Microsoft issues critical Flash security update

Microsoft, despite deciding not to release any patches in February, has pushed out a critical security update containing patches developed by Adobe for the Adobe Flash Player.

The patch, MS17-005, updates Flash libraries contained within Internet Explorer 10 and 11 as well as Microsoft Edge to address exploits that could be used to trigger remote code execution.

According to Microsoft, an attacker could potentially exploit the vulnerabilities in unpatched versions of the browsers by hosting a specially crafter website designed to exploit them and convincing a victim to visit or by embedding an ActiveX control in an Office document hosting the IE rendering engine.

Affected software includes Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2016 and Windows Server 2012, although the impact is only listed as moderate and not critical for the latter OS.

The update also lists a series of potential workarounds to limit exposure to the vulnerability for unpatched systems, including disabling Flash, preventing it from running within Office 2010 and disabling ActiveX controls in Office 2010 or 2007.

Adobe released this month's Flash patches on the 14th of February, the same day Microsoft would traditionally have issued its Patch Tuesday Windows updates.

But Microsoft, after transitioning to a new model that removes the fixed schedule for issuing patches, this month revealed it will push back the release of the planned February updates until March.

Image courtesy of Mike Mozart under CC

Follow us on Twitter and Facebook