Adobe’s Flash is a favorite target for malware, but Microsoft is now setting IE 10 to run browser-based Flash by default.
Plus: Updates for Internet Explorer, Silverlight, Visio, and OneNote — and a slew of fixes for Office 2013.
Microsoft makes IE 10 more Flash-friendly
This week’s top security headline isn’t the critical update (discussed below) for most current versions of Internet Explorer; it’s the Internet Explorer development team’s about-face on how Flash runs in IE 10. And it’s not a change for the better, in my opinion.
When Microsoft shipped Windows 8 and Windows RT, IE 10–based Flash ran by default only on listed sites that met Microsoft’s standards for the touch-centric “Metro” UI. Now, as noted in the March 11 IEBlog post, an updated IE 10 will allow Flash to run automatically on all sites except those listed as incompatible.
Microsoft believes the change will give Win8/RT users a better “New Windows” experience — especially on Windows RT tablets. For users, however, it raises the potential risk of infection from Flash-based, zero-day attacks. (In IE 10, Flash updates are handled via Windows Update. You can’t go to Adobe’s Flash site and update it yourself.)
The day before Microsoft made the change, Brian Krebs posted an interesting and helpful blog post on how to set up Flash as “click-to-play” in popular browsers. His post included a description of IE 10’s original Flash white list. Now, that part of his post is no longer accurate.
What to do: KB 2809289 (MS13-021) — the security update for all versions of Internet Explorer except IE 10 SP1 for Win7 — is rated critical and should be installed immediately. The change in how IE 10 handles Flash might be included in that update.