Recent statements from Microsoft show that they are not afraid to wait a little bit before shipping patches with their bundled Flash in Internet Explorer 10. The issue is more contained than is let on by Ars Technica – but also raises a bigger security issue for all of us at all times.
By far the worst enemy for security is complacency.
I often pick on Apple for their security practices. They are perceived as being secure despite their horrendous record of handling security updates – delaying a critical patch for privately disclosed vulnerabilities until after its reveal at Blackhat because Apple could not devote the programmer to the task.
That mentality has been everywhere – from Sony to Microsoft in the Windows XP era to Macromedia & Adobe.
In this case the issue is that Microsoft has been delaying updates to the built in copy of Adobe Flash preinstalled with Internet Explorer 10. Once a patch has been released attackers are able to figure out what the patch fixes and potentially exploit it for those who have yet to update. There are quite a few subtle caveats with this story which need to be discussed before opinions are made.
… Relatively speaking…
First and foremost – Flash support on the Metro-based Internet Explorer 10 is limited to a whitelist. Flash is not exposed to websites which have not been flagged by Microsoft as safe and requiring backwards compatibility with Flash.
Websites become compromised all the time. Should one of the whitelisted websites get attacked it could become forced to serve a Flash applet to its users. The delay between Adobe and Microsoft patching dates gives the attackers a window to exploit all IE10 users until the whitelisted website notices. Attacks like these are very commonplace recently.
As an aside – there is quite a bit of confusion over Internet Explorer 10 on the desktop. According to the RTM evaluation it appears as though the only way to update Flash for Internet Explorer is through Windows Update even when not using the Metro browser. The whitelist is also in effect for Windows on the desktop although it seems like users are able to add their own exemptions. It appears like user-set exemptions is unique to the desktop version of IE.
It is disconcerting to see a platform become complacent to potential security issues intentionally. To be fair it is entirely possible that Google Chrome could have similar issues as they too handle Adobe Flash integration. Unlike IE10, Google Chrome does allow you to disable the built in Flash and manage your updates directly from Adobe although the process is far too complicated for most users.