Microsoft has finally released an update for the Flash Player plugin that ships with Internet Explorer 10, patching vulnerabilities that Adobe has long since addressed for anyone using the standalone version of Flash.
Internet Explorer 10 bundles the Flash plugin directly into the browser, which means Adobe’s auto-update tools don’t work, nor can users manually download and install Flash updates. Any security patches and updates for Flash in IE 10 must come from Microsoft, through Windows Update.
However, Microsoft has, thus far, been quite a bit behind Adobe in updating Flash. The update now available for Flash in IE 10 addresses the problems, but comes a month after the vulnerabilities were made public. A Microsoft spokesperson previously told Webmonkey that the timing of Flash updates in IE 10 will be worked out before Windows 8 actually ships later this year.
This round of Microsoft security updates also brings a new version of IE 9, which patches a number of security holes, including a zero-day exploit which allows a malicious website to install the “Poison Ivy” malware, a backdoor trojan that can take over your PC and steal your data.
The Poison Ivy vulnerability was serious enough that Microsoft broke its traditional monthly security update cycle to release an emergency fix for IE earlier this month. If you happened to have missed the out-of-cycle update, be sure you apply this latest round of fixes in Windows Update.
It’s also worth noting that the Poison Ivy malware exploit works on IE 6, 7 and 8 as well as 9. If you’re on Windows XP, or are just stuck using an older version of IE, patches are also available. You can find the full details and a list of all affected platforms in Microsoft’s Security Bulletin.
If you’ve already upgraded to the Internet Explorer 10 preview you don’t need to worry about the Poison Ivy exploit since it doesn’t work in IE 10.