Adobe talks about the security features of Flash in Windows 8/IE10

When Microsoft developed the Modern version of Internet Explorer 10 for Windows 8, it also decided to do away with support for third-party plug-ins. However, Microsoft also worked with Adobe to integrate Flash support into that same version of IE without the traditional plug-in model. This week, Adobe offered up some more information about that partnership, specifically on the security improvements that have been put into Flash for IE10.

In a blog post, Adobe stated that having Flash updated for IE10 via Windows Update is a big help in terms of security, saying that "enterprises can now distribute Flash Player updates for Windows 8 through their existing Windows OS patch management workflows." Because the Flash component ships with the OS rather than as a separately installed plug-in, an unpatched Flash no longer survives a fully patched Windows. The addition of Enhanced Protected Mode in IE10 also helps make the browser, and Flash Player with it, more secure. Adobe says:

One is that all content processes will run as 64-bit processes. This means that Flash Player will also be run as a 64-bit process which will make heap sprays more difficult. The larger address space makes it more difficult to predict the memory location of the spray with a decent statistical likelihood.

Enhanced Protected Mode in IE10 on Windows 8 runs the tab content processes inside an AppContainer, which restricts both read and write access to OS resources (file system, registry and named kernel objects), whereas the original Protected Mode, built on the low integrity level, only blocked writes. Because Flash Player has been integrated into IE10 rather than loaded as a plug-in, it runs inside the same AppContainer and inherits the same restrictions. Microsoft has also built Flash Player into IE11 for the upcoming Windows 8.1 update, and Adobe says it will continue to work with Microsoft to make IE and Flash more secure for users.
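To check the two protections described above on an actual Windows 8 machine, here is an added PowerShell example; it is not code from the article, Adobe or Microsoft. It reads the IE configuration values that the Enhanced Protected Mode group policies set (Isolation = PMEM turns EPM on; Isolation64Bit = 1 turns on 64-bit tab processes), then asks each running iexplore.exe process whether it is a native 64-bit process and whether its primary token is an AppContainer token. The function names are mine; the registry values and the Win32 calls (OpenProcess, IsWow64Process, OpenProcessToken, GetTokenInformation with TokenIsAppContainer) are documented ones.

```powershell
# Added example, not from the article: verify EPM configuration and check
# whether running IE processes are 64-bit and sandboxed in an AppContainer.
# Requires Windows 8 or later. Run from the same user account as IE.

Add-Type -Namespace Win32 -Name Proc -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError=true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern bool IsWow64Process(IntPtr hProcess, out bool wow64);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool OpenProcessToken(IntPtr hProcess, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError=true)]
public static extern bool GetTokenInformation(IntPtr token, int infoClass, out uint info, uint len, out uint returned);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern bool CloseHandle(IntPtr handle);
'@

# Policy-backed values under the user's IE settings. "PMEM" means Enhanced
# Protected Mode; "PMIL" (or no value) means the older low-integrity mode.
function Get-IeIsolationConfig {
    $main = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EnhancedProtectedMode = ($main.Isolation -eq 'PMEM')
        TabProcesses64Bit     = ($main.Isolation64Bit -eq 1)
    }
}

# Inspect one process: is it native 64-bit, and is its primary token an
# AppContainer token? Fields stay $null when the query was not permitted.
function Get-ProcessSandboxInfo {
    param([Parameter(Mandatory)][int]$ProcessId)
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    $TOKEN_QUERY         = 0x0008
    $TokenIsAppContainer = 29      # TOKEN_INFORMATION_CLASS value, Windows 8+

    $result = [ordered]@{ Pid = $ProcessId; Is64Bit = $null; AppContainer = $null }
    $hProc = [Win32.Proc]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($hProc -eq [IntPtr]::Zero) { return [pscustomobject]$result }
    try {
        $wow64 = $false
        if ([Environment]::Is64BitOperatingSystem -and [Win32.Proc]::IsWow64Process($hProc, [ref]$wow64)) {
            $result.Is64Bit = -not $wow64   # on 64-bit Windows, not-WOW64 means a 64-bit process
        }
        $hTok = [IntPtr]::Zero
        if ([Win32.Proc]::OpenProcessToken($hProc, $TOKEN_QUERY, [ref]$hTok)) {
            try {
                [uint32]$isAc = 0; [uint32]$len = 0
                if ([Win32.Proc]::GetTokenInformation($hTok, $TokenIsAppContainer, [ref]$isAc, 4, [ref]$len)) {
                    $result.AppContainer = [bool]$isAc
                }
            } finally { [void][Win32.Proc]::CloseHandle($hTok) }
        }
    } finally { [void][Win32.Proc]::CloseHandle($hProc) }
    [pscustomobject]$result
}

Get-IeIsolationConfig | Format-List
# The frame (broker) process runs outside the AppContainer. With EPM on, the
# tab processes should report AppContainer = True, and Is64Bit = True when
# 64-bit tab processes are enabled (always the case for the Modern IE on x64).
Get-Process iexplore -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ProcessSandboxInfo -ProcessId $_.Id } |
    Format-Table -AutoSize
```

A useful sanity check is to toggle Enhanced Protected Mode in Internet Options, restart IE and rerun the script: with it off, the tab processes come back with AppContainer = False (they still run at low integrity, which is the older write-only restriction). The per-container object namespace can be seen with Sysinternals WinObj under \Sessions\<session id>\AppContainerNamedObjects\<AppContainer SID>, which is what an AppContainer process sees as its BaseNamedObjects directory.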

Source: Adobe via WinBeta.org | Image via Microsoft

10 Comments


Ok, so now what do we do about java?

Maybe Oracle can embed an auto-updater into the Ask.com toolbar so all these kids that play Minecraft don't mess up mommy's computer downloading new worlds from untrusted sources.

jimmyfal said,
Ok, so now what do we do about java?

Maybe Oracle can embed an auto-updater into the Ask.com toolbar so all these kids that play Minecraft don't mess up mommy's computer downloading new worlds from untrusted sources.

Shoot it in the head and uninstall it...

Sadly there are several sites/schools/businesses that are still using Java. I hope that the renewed partnership with Oracle and Microsoft will bring Java back into the fold with Microsoft assisting to get security under control and add an additional sandbox layer of protection. (Trying to remember if the Ellison interview on CBS was covered here on Neowin.)

It is best to keep Java disabled and only enable it when you absolutely need it. This includes not letting it run in the background/startup. It helps to run it inside IE over other browsers, as it does get a bit of protection as it runs in a semi-limited sandbox with a custom broker.


Side Notes...

In 2012, the top ways malware was installed on PCs included Chrome/WebKit, Firefox, Java, Reader, and Flash (Java and Flash primarily through Chrome and Firefox). The WebKit exploits also worked through iTunes, which uses the Safari WebKit engine.

The more you can limit the use of these specific applications, the safer your experience will be. If you are helping users, stop installing Chrome or Firefox as their primary browser, as IE9/10 are significantly safer, even though it feels counterintuitive. If they need an alternative browser, pick one and tell them to only run it when a site is coded to fail under IE.

Mobius Enigma said,

Shoot it in the head and uninstall it...

Sadly there are several sites/schools/businesses that are still using Java. I hope that the renewed partnership with Oracle and Microsoft will bring Java back into the fold with Microsoft assisting to get security under control and add an additional sandbox layer of protection. (Trying to remember if the Ellison interview on CBS was covered here on Neowin.)

It is best to keep Java disabled and only enable it when you absolutely need it. This includes not letting it run in the background/startup. It helps to run it inside IE over other browsers, as it does get a bit of protection as it runs in a semi-limited sandbox with a custom broker.


Side Notes...

In 2012, the top ways malware was installed on PCs included Chrome/WebKit, Firefox, Java, Reader, and Flash (Java and Flash primarily through Chrome and Firefox). The WebKit exploits also worked through iTunes, which uses the Safari WebKit engine.

The more you can limit the use of these specific applications, the safer your experience will be. If you are helping users, stop installing Chrome or Firefox as their primary browser, as IE9/10 are significantly safer, even though it feels counterintuitive. If they need an alternative browser, pick one and tell them to only run it when a site is coded to fail under IE.


The most secure software in the world will not protect people from their own stupidity, so telling people to run one browser over another won't help if they still stupidly click on every ad promising free smileys.

SharpGreen said,

The most secure software in the world will not protect people from their own stupidity, so telling people to run one browser over another won't help if they still stupidly click on every ad promising free smileys.

Except when the free smileys allow malicious code to run on one browser and simply do not appear in another due to SmartScreen, or if they do appear, don't do anything when clicked, as the malicious code can't touch the FS of the OS.

IE does 'save' less informed users from themselves far more than Chrome or Firefox.

Mobius Enigma said,

Except when the free smileys allow malicious code to run on one browser and simply do not appear in another due to SmartScreen, or if they do appear, don't do anything when clicked, as the malicious code can't touch the FS of the OS.

IE does 'save' less informed users from themselves far more than Chrome or Firefox.


Except when said malware pops up an endless stream of UAC dialogs and doesn't stop till you click Allow. Also, IE Protected Mode doesn't 100% prevent FS access. It only prevents access to sensitive areas of the FS.

SharpGreen said,

Except when said malware pops up an endless stream of UAC dialogs and doesn't stop till you click Allow. Also, IE Protected Mode doesn't 100% prevent FS access. It only prevents access to sensitive areas of the FS.

That was true in the old Protected Mode (blocked writes but not reads to user data, mostly for plug-in compatibility). However, Win8's Enhanced Protected Mode (always on in Metro IE, and now the default on the desktop in 8.1) runs in an AppContainer, with no access to anything outside of it. This goes beyond files, as ACs get their own sandboxed object namespace in the kernel. It really takes the sandboxing implementation to a new level.

SharpGreen said,

Except when said malware pops up an endless stream of UAC dialogs and doesn't stop till you click Allow. Also, IE Protected Mode doesn't 100% prevent FS access. It only prevents access to sensitive areas of the FS.

It doesn't prevent 100% of FS access; however, you are underestimating how it works if you think that IE itself can 'touch' the FS without permissions.

When IE needs to read its own 'favorites' 'cookies' 'history' from the FS, it has to obtain a security token from its own broker with virtual FS access that also must obtain an NT kernel level ACL FS token to the actual 'object' (file/folder).

jimmyfal said,
Ok, so now what do we do about java?

Maybe Oracle can embed an auto-updater into the Ask.com toolbar so all these kids that play Minecraft don't mess up mommy's computer downloading new worlds from untrusted sources.

If there is one thing I loathe more than software bugs, it is companies like Oracle trying to monetise Java by ramming crapware down the collective throat of end users. I'll see Oracle taking the privacy and security of end users' computers seriously when they first stop bundling crapware.

Mr Nom Nom's said,

If there is one thing I loathe more than software bugs, it is companies like Oracle trying to monetise Java by ramming crapware down the collective throat of end users. I'll see Oracle taking the privacy and security of end users' computers seriously when they first stop bundling crapware.

If you go back to the early '90s history of Sun/Oracle, and their joint political moves in the late '90s, they do not have a history of caring for customers. Expecting them to play nice after they have combined efforts is unlikely.

The only hope is that Oracle's hatred of Google manifests into a controlled alliance with Microsoft and follows more of Microsoft's rules of not hurting consumers for pure profit.

It's good that they're doing something about their past track record. I would like to see an improvement in stability too whilst they're working on it; embedded videos are screwing up infrequently.