Windows 8 is the most vulnerable Windows OS, you can thank Flash for that

Security research firm Secunia has tagged Microsoft’s Windows 8 platform as having the most vulnerabilities of any Windows platform on the market. As the chart above shows, Secunia’s research found that in 2013 Windows 8 had more vulnerabilities than the previous versions of Windows that Microsoft currently supports.

If you are wondering why Windows 8 tops the charts, even though Microsoft touts the platform as more secure than its predecessors, the answer is quite simple: Flash. Because Flash is now baked into the modern instance of IE, any Flash vulnerability is now counted against Windows 8 as well.

This is certainly not a trend that Microsoft would like to see, but the facts are, well, the facts. When Microsoft announced that Flash would be baked into the modern IE browser, this exact issue was raised many times, given the history of Flash.

Because Microsoft is not directly responsible for the Flash code, there is more room for vulnerabilities, and the result is the chart above.

Flash has a long history as a vulnerable and generally insecure piece of software. This latest report goes to show that Flash is causing Windows 8 to be less secure, in terms of vulnerabilities reported, than its predecessors.

When you compare the vulnerabilities across the Windows OS versions, you can see that XP, Vista and 7 are all at about the same point but Windows 8 nudges ahead by about 54 vulnerabilities. While you can’t directly say that the 54 additional vulnerabilities are related to Flash, we suspect that many of the additional areas of weakness are related to the Adobe software.

Will this report have any effect on the adoption of Windows 8? Probably not, but it certainly is not helping the platform’s image either. Microsoft recently reported that 200 million licenses for Windows 8 have been sold, and while that is a massive number, it does trail that of Windows 7.

Source: Secunia | Thanks for the tip JamesJD!


96 Comments


@hicario -- thanks it actually looks like a pretty nice tool for the (low) price. I don't mind scripting little things... it's more when I have to do something like put 100 dots onto a map (for example, of locations) that it gets tedious to do without a visual editor!

Mandosis said,
Anything you can do with flash you can do with HTML5 and JavaScript.

That's not really the issue. Some non-trivial things take a few minutes to build in Flash, and would take days to build in HTML5/JavaScript. It's not a capabilities problem -- it's a tools issue.

Compared to Visual Studio, Flash/Flex has a god-awful editor. However, it has tools that nothing other than Blend really comes close to. Even then, there are certain 2D and 3D functions that are just easy to do in Flash that might be technically possible in HTML5/JavaScript, but other than academic examples, nobody in their right mind will do manually.

Mandosis said,
Anything you can do with flash you can do with HTML5 and JavaScript.
How will you do this kind of job using HTML5?
http://youtu.be/h814ob7nCxo?t=1m6s
It is just one minute Flash job you know and that's using an old version of Flash. Current version allows more control about the way the shape is bending according to bones.
When you are saying "using HTML5 and JavaScript and JavaScript libraries just makes for a better experience", I have the feeling that you think every kind of animation is just a simple animated menu. A visual editor is needed because animators need onion skin tool, animation curves and so on. You can't really animate anything a little bit "advanced" using lines of code only.

1. How is this an OS vulnerability?
2. By this measure XP is the most secure version....except in reality infection rates of W7 & W8 computers are more than 5 times lower than XP.

notchinese said,
1. How is this an OS vulnerability?
2. By this measure XP is the most secure version....except in reality infection rates of W7 & W8 computers are more than 5 times lower than XP.

It is pretty unfair -- especially since I don't know many people with XP/Vista/7 who don't have Flash installed.

This article is pointless.

Technically ANYONE who installs Flash on ANY machine (any version of Windows, Mac, Android) is subjected to the same vulnerabilities because of Flash. Just because it's bundled with Windows, doesn't make Windows 8 'the most vulnerable'... everyone installs Flash at some point, so everyone is subjected to the same vulnerabilities.

j2006 said,
This article is pointless.

Technically ANYONE who installs Flash on ANY machine (any version of Windows, Mac, Android) is subjected to the same vulnerabilities because of Flash. Just because it's bundled with Windows, doesn't make Windows 8 'the most vulnerable'... everyone installs Flash at some point, so everyone is subjected to the same vulnerabilities.

