Windows 8 is the most vulnerable Windows OS, you can thank Flash for that

Microsoft’s Windows 8 platform has been tagged by security research firm Secunia as having the most vulnerabilities of any Windows platform on the market. As you can see in the chart above, it’s quite clear that, according to their research, that Windows 8 had more vulnerabilities than previous versions of Windows that are currently supported by Microsoft for 2013.

If you are wondering why Windows 8 tops the charts, even though Microsoft touts the platform as more secure than its predecessors, the answer is quite simple; Flash. Because Flash is now baked into the modern instance of IE, any Flash vulnerability can now be tied into Windows 8 as well.

This is certainly not a trend that Microsoft would like to see but the facts, are well, the facts. When Microsoft announced that Flash would be baked into the modern IE browser, knowing the history of Flash, this exact issue was raised many times.

Seeing that Microsoft is not directly responsible for the Flash code, this means that there is more room for vulnerabilities and the result is the chart above.

Flash has long had a history of being vulnerable and generally an insecure piece of software. With this latest report, it goes to show that Flash is causing Windows 8 to be less secure, in terms of vulnerabilities reported, than its predecessors.

When you compare the vulnerabilities across the Windows OS versions, you can see that XP, Vista and 7 are all at about the same point but Windows 8 nudges ahead by about 54 vulnerabilities. While you can’t directly say that the 54 additional vulnerabilities are related to Flash, we suspect that many of the additional areas of weakness are related to the Adobe software.

Will this report have any effect on the adoption of Windows 8? Probably not, but it certainly is not helping the platforms image either. Microsoft recently reported that 200 million licenses for Window 8 have been sold and while that is a massive number, it does trail that of Windows 7.

Source: Secunia | Thanks for the tip JamesJD!

Report a problem with article
Previous Story

Google reveals 'Project Ara' modular smartphone effort

Next Story

Report: 'Windows 8.1 with Bing' could be an experiment to offer Windows for free

96 Comments

Commenting is disabled on this article.

I am confused here. What is the difference between running Windows 7, IE 11, and Flash directly from Adobe vs running Windows 8 and IE 11 stock?

Hello,

Secunia is a dozen-year-old firm that is well-known and well-respected in the security industry.

Information on Adobe security issues can be found in the Adobe Product Security Incident Response Team Blog at http://blogs.adobe.com/psirt/. Looking the blog posts over the past year reveals they are publishing a little over two blog posts per month, although some of those may contain 3-4 security bulletins.

Visiting NIST's National Vulnerability Database and doing a search on "Adobe Flash" for the last three months returns ten reports: http://web.nvd.nist.gov/view/v...ype=last3months&cves=on.

This is not surprising given the popularity of Adobe's software.

What I am more interested in is whether Windows 9 (or whatever that version is called) will bundle a copy of Adobe Flash or not.

Regards,

Aryeh Goretsky

anyone know how the updates for flash work since it's built in?

i know flash can be insecure but adobe thankfully is pretty good at patching them asap for the most part. (makes me think of windows overall. when the majority uses something that's what is looked into and attacked the most.)

how long does it take to push into windows? i'm thinking the overall problem may not be flash itself but the delay in updating? could be wrong.

Just to confirm.... Windows XP is more secure than Windows 8?

Now I remember why I stopped using that Secunia software.

I've never felt ill effects from flash ever since it's inception, but Java has given me grief for years and years and years. (I use Java anyway because of some games like PSP Emulator etc..)

Such ill effects include automatic redirects from rogue ads on what are supposed to be trusted websites, when those fake antiviruses pop up in the corner, redirects, trap websites that don't let you click the back button and some droppers/injectors etc.. luckily I do critical browsing on a virtual machine before the real thing...

C'mon, how can you say no to this cute clip made entirely in flash?
http://hugclub.net/previews/previewlove1.html

Flash is great, but that's what they get for putting it in themselves instead of having users choose whether to install it or not as a plugin.

Ummm, you may want to rethink your thoughts. When flash wasn't baked in to IE people would not update their flash components, thus be extremely vulnerable to hacks and malware. Now since it's baked-in it gets updated right away which helps everyone become less vulnerable. Everyone needs flash until HTML5 video begins to dominate.

Was the point of Flash integration to just help the 'consumer' find it easier to watch his/her favourite videos?

