Internet Explorer 10's bundled Flash leaves users exploitable

http://arstechnica.com/information-...r-10s-bundled-flash-leaves-users-exploitable/

 

So now all browsers come with flash? Security risk right there.

 

What about the Flash sandboxing, "protected mode"? I suppose I'll have to read more on this.

 

Not really. Security should be better when running plugins in the browser's sandboxed environment, the real advantage here though is the auto updating process and removing another thing for the user to worry/think about. Unfortunately the frequent updating isn't going to start until Windows 8 actually releases. Microsoft's version of flash is much more efficient, consuming less power, and is fully compatible with IE10's new Enhanced Protected Mode.

They don't clarify if this is on standard protected mode or enhanced protected mode. I wouldn't expect standard protected mode to help much.

 

https://www.computerworld.com/s/art...erable_to_active_Flash_exploits?taxonomyId=17

 

i would never use windows8, i am satisified with win7 and will not change in maybe 10 years from now on.

 

Flash vulnerabilities leave Windows 8 testers at risk.

 

Protect yourself from Flash attacks in Internet Explorer

 

And here we go again, to keep IE secure, disable everything. And it is not just because 8 is not released yet, Microsoft never release updates ASAP. Fail.

 

Yeah, because you know exactly what Microsoft is planning for flash updates, right? MS themselves have said the updates won't start until Windows 8 releases, but you know better?

I'll also repeat the fact that it still isn't clear if this is even exploitable using Enhanced Protected Mode.

 

From that article, note:

Whether they succeed or not is up to them and speculating on it with assumptions based on Microsoft's system patch history (patches which take a lot longer to test and can cause more issues than a simple plugin update) is pointless.

 

Got the update on the release preview too

 

Was it ever confirmed to work with protected mode?

 

Unfortunately no, which is the only part I was really interesting in knowing!

 

I'm not in the industry, so it's difficult to judge them. However, as a user, such information doesn't comfort me. Microsoft can't afford to look stupid with a new Windows release in the pipeline and competing browsers being as good as they currently are. Seven weeks seems to be an unnecessarily long time, and they were a bit foolish to ever even consider waiting until Windows 8 to be released to fix an issue like this. They already aren't doing themselves a favor, in my opinion of course, by shutting out Windows 7 users from the IE 10 testing process.

 

Microsoft has issued the following advisory:
http://technet.microsoft.com/en-us/security/advisory/2755801