Even though users noticed last month that IE10's Flash had fallen behind Adobe's version, it wasn't until this week that first reported that Windows 8 users were vulnerable to attack.

Some of the people commenting on Adobe's and Microsoft's support forums, as well as on Bott's blog, argued that Microsoft should be excused for not patching Flash because Windows 8 has not widely shipped. Others disagreed, pointing out that Windows 8 RTM has been available to enterprises with volume licensing agreements for several weeks, and so it has moved beyond the evaluation phase.

Complicating matters, Microsoft has also offered a since Aug. 15 to anyone willing to download the large file.

Microsoft's situation is reminiscent of Apple's before it decided to dump Flash Player and Java from OS X. When Apple maintained those programs -- at the time both were bundled with all Macs -- it often lagged months behind Adobe and Sun Microsystems, then the owner of Java, in its patching.

"Anytime a company bundles a third-party application, they take on some unsaid but expected responsibility to help their users ensure that even the third-party applications get timely updates," said Andrew Storms, director of security operations at nCircle Security, in an email Friday. "Apple has been the worst [at this] and has clearly shown what not to do."