In an update released on 19 September 2014, Microsoft is addressing a security issue with Adobe Flash Player for Internet Explorer 10 and 11 on Windows 8/8.1.
According to Microsoft, this vulnerability could allow an attacker to gain control over a computer running IE Flash Player.
In a web-based attack scenario where the user is using Internet Explorer for the desktop, an attacker could host a specially crafted website that is designed to exploit any of these vulnerabilities through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit any of these vulnerabilities. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by clicking a link in an email message or in an Instant Messenger message that takes users to the attacker’s website, or by opening an attachment sent through email.
In a web-based attack scenario where the user is using Internet Explorer in the Windows 8-style UI, an attacker would first need to compromise a website already listed in the Compatibility View (CV) list. An attacker could then host a website that contains specially crafted Flash content designed to exploit any of these vulnerabilities through Internet Explorer and then convince a user to view the website. An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by clicking a link in an email message or in an Instant Messenger message that takes users to the attacker’s website, or by opening an attachment sent through email.
The updates for Windows 8 RT and Windows 8.1 RT must be downloaded from Windows Update on those devices.
The updates for x86/x64 versions of Windows 8/8.1 and Windows Server 2012/Windows Server 2012 R2 can be downloaded through the Microsoft Download Center as linked below:
- Update for Internet Explorer Flash Player for Windows 8 (KB2999249)
- Update for Internet Explorer Flash Player for Windows 8.1 (KB2999249)
- Update for Internet Explorer Flash Player for Windows 8 x64 (KB2999249)
- Update for Internet Explorer Flash Player for Windows 8.1 for x64-based Systems (KB2999249)
- Update for Internet Explorer Flash Player for Windows Server 2012 (KB2999249)
- Update for Internet Explorer Flash Player for Windows Server 2012 R2 (KB2999249)