As outlined by Secunia in a presentation at System Center Universe last week, Windows is the least of an IT pro's worries when it comes to protecting the environment from vulnerabilities. Microsoft actually sees fewer vulnerabilities associated with the core OS than with the applications that run on it.
And, the leading vulnerability maker for Windows systems? Adobe.
So, it's no surprise to see an out-of-band update released for an Adobe Flash vulnerability. However, the surprise is that the released update is for the server OS. Over the years, many have questioned why software like this runs on a server OS that is supposed to be used to store and protect company data and services. Some have even suggested that an Internet browser should never be installed on a server, or that an on-premises server should never be connected directly to the Internet. Of course, we all realize now that Windows Server 2012 is Microsoft's Cloud OS and eliminating the connection between on-premises and the Cloud is almost futile these days.
With Windows 8.x and Windows Server 2012, Microsoft took an extra step to integrate Flash Player into Internet Explorer. I'm sure part of the thinking behind that had to be for customer convenience, but really, integrating anything from Adobe into an OS is asking for disaster, particularly when stats show that Adobe produces the most insecure products.
The update (KB2929825) has been made available for download and fixes a vulnerability where an attacker utilizes Flash built into Internet Explorer to gain control over the computer. And, since there are so many different, supported versions of Microsoft's latest OS, you'll need to pick the one that is right for you.