Surprise! Microsoft Releases Critical Flash Patch

Who'd have thunk? Shortly after delaying February's security patches, Microsoft released a fix to address critical vulnerabilities in Adobe's Flash Player.

The patch is available for Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016. Microsoft said the vulnerabilities affect Internet Explorer 10, Internet Explorer 11, and Edge (the browser that's supposed to give IE the boot once and for all). Anyone who uses these operating systems and browsers and hasn't disabled the Flash Player should install the security update as soon as they can.

Microsoft explained how the vulnerabilities could be exploited in its security bulletin:

In a web-based attack scenario where the user is using Internet Explorer for the desktop, an attacker could host a specially crafted website that is designed to exploit any of these vulnerabilities through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked 'safe for initialization' in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit any of these vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by clicking a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email.

It's a little trickier to exploit the vulnerabilities in the Windows 8-style user interface: Microsoft said attackers would first have to compromise sites on the Compatibility View list. Everyone else can use a variety of workarounds, from disabling the Flash Player in their browsers and Microsoft Office to restricting ActiveX controls in the same apps, to protect themselves from the security flaws. Microsoft provided instructions for all the workarounds on its website.

This patch comes as a bit of a surprise. Microsoft announced earlier this month that all of February's security patches would be released in March, instead. The company didn't offer a lot of information about the delay; it said only that it discovered "a last minute issue that could impact some customers and was not resolved in time for our planned updates today." Instead of just waiting on that one update, it decided to push off all of them.

Yet now it's released a patch for this critical vulnerability, even as Google revealed security flaws in other aspects of Windows via its Project Zero platform. It's not clear what's happening at Microsoft. The company delayed a bunch of updates, then allowed a vulnerability to go unaddressed for more than 90 days, then released a surprise patch for a problem with Flash.

Regardless, the patch can be downloaded via Windows Update, which will automatically download security fixes if it's enabled, or from the Microsoft Update Catalog.

  • junkeymonkey
    well, I just uninstall flash anyway and don't look back. hmmmm.... maybe that's why all these flash ADs don't work on these sites?? then just a handful of vids don't work, but I guess I did not need to see them anyway; most work with ./ under html and play just fine

    haven't had flash installed on anything in a long time and can't say I miss it

    then I guess some are just stuck with it forever and its security risks?

    These instructions are NOT applicable to Flash Player included with Microsoft Edge or Internet Explorer on Windows 8 and later or with Google Chrome on all supported operating systems

    that footnote was recently added; it was not there last time I used their uninstaller, hmmmmmm.......... I guess you've been 10'ed

    I guess in the end I'd rather not have flash installed than trust Microsoft anymore; one less piece of crap from them is one less thing to take my computer over or cause added issues from doing so

    enjoy.
  • CaedenV
    I would love to get rid of flash and java entirely, but I need them for work. 6-year-old RAID controllers that use Java as the foundation of their monitoring software. Old (and new /sigh) camera systems that are managed by flash elements in a web browser. Old printers that use flash on their management pages... The sad thing is that this equipment isn't going away any time soon. The worse thing is that I just had a door system put in that uses both flash and java.

    I am not a sue-happy person, but we need some sort of class-action lawsuit to motivate these companies to get off of flash and java! These are dead and dying platforms with constant security holes being found! And we are stuck with the hardware and services that rely on these platforms for at least 10 years after the install. We need something like an FDA food label on software that says "this software contains flash and java, which may contain security risks". Put a label like that on a camera or door system and see how many they sell! That will finally get these platforms to die!
  • SVstorm
    Why do I get these updates when I don't even have flash installed?