Microsoft introduces several changes to Internet Explorer 10 in its Windows 8 operating system. You may for instance know that Windows 8 ships with two different Internet Explorer versions: first the regular Internet Explorer 10 that you can run on the desktop interface, and then the Metro Internet Explorer 10 that only runs on the startpage interface. That’s however not the only change, as Microsoft has integrated the Adobe Flash technology natively in the browser. This is similar to what Google has done i its Chrome browser. The benefit of this is that Flash is not integrated as a plugin so that it can run on the modern ui interface as well. It also means that Microsoft can distribute the Flash update at once to all of its users so that users are protected right away from threats.

One of the problems however is that Microsoft is now responsible for keeping the versions of Flash Player up to date in Internet Explorer to protect users from attacks targeting vulnerabilities in older version of the technology.

Adobe recently released an update to its Flash Player that resolved several security issues found in the player. Google distributed the update with Chrome, and other users may have received automatic updates or updated Flash Player manually. The only browser that has not received an update yet is Microsoft’s Internet Explorer 10 on Windows 8. Microsoft, for whatever reason, has not released an update yet that closes the security vulnerabilities in its integrated Flash Player. This in turn means that Windows 8 users who use IE10 to access flash contents in the browser are vulnerable to attacks targeting those resolved security vulnerabilities.

Ed Bott contacted Microsoft for a statement and received the following response:

Security is of course important to us, and we are working directly with Adobe to ensure that Windows 8 customers stay secure. We will update Flash in Windows 8 via Windows Update as needed. The current version of Flash in the Windows 8 RTM build does not have the latest fix, but we will have a security update coming through Windows Update in the GA timeframe.

This means that Microsoft will release an update around the October 26 release date of Windows 8 leaving users of the system vulnerable to attacks for more than two months.

It is recommended to avoid using Internet Explorer 10 to view Flash contents until the issue is fixed. The easiest way to make sure that this does not happen is to make a different browser the default browser on the system.

Source