Because I thought HTML5 was the new standard? Or is it just that a large amount of videos on the internet are still Flash based?

If the last question is true, then is it possible to convert or no?

suprNOVA said,
Was the point of Flash integration to just help the 'consumer' find it easier to watch his/her favourite videos?

Because I thought HTML5 was the new standard? Or is it just that a large amount of videos on the internet are still Flash based?

If the last question is true, then is it possible to convert or no?

there is no cross browser compatible implementation of DRMs support.

since DRMs are mandatory for "premium content" (video on demand, music streaming, ...), there is no way to do that without Flash player or silverlight.

on the mobile front, services like Netflix, Hulu, ... don't work in the web browser because of the lack of flash player support.

that's why these services are forced to develop proprietary mobile apps to support video/audio streaming with DRM.

As the Flash vulnerabilities count towards the OS in Win 8, shouldn't we see a lower number for 3rd party programs in the second chart?

dodgetigger said,
As the Flash vulnerabilities count towards the OS in Win 8, shouldn't we see a lower number for 3rd party programs in the second chart?

well, if you install Flash for Firefox, that's a separate component that need to be patched as well.

same for chrome.

so yes, they are counting the same vulnerability several times.

good thing that Microsoft didn't include chrome or Firefox in Windows instead of IE though!

that would have made even more flaws!
IE: 126 Flaws
Firefox: 270 flaws
chrome: 245 flaws

Seriously why are their statistics so confusing and unbacked? If they knew about vulnerabilities why not report them?

Internet explorer 126 vulnerabilities and they claim IE has 99% marketshare and that Google Chrome has 60% marketshare, Firefox 63% they really need to learn how % works.
Google Chrome 245 vulnerabilities - chrome has no flash built in?

This article is pointless.

Technically ANYONE who installs Flash on ANY machine (any version of Windows, Mac, Android) are subjected to the same vulnerabilities because of Flash. Just because it's bundled with Windows, doesn't make Windows 8 'the most vulnerable'... everyone installs Flash at some point, so everyone is subjected to the same vulnerabilities.

j2006 said,
This article is pointless.

Technically ANYONE who installs Flash on ANY machine (any version of Windows, Mac, Android) are subjected to the same vulnerabilities because of Flash. Just because it's bundled with Windows, doesn't make Windows 8 'the most vulnerable'... everyone installs Flash at some point, so everyone is subjected to the same vulnerabilities.

+1

but for tech "journalists" a misleading article such as this one is rewarded with more traffic, and more money!

1. How is this an OS vulnerability?
2. By this measure XP is the most secure version....except in reality infection rates of W7 & W8 computers are more than 5 times lower than XP.

notchinese said,
1. How is this an OS vulnerability?
2. By this measure XP is the most secure version....except in reality infection rates of W7 & W8 computers are more than 5 times lower than XP.

It is pretty unfair -- especially since I don't know many people with XP/Vista/7 who don't have Flash installed.

A lot of the problems with security comes from the very capable scripting engine in flash. It's fair to say it is a "legacy" tech and that it is a power hog on platforms other than Windows but you really can't say it "just plain sucks for everything". That is demonstrably incorrect.

Mandosis said,
This is why HTML5 is becoming a standard. Flash just plain sucks for everything.

I don't know if you've ever tried to build anything with lots of moving parts in HTML5, but Flash and Silverlight are MUCH easier to animate than HTML5. That's not a shortcoming of HTML5, but rather the tools. At this point, there aren't timeline/canvas visual editing tools, so designers spend a lot of time on fancy javascript and troubleshooting rather than expressing their creativity.

There are also certain animation actions that exist in HTML5/jQuery, but have tons more control in Flash or Silverlight.

I have learned how to use flash. Sure its easier to drag and drop stuff but using HTML5 and JavaScript and JavaScript libraries just makes for a better experience.

hicario said,
You can look at this one -> MotionArtist
http://motionartist.smithmicro.com/index.html

There are a couple of tools like this which are helpful for the animation side of things (especially to do slideshows or splash pages), but it lacks the scripting end, which is pretty critical to any type of functionality. With Flash (or Silverlight), you can pick an object on the canvas/timeline, give it some scripting actions -- and then wrap all that up and insert it into another larger canvas. You can tween one object into another.

