Surprise! Microsoft Releases Critical Flash Patch

Who'd have thunk? Shortly after delaying February's security patches, Microsoft released a fix to address critical vulnerabilities in Adobe's Flash Player.

The patch is available for Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016. Microsoft said the vulnerabilities affect Internet Explorer 10, Internet Explorer 11, and Edge (the browser that's supposed to give IE the boot once and for all). Anyone who uses these operating systems and browsers and hasn't disabled the Flash Player should install the security update as soon as they can.

Microsoft explained how the vulnerabilities could be exploited in its security bulletin:

In a web-based attack scenario where the user is using Internet Explorer for the desktop, an attacker could host a specially crafted website that is designed to exploit any of these vulnerabilities through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked 'safe for initialization' in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit any of these vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by clicking a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by opening an attachment sent through email.

It's a little trickier to exploit the vulnerabilities in the Windows 8-style user interface: Microsoft said attackers would first have to compromise sites on the Compatibility View list. Anyone else can use a variety of workarounds to protect themselves from the security flaws, from disabling the Flash Player in their browsers and Microsoft Office to restricting ActiveX controls in the same apps. Microsoft provided instructions for all the workarounds on its website.

This patch comes as a bit of a surprise. Microsoft announced earlier this month that all of February's security patches would be released in March, instead. The company didn't offer a lot of information about the delay; it said only that it discovered "a last minute issue that could impact some customers and was not resolved in time for our planned updates today." Instead of just waiting on that one update, it decided to push off all of them.

Yet now it's released a patch for this critical vulnerability, even as Google revealed security flaws in other aspects of Windows via its Project Zero platform. It's not clear what's happening at Microsoft. The company delayed a bunch of updates, then allowed a vulnerability to go unaddressed for more than 90 days, then released a surprise patch for a problem with Flash.

Regardless, the patch can be downloaded via Windows Update, which will automatically download security fixes if it's enabled, or from the Microsoft Update Catalog.