. Since I’m testing only one specific website in IE10, that’s all I’m using it for. We’re getting our shit together for the web app at work, and for everything else I’ll just use Chrome.