Don't get me wrong -- I think HTML5 and jQuery are great, and superior for a many tasks. It's just that there isn't a tool comparable to Flash Professional, yet. Practically, most things that most people want can be accomplished with HTML5 -- but it takes longer and costs more.

Talys said,

There are a couple of tools like this which are helpful for the animation side of things (especially to do slideshows or splash pages), but it lacks the scripting end, which is pretty critical to any type of functionality. With Flash (or Silverlight), you can pick an object on the canvas/timeline, give it some scripting actions -- and then wrap all that up and insert it into another larger canvas. You can tween one object into another.

Don't get me wrong -- I think HTML5 and jQuery are great, and superior for a many tasks. It's just that there isn't a tool comparable to Flash Professional, yet. Practically, most things that most people want can be accomplished with HTML5 -- but it takes longer and costs more.

Oh, I perfectly agree with you, I just pointed a nice tool with "timeline/canvas visual editing tools" that I know (and use).

Now the HTML5 is very limited compared to what you can do with Flash. Flash can use bones+advanced deformation to animate a character when such technology is mostly sci-fi with HTML5. Even when you use MotionArtist using 3D camera, exporting to HTML5 removes the tilting of a layer (z axis). HTML5 is very primitive for now.
I am not even sure there is a method with HTML5 to use the benefit of PNG (transparency) + the compression of a JPEG image when animating a scene like with the 3D camera (and preserving good performance). It is pretty easy to achieve that with Flash, but with MotionArtist, I need to use an heavy PNG for any transparent layer which makes the whole scene much more heavier than in Flash.

@hicario -- thanks it actually looks like a pretty nice tool for the (low) price. I don't mind scripting little things... it's more when I have to do something like put 100 dots onto a map (for example, of locations) that it gets tedious to do without a visual editor!

Mandosis said,
Anything you can do with flash you can do with HTML5 and JavaScript.

That's not really the issue. Some non-trivial things take a few minutes to build in Flash, and would take days to build in HTML5/JavaScript. It's not a capabilities problem -- it's a tools issue.

Compared to Visual Studio, Flash/Flex has a god-awful editor. However, it has tools that nothing other than Blend really comes close to. Even then, there are certain 2D and 3D functions that are just easy to do in Flash that might be technically possible in HTML5/JavaScript, but other than academic examples, nobody in their right mind will do manually.

Mandosis said,
Anything you can do with flash you can do with HTML5 and JavaScript.
How will you do this kind of job using HTML5?
http://youtu.be/h814ob7nCxo?t=1m6s
It is just one minute Flash job you know and that's using an old version of Flash. Current version allows more control about the way the shape is bending according to bones.
When you are saying "using HTML5 and JavaScript and JavaScript libraries just makes for a better experience", I have the feeling that you think every kind of animation is just a simple animated menu. A visual editor is needed because animators need onion skin tool, animation curves and so on. You can't really animate anything a little bit "advanced" using lines of code only.

Isn,t secuna the same company that states IE 6 more secure than Firefox? I think we know the validity. XP also is the most secure OS ever!!

So with XP and IE 6 I should be secure and good to go! After all there are 0 aslr, dep, sandbox vulnerabilities with XP and IE 6.

... Disclaimer that ancient software stack has neither of these.

pratnala said,
I don't think they said IE 6 is more secure than Firefox. They are quite a reputed security firm AFAIK.


well, IE6 had less security flaws than Firefox or chrome over the last decade.

but IE6 doesn't support ASLR (xp doesn't support it), and DEP is disabled by default, which make flaws easy to exploit.

If you force DEP on IE6, IE6 is probably more secure than Firefox on Windows XP (past statistics tend to show that fewer new flaws are discovered on IE6 each month than on competitors' browsers).

Care to enlighten why WIndows XP/Vista/7 computers with flash installed isn't as vulnerable?
I think i'm mixing up some things here

Here's what i think
Chances are many people still install flash as there are stuff/sites still running on this.
Isn't the code similar just that Microsoft help you bake it into the OS?

It is, but that's not a requirement. By nature of having Flash bundled, any Windows 8 machine running IE is immediately vulnerable to issues that they may otherwise not be vulnerable too.

