Flash in Windows 8: The Good, the Bad and the Ugly

Last week I described how Chrome and Firefox are protecting users against vulnerable plugins, Flash and Java amongst them, with Click to Play. Microsoft has a different approach with Windows 8 when it comes to protecting users against attacks that use the Flash plugin.

Embedded Flash Player

Windows 8 ships with its own version of Flash. Users can no longer install Flash from the Adobe website. On the good side, Flash updates are now part of the overall Windows update process.

This is similar to Apple shipping their own version of Java. While it forces users to update their plugins along with the OS, we've also seen the downside. Mac OS X was hit by malware that used a vulnerability in the older Java version shipped by Apple that had been patched months prior by Oracle.

Microsoft and Adobe have a much closer relationship than Apple and Oracle, but the Flash version shipped by Windows 8 (11.3.376.12) is already quite far behind the latest version offered by Adobe (11.5.502.110). The same problem that Apple faced with keeping up with security upgrades might already be occurring in Windows 8.
Flash version number in Windows 8 at the top

Internet Explorer Desktop and Internet Explorer Metro

Windows 8 comes with two versions of Internet Explorer 10: the Desktop version and the Metro version.
Internet Explorer 10 Metro

The Desktop version is pretty much the same as Internet Explorer 9 on Windows 7. Besides the embedded Flash version, Flash content is handled the same way as it is in Internet Explorer 9.

The Metro version, besides a very different UI, handles Flash very differently. Microsoft has decided to let the Flash plugin run only on a list of allowed websites. For all other websites, Flash is disabled. This is more intrusive than Click to Play, but it also brings better protection.
Flash disabled on non-allowed website
However, I must say this behavior is quite disconcerting to the user. There is no warning from the browser that Flash has been disabled for a given website, but not for others. Most websites, like the one above, will just say that Flash is not installed, and give a link to the official Adobe website... which the Windows 8 user cannot use!

The only workaround for webmasters to enable Flash on their website is to ask users to switch to the Desktop version of Internet Explorer. Webmasters can add an HTML tag or HTTP header to request that the user switch versions. Internet Explorer Metro then shows a popup suggesting a switch to the Desktop version.
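
As an added illustration (not code from the original post or from Microsoft): a short Python check that an auditor can run over a response to see whether a page asks Internet Explorer Metro to offer the Desktop switch, which is useful for inventorying pages that steer users to the plugin-enabled browser. It uses the X-UA-Compatible value requiresActiveX=true, which the post does not name; the function names and sample pages are constructed for this example.

```python
from html.parser import HTMLParser

# X-UA-Compatible value that asks IE10 Metro to offer the Desktop switch.
DIRECTIVE = "requiresactivex=true"

def has_directive(value):
    """True if an X-UA-Compatible value carries requiresActiveX=true."""
    # Tolerate combined values such as "IE=edge; requiresActiveX=true".
    parts = value.replace(",", ";").split(";")
    return any(p.replace(" ", "").lower() == DIRECTIVE for p in parts)

class MetaScanner(HTMLParser):
    """Looks for <meta http-equiv="X-UA-Compatible" content="...">."""
    def __init__(self):
        super().__init__()
        self.found = False

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        if (a.get("http-equiv", "").lower() == "x-ua-compatible"
                and has_directive(a.get("content", ""))):
            self.found = True

def desktop_switch_sources(headers, html):
    """Return where the response requests the switch: 'header', 'meta'."""
    sources = []
    if any(n.lower() == "x-ua-compatible" and has_directive(v)
           for n, v in headers.items()):
        sources.append("header")
    scanner = MetaScanner()
    scanner.feed(html)
    if scanner.found:
        sources.append("meta")
    return sources

# Constructed sample pages (not captured from a real site).
PAGE_META = ('<html><head><meta http-equiv="X-UA-Compatible" '
             'content="IE=edge; requiresActiveX=true" /></head></html>')
PAGE_PLAIN = '<html><head><title>video</title></head><body></body></html>'

if __name__ == "__main__":
    print(desktop_switch_sources({"X-UA-Compatible": "requiresActiveX=true"}, PAGE_PLAIN))
    print(desktop_switch_sources({}, PAGE_META))
    print(desktop_switch_sources({"Content-Type": "text/html"}, PAGE_PLAIN))
```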

No plugin

The other plugins (Java and others) work fine on the Desktop version, but not at all on the Metro version. No warning is shown to the user. Browser extensions (BHOs, Browser Helper Objects) also do not work with Internet Explorer Metro.

Microsoft is taking a radical approach by forbidding plugins and extensions to run in the Metro version of Internet Explorer. We will see if users switch back to the plugin-enabled Desktop version, or if webmasters will move to HTML5 to replace their Flash and Java content.