+1

but for tech "journalists" a misleading article such as this one is rewarded with more traffic, and more money!

Seriously why are their statistics so confusing and unbacked? If they knew about vulnerabilities why not report them?

Internet Explorer 126 vulnerabilities and they claim IE has 99% market share and that Google Chrome has 60% market share, Firefox 63%. They really need to learn how % works.
Google Chrome 245 vulnerabilities - Chrome has no Flash built in?

As the Flash vulnerabilities count towards the OS in Win 8, shouldn't we see a lower number for 3rd party programs in the second chart?

dodgetigger said,
As the Flash vulnerabilities count towards the OS in Win 8, shouldn't we see a lower number for 3rd party programs in the second chart?

well, if you install Flash for Firefox, that's a separate component that needs to be patched as well.

same for chrome.

so yes, they are counting the same vulnerability several times.

good thing that Microsoft didn't include chrome or Firefox in Windows instead of IE though!

that would have made even more flaws!
IE: 126 Flaws
Firefox: 270 flaws
chrome: 245 flaws

Was the point of Flash integration to just help the 'consumer' find it easier to watch his/her favourite videos?

Because I thought HTML5 was the new standard? Or is it just that a large amount of videos on the internet are still Flash based?

If the last question is true, then is it possible to convert or no?

suprNOVA said,
Was the point of Flash integration to just help the 'consumer' find it easier to watch his/her favourite videos?

Because I thought HTML5 was the new standard? Or is it just that a large amount of videos on the internet are still Flash based?

If the last question is true, then is it possible to convert or no?

there is no cross browser compatible implementation of DRMs support.

since DRMs are mandatory for "premium content" (video on demand, music streaming, ...), there is no way to do that without Flash player or silverlight.

on the mobile front, services like Netflix, Hulu, ... don't work in the web browser because of the lack of flash player support.

that's why these services are forced to develop proprietary mobile apps to support video/audio streaming with DRM.

Ummm, you may want to rethink your thoughts. When flash wasn't baked in to IE people would not update their flash components, thus be extremely vulnerable to hacks and malware. Now since it's baked-in it gets updated right away which helps everyone become less vulnerable. Everyone needs flash until HTML5 video begins to dominate.

Flash is great, but that's what they get for putting it in themselves instead of having users choose whether to install it or not as a plugin.

I've never felt ill effects from Flash ever since its inception, but Java has given me grief for years and years and years. (I use Java anyway because of some games like PSP Emulator etc..)

Such ill effects include automatic redirects from rogue ads on what are supposed to be trusted websites, when those fake antiviruses pop up in the corner, redirects, trap websites that don't let you click the back button and some droppers/injectors etc.. luckily I do critical browsing on a virtual machine before the real thing...

C'mon, how can you say no to this cute clip made entirely in flash?
http://hugclub.net/previews/previewlove1.html

Just to confirm.... Windows XP is more secure than Windows 8?

Now I remember why I stopped using that Secunia software.

anyone know how the updates for flash work since it's built in?

i know flash can be insecure but adobe thankfully is pretty good at patching them asap for the most part. (makes me think of windows overall. when the majority uses something that's what is looked into and attacked the most.)

how long does it take to push into windows? i'm thinking the overall problem may not be flash itself but the delay in updating? could be wrong.

Hello,

Secunia is a dozen-year-old firm that is well-known and well-respected in the security industry.

Information on Adobe security issues can be found in the Adobe Product Security Incident Response Team Blog at http://blogs.adobe.com/psirt/. Looking over the blog posts from the past year reveals they are publishing a little over two blog posts per month, although some of those may contain 3-4 security bulletins.

Visiting NIST's National Vulnerability Database and doing a search on "Adobe Flash" for the last three months returns ten reports: http://web.nvd.nist.gov/view/v...ype=last3months&cves=on.

This is not surprising given the popularity of Adobe's software.

What I am more interested in is whether Windows 9 (or whatever that version is called) will bundle a copy of Adobe Flash or not.

Regards,

Aryeh Goretsky

I am confused here. What is the difference between running Windows 7, IE 11, and Flash directly from Adobe vs running Windows 8 and IE 11 stock?
