Zero-day Flash Fix Rolling Out Now for IE10 and IE11
A zero-day flaw in Adobe Flash was discovered this week. Microsoft is taking steps today to deliver a security update for IE10 and IE11.
January 23, 2015
Adobe Flash Player was caught with yet another zero-day flaw this week. Adobe released security fixes yesterday, providing a patch and releasing guidance for updating on affected systems. Affected systems include the usual gang including Windows, Mac, and Linux and any of the following software versions.
Affected software versions:
Adobe Flash Player 16.0.0.257 and earlier versions
Adobe Flash Player 13.0.0.260 and earlier 13.x versions
Adobe Flash Player 11.2.202.429 and earlier versions for Linux
This patch is important because and attacker…
Could host a specially crafted website that is designed to exploit any of these vulnerabilities through Internet Explorer and then convince a user to view the website
Could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine
Could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements
Starting with Windows 8 and Windows Server 2012, Microsoft started including embedded Flash Player support in IE10. And, as both operating systems were updated and IE11 was released, this continued. But, this means that when Adobe releases security updates for its Flash Player components, Microsoft has to follow up with a patch of its own to ensure IE10 and IE11 match the updated security.
To warn customers, Microsoft put up a Security Advisory shortly after Adobe released its patches. Security Advisory 2755801 is online to view here: Microsoft Security Advisory 2755801. Today, the update is already out the door and well on its way down the Windows Update wires. I received my update first thing this morning.
For those companies staging delivery of the update, Microsoft has made it available for download in the Support Center. It's available for both IE10 and IE11 running on Windows 8 for 32-bit Systems, Windows 8 for 64-bit Systems, Windows Server 2012, Windows RT, Windows 8.1 for 32-bit Systems, Windows 8.1 for 64-bit Systems, Windows Server 2012 R2, and Windows RT 8.1.
Incidentally Server Core for Windows Server 2012 and Windows Server 2012 R2 are not affected.
The downloads are available from here: Microsoft security advisory: Update for vulnerabilities in Adobe Flash Player in Internet Explorer: January 22, 2015
About the Author
You May Also Like