This is particularly key on work computers where Flash may not even be desirable to install, but now both Chrome and IE force it upon you (granted, like most point out, both sandbox Flash, which provides a lot of risk mitigation, but it's only as good as the sandboxes).

The author of this failed to say that Flash is baked into the modern version of IE, not desktop. So since XP, Vista, and 7 don't use modern apps they aren't counted against them, unless of course you go ahead and install flash yourself. It should be noted that modern apps are sandboxed so it makes these vulnerabilities pretty negligible.

It should also be noted that installing Flash and enabling flash on your desktop browsers (desktop IE, Chrome, and FF) makes you far more susceptible to these vulnerabilities than using Modern IE. Reason being is that flash is sandboxed, but it is sandboxed within itself, making it only 1 layer between flash and your OS. Modern IE has flash sandboxed within modern IE, making it 2 layers until it hits the OS.

Its baked into the MODERN instance of IE, not the desktop version, this runs in a sandbox along with flash.

I'm not saying this is absolute protection but the sandbox will skew the figures above since its not simply flash running in IE, its flash running in IE inside the modern app sandbox and only has hooks into the OS using a limited set of API's.

Lord Method Man said,
Isn't it baked into the Desktop IE as well? I never had to install Flash as an addon in Windows 8.1

I believe Windows 8 comes with flash, but it is not baked into desktop IE.

contextfree said,
Yes

Sure is on the desktop side.
Most people I know, and assume on here actually use all of the main browsers at some point which causes adobe installer to overwrite the built in desktop plugin.

This happened to me when I needed flash support in Chrome/Firefox/Opera.
Now Desktop IE uses Adobe provided plugin.

I am still confused why Microsoft decided to bundle Flash at all. It is one of those things that I just don't see it as needing to be baked in.

LogicalApex said,
I am still confused why Microsoft decided to bundle Flash at all. It is one of those things that I just don't see it as needing to be baked in.

emphasis is needed in the article, to make clear its baked into the modern IE app, not desktop. Its baked in because you cant install plugins to the modern ie app, and the app runs in a sandbox protecting the system from these vulnerabilities

I am fairly sure that they did it so that it could be included with IE on their ARM devices, which they expected to pick up a lot more steam to compete with the iPad.

It is a pretty huge advantage to be able to play Flash based content (e.g., TV shows on Hulu) on the Surface rather than being forced to download and pay for an app on the iPad (Hulu Plus).

With that said, IE still sucks because they refuse to provide a plugin architecture similar to Chrome and Firefox. As a result, there is no way to conveniently enable and disable Flash support (or run AdBlock) on a per-site basis. The only sites that I am willing to run Flash on are those that [legally] host TV shows, like CWTV (e.g., Arrow), CBS (e.g., NCIS), and Hulu (pretty much everything else... except ABC Family).

The nicest benefit about Microsoft and Google bundling Flash is that you get frequent updates to Flash. The bad thing about it is that you have Flash forced upon you.

duddit2 said,

emphasis is needed in the article, to make clear its baked into the modern IE app, not desktop. Its baked in because you cant install plugins to the modern ie app, and the app runs in a sandbox protecting the system from these vulnerabilities

Rubbish. They could have not baked it in and allowed you to download it. Even if it was a notice that sent the user to the store to install the MS version that was specially crafted to install.

Baking it in is another security vector that needs to be accounted for and users don't get the choice to say yes or not.

No "sandbox" is more secure than not having the vector in the first place...

Its pretty Simple. When Adobe finds bugs.. they release an update and its just easier facilitated via Windows update.. Like the last exploit adobe released a patch I got it via Windows update same day.

That said I normally don't keep Flash enabled in IE11 anyway, I also disable ActiveX, run the Desktop browser in Enhanced Protected Mode+64bit processes and use EasyList TPL& enable SmartScreen. Block 3rd party cookies by default. AND I tick the box that disables any Third-party plugins from running

I'm fairly confident in IE11 at this point

Also "I am still confused why Microsoft decided to bundle Flash at all."

Windows 8.1 is a do it all OS, on any device and form factor... It runs on Desktop, It runs Full Websites, Full Websites today still use Flash and so its included

Plus, Since its available my Venue 8 Pro tablet is able to do everything'

As well, Saying Windows 8.1 had more vulns is disingenuous as that's on Adobe not Microsoft, they are interwoven with Windows update but to my mind that actually Helps users keep up-to-date without thinking so long as Adobe stays on top of their game

Edited by dingl_, Feb 27 2014, 5:38pm :

pickypg said,
With that said, IE still sucks because they refuse to provide a plugin architecture similar to Chrome and Firefox.

Except that Chrome and Firefox are both removing the plugin architecture and soon you will only be able to run "whitelisted" plugins.

pickypg said,
I am fairly sure that they did it so that it could be included with IE on their ARM devices, which they expected to pick up a lot more steam to compete with the iPad.

It is a pretty huge advantage to be able to play Flash based content (e.g., TV shows on Hulu) on the Surface rather than being forced to download and pay for an app on the iPad (Hulu Plus).

With that said, IE still sucks because they refuse to provide a plugin architecture similar to Chrome and Firefox.

extensions are a bad thing, and it's great that IE on WindowsRT no longer support them.

malicious extensions can do as much harm as many malwares (inject ads, steal passwords, ...)

malicious extensions can even work on chrome OS, despite popular beliefs that chromeOS is not vulnerable to malwares. Well, it is, because of extensions support.

http://arstechnica.com/securit...send-adware-filled-updates/


As a result, there is no way to conveniently enable and disable Flash support (or run AdBlock) on a per-site basis. The only sites that I am willing to run Flash on are those that [legally] host TV shows, like CWTV (e.g., Arrow), CBS (e.g., NCIS), and Hulu (pretty much everything else... except ABC Family).

The nicest benefit about Microsoft and Google bundling Flash is that you get frequent updates to Flash. The bad thing about it is that you have Flash forced upon you.

that's wrong.

just open the settings, safety menu in IE. Then select "ActiveX Filtering".

and you're done. No 3rd party extension to install. IE will disable Flash by default, and let you enable it on a per-site basis. Just click the blue crossed circle in the address bar when you want to enable it.

link8506 said,
extensions are a bad thing, and it's great that IE on WindowsRT no longer support them.
Extensions are a bad thing for users that are already going to be vulnerable to issues, but they are a boon for the rest of us. The only two extensions that I use make my browsing experience a lot safer: AdBlock and FlashControl. By blocking Flash, I will avoid 99% of browser based issues.

The exact same scenario can play out with applications and apps on phones with extensions being purchased by malware producers, but we're not running away from them for the obvious reason: it's worth the risk.

link8506 said,
that's wrong.
That is not remotely the same quality of service that the extensions can provide. I can enable Flash on a per-site basis or a per-object basis (e.g., avoid loading trojan-riddled, Flash-based ads while still playing a specific video).

More importantly, I can also block ads separately using AdBlock, which will block the majority of browser-born viruses, particularly when combined with FlashControl.

greenwizard88 said,
Except that Chrome and Firefox are both removing the plugin architecture and soon you will only be able to run "whitelisted" plugins.
I'm not sure that I see a problem with this, as long as whitelists are maintained like app stores.

Works fine in both desktop and modern. I'm running IE 11.

The only reason why it's not recommended is because the bar is no longer enabled by default.

It seems to work by changing the flash control to unapproved.

Edited by Joe User, Feb 27 2014, 5:31pm :

Just opening up togflash.exe in notepad shows how it works. It disables the flash control in IE via a few registry settings.

It's about as elegant as using a power saw to slice bread, it works fine, but it's a bit heavy.

Other alternatives are to disable flash via group policy, or use ActiveX filtering for more granular options.

Pluto is a Planet said,
I just use Firefox and it does the same but for all plugins on a site-by-site basis

Do they bundle flash with firefox now?

Joe User said,

Do they bundle flash with firefox now?

Nope, it treats flash like any other plugin and also instantly disables it when a known, severe vulnerability is found.

So, if I use Firefox which doesn't come with Flash, I can install Flash then I can disable Flash in Firefox?

What point were you trying to make? That I don't have to use a third party app to disable a third party app in a third party app?

stevan said,
Can't remember last time I went to a site that needed flash. I also can't remember last time I used IE.

Good to know I guess...

