About Flash & Security
Regarding Adobe Flash
In September 2011, Microsoft went on the record to say that the Modern-style (then still called Metro-style) version of IE10 is going to be 'plug-in free'. The decision came after the company examined 97,000 web sites, and discovered that while 62% of them use Flash, many of those use it just so they can display advertisements, and the majority of them fall back to HTML5 if Flash isn't supported. In a nutshell, in order to view Flash and other plug-in content in Windows 8, the user has to switch to the desktop application of IE10.
Now, before you go pulling your hair out and lamenting that you can't play your Flash 10 videos and games in IE10, let us tell you that the situation has somewhat changed since the "no plug-in" comment. The final decision is that IE10 in Windows 8 will come with Flash. However, it's not in the form of a plug-in. What Microsoft has done is to work with Adobe to integrate Flash 11.3 right into both the Modern-style and desktop versions of IE10. (The latter will, as per usual, support other third-party plug-ins.) That being said, there are some differences between the two. For one, the Modern-style version of IE10 isn't getting the full version of Flash, so some Flash-based sites may still not work (especially those that don't work well with touch, such as sites that rely on double-click or rollover and rollout events). For those, you will need to turn to the desktop version, which has the full version of Flash. More importantly, a website must be in the IE Compatibility View (CV) list before Modern IE can play its Flash content. For web developers, check out this documentation that details the compatibility guidelines for Flash content in IE10, and how to submit your sites for consideration for the CV list.
Of course, the concern with Flash integrated into IE's code is one of security. Because