Pre-release version of Windows 8 contains Flash hole
Like Google Chrome, the forthcoming version 10 of Microsoft's Internet Explorer includes an integrated version of Flash Player and is supposed to update it automatically. In practice it does not yet do so: Windows 8 continues to use version 11.3.372.94, released on 19 July 2012, even though Adobe released a security update on 15 August and followed it with another update only a week later.
Adobe's Windows version of Flash Player has since been updated to version number 11.4.402.265. Among other things, it closed the CVE-2012-1535 zero-day hole. This vulnerability involves a buffer overflow that can be triggered by specially crafted font files in a Flash document. Attackers exploit it using the heap spraying technique. They then download an executable program in several steps, as described, for example, by AlienVault. The specially crafted Flash data is embedded in a Word document. Adobe rates the hole at the highest threat level of 1.
Microsoft's own Malware Protection Center has warned customers of this bug, advising them to update Flash Player or implement other security measures. However, Adobe explains in its support document that Windows 8 users no longer have the option of manually updating the player, and that they need to rely on Microsoft's automatic updates. ZDNet reports that this technology hasn't been enabled in Windows 8 because the software has not yet become "generally available" (GA). According to ZDNet, a Microsoft spokesperson said that Microsoft "will have a security update coming through Windows Update in the GA timeframe." This "General Availability" timeframe is 26 October.
However, Microsoft has offered the GA version for download to its MSDN and TechNet subscribers since mid-August, and companies have had access to a 90-day trial version of Windows 8 Enterprise since then. Only a few days ago, Microsoft automatically updated Windows 8 to provide a browser selection as required by the EU.
In mid-2010, version 5 of Google Chrome was the first to make Flash Player an integral part of the browser and update it automatically. Both the stable version 21 of Chrome and the Windows 8 variant (version 23) of the free browser, which is available via the developer channel, use the current Flash Player 11.4.