But whatever browser you use, it likely uses flash as well. Chrome has it for example. IE having flash as well isnt news worthy. What makes this interesting is that they count IE as part of Windows because it comes preinstalled. A bit strange since modern apps actually make it easier to uninstall applications.

stevan said,
Can't remember last time I went to a site that needed flash. I also can't remember last time I used IE.

that's because you use an iPad and you are forced to install dedicated apps each time you want to see a content that would otherwise require Flash Player.

but hey, apparently you ignore that a lot of iOS apps are built using Adobe AIR, which is just a fancy name for Flash Player content packaged as an app.

so, without knowing it, you actually use the Flash bits.

link8506 said,

that's because you use an iPad and you are forced to install dedicated apps each time you want to see a content that would otherwise require Flash Player.

but hey, apparently you ignore that a lot of iOS apps are built using Adobe AIR, which is just a fancy name for Flash Player content packaged as an app.

so, without knowing it, you actually use the Flash bits.

Please read the entire quote next time.

...went to a site that used flash...

stevan said,

Please read the entire quote next time.

you're visiting sites that practice user agent sniffing to display banners telling you to download an iOS to view this content.

so obviously, they are not asking you to install Flash. They are asking you to install their native application, which may just be a repackaged flash app for iOS.

and websites that don't have ios app may display static images instead of dynamic content (videos, 360deg views, ...) when they detect a browser without Flash.

but visit these sites with a browser supporting Flash, and you'll be surprised by the number of services and web sites you use which actually still use flash.

is that so hard to understand?

Lord Method Man said,

xhamster, pornhub, cliphunter, youjizz.....

not a very smart reply.

just went on my non flash supporting device. none of them need flash. it's not about porn. oh yeah, you were just joking.

Edited by tomasarson, Feb 28 2014, 6:36am :

link8506 said,

that's because you use an iPad and you are forced to install dedicated apps each time you want to see a content that would otherwise require Flash Player.

but hey, apparently you ignore that a lot of iOS apps are built using Adobe AIR, which is just a fancy name for Flash Player content packaged as an app.

so, without knowing it, you actually use the Flash bits.

while i'm not down for abandoning flash i think most sites have moved on if they're smart. this isn't java, hopefully.

*non apple device user.

stevan said,
Can't remember last time I went to a site that needed flash. I also can't remember last time I used IE.

Neowin.

Urrm... do we have any facts to substantiate this "News" or is this merely opinion. Specifically:

Flash has long had a history of being vulnerable and generally an insecure piece of software

And...

we suspect that many of the additional areas of weakness are related to the Adobe software.

Someone have a personal vendetta against Adobe and Flash specifically ? I don't dispute the opinion but for this to be "News" it should at least have some facts behind it.

I am agreeing with you. Flash is inside the Modern version of IE, so that means it's in a sandboxed metro app. Meaning, alot of the vulnerabilities aren't tied in to the regular Win32 version.

Also, seeing as how Windows 8 is the same code-base as Windows 7, but builds on top-of it, how is it less secure (apart from this supposed Flash issue). Again, want more facts about this.

jamieakers said,
Urrm... do we have any facts to substantiate this "News" or is this merely opinion. Specifically:

Flash has long had a history of being vulnerable and generally an insecure piece of software

And...

we suspect that many of the additional areas of weakness are related to the Adobe software.

Someone have a personal vendetta against Adobe and Flash specifically ? I don't dispute the opinion but for this to be "News" it should at least have some facts behind it.

They're a security research firm. The generally report on finding made by them or other companies in the field. They deal most in facts and not opinions.

I also agree. Too few "facts" here to back up the claims. I completely believe that Flash is a piece of insecure garbage. We have known this for years. However it shouldn't be too much of an issue that it is baked into IE as the modern version of IE is sandboxed, just as all other modern apps are. It shouldn't be able to do much damage at all.

It's not facts. False statistics and misinterpreted data.

Secuna just added vulnerabilities with no statistics to back it up. So a vulnerability is discovered in a sandbox for IE as an example. Secuna counts it. XP/IE 6 doesn't even have a sandbox. Therefore IE 6 is most secure browser!

That is false. It is false as a step was added to prevent exploits in a modern version makes it more secure even if someone finds a way to override it. But since an older version lacks it then it applies it has one less vulnerability.

Time to discredit

sinetheo said,
That is false. It is false as a step was added to prevent exploits in a modern version makes it more secure even if someone finds a way to override it. But since an older version lacks it then it applies it has one less vulnerability.

