Windows 8 Prerelease has Flash Hole

Tuesday, September 11, 2012 @ 01:09 PM gHale

The forthcoming version 10 of Microsoft’s Internet Explorer includes an integrated version of Flash Player and updates it automatically. Maybe.

That is because Windows 8 continues to use version 11.3.372.94, released July 19, even though Adobe released a security update August 15 that was quickly followed by another update one week later.

Adobe’s Windows version of Flash Player has since been updated to version number 11.4.402.265. Among other things, it closed the CVE-2012-1535 Zero Day hole. This vulnerability involves a buffer overflow that can be triggered by specially crafted font files in a Flash document. Attackers exploit it using the heap spraying technique. They then download an executable program in several steps. The specially crafted Flash data is embedded in a Word document. Adobe rates the hole at the highest threat level of 1.

Microsoft’s own Malware Protection Center warned customers of this bug, advising them to update Flash Player or implement other security measures. However, Adobe explains in its support document that Windows 8 users no longer have the option of manually updating the player, and they need to rely on Microsoft’s automatic updates. This technology, however, is not ready to go in Windows 8 because the software has not yet become “generally available.”

A Microsoft spokesperson said Microsoft “will have a security update coming through Windows Update in the generally available timeframe.” This “General Availability” timeframe is October 26.

Microsoft has offered the generally available version for download to its MSDN and Technet subscribers since mid-August, and companies have had access to a 90-day trial version of Windows 8 Enterprise since then. Only a few days ago, Microsoft automatically updated Windows 8 to provide a browser selection as required by the EU.

In mid-2010, version 5 of Google Chrome was the first to make Flash Player an integral part of the browser and update it automatically. Both the stable version 21 of Chrome and the Windows 8 variant (version 23) of the free browser, which is available via the developer channel, use the current Flash Player 11.4.