Yes. Read the actual PDF. It should explain more.

The fact is steadfast. Flash in fully ingegrated into Windows, part of Windows specifically like any other system32 s@it.

I'm getting normally Flash updates ( via Windows Update ) almost as often as Windows Defender's definitions.

Just deal with it. 8 is vista fiasco in other ways.

greensabath said,
I am agreeing with you. Flash is inside the Modern version of IE, so that means it's in a sandboxed metro app. Meaning, alot of the vulnerabilities aren't tied in to the regular Win32 version.


I don't think this is entirely true.

I've read that IE on Windows 8/RT is a kind of hybrid application, and that the rendering engine for both modern and desktop IE uses the traditional Windows APIs (not the WinRT API). This is the whole reason a developer can't write an alternative modern ui browser for Windows RT as third party win32 and .net applications aren't allowed to run.

Also, and while I can't personally speak for Windows 8, on Windows RT flash is built into both versions of IE, and I see in other comments people saying the same thing about Windows 8.

Seems there is a lot of mis-information on this topic.

Raylan Givens said,
The fact is steadfast. Flash in fully ingegrated into Windows, part of Windows specifically like any other system32 s@it.

I'm getting normally Flash updates ( via Windows Update ) almost as often as Windows Defender's definitions.

Just deal with it. 8 is vista fiasco in other ways.

wow I'm shocked by so much stupidity.

95% of computer users (windows, Linux, osx) use flash player.

Microsoft decided to bundle it in Windows so that it receives security updates directly from Windows Update, which is more reliable than a background service that can be disabled by the user.


how the hell do you reach the conclusion that this is less secure than win7/osx/whatever and that "windows 8 is a fiasco"?

what the hell are you smoking?

link8506 said,

wow I'm shocked by so much stupidity.

95% of computer users (windows, Linux, osx) use flash player.

Microsoft decided to bundle it in Windows so that it receives security updates directly from Windows Update, which is more reliable than a background service that can be disabled by the user.


how the hell do you reach the conclusion that this is less secure than win7/osx/whatever and that "windows 8 is a fiasco"?

what the hell are you smoking?

You're confusing "use" with "have". The overall number of websites using flash has been on a steady decline for about 3 years now...

stevan said,

You're confusing "use" with "have". The overall number of websites using flash has been on a steady decline for about 3 years now...

sites using Flash to display their user interface (a thing that HTML4/CSS2 is sufficient for) are on decline, yes.

but every media site providing premium content is still using Flash player or silverlight.

nothing has changed, and nothing will change in the near future because DRM in HTML5 is a mess, as chrome and IE's implementations are not compatible (and Firefox refuses to support DRMs).

even sites which have claimed to have gone HTML5 are still using Flash for streaming their content because they are not allowed by content owners to stream without DRM.
They have just replaced their menus, playlists, buttons with standard HTML. But for DRM support, they still rely on Flash.
or on native mobile apps when flash is not available.

Firefox is on the forefront of Adobe Flash support so it makes sense that it refuses to support HTML5 DRM. If you don't believe me, visit YouTube - Firefox still uses Adobe Flash.

Flash is _not_ fully integrated into Windows 8. It is a built-in plugin in Internet Explorer. That's not the same thing. Google also bundles Flash into Chrome. It's a built-in plugin. Both Internet Explorer and Chrome treat Flash as a plugin and sandbox it off. In fact, Internet Explorer sandboxes _all_ of its plugins in Windows 8. And, in Enhanced Protected Mode, it completely sandboxes itself. Just because Windows Update now updates Flash does not mean it is "fully integrated" into Windows.

Raylan Givens said,
The fact is steadfast. Flash in fully ingegrated into Windows, part of Windows specifically like any other system32 s@it.

I'm getting normally Flash updates ( via Windows Update ) almost as often as Windows Defender's definitions.

Just deal with it. 8 is vista fiasco in other ways.

I'll agree with that last line, some what, although it's not entirely as bad as Vista.

The stupidity that went into releasing Windows 8 as it was just shows how bad it is though.

Why in the heck would MS even think about integrating that crap flash player into it's own product is way beyond me, especially since they're NOT the one coding it!

I sure have no plans on upgrading to that fine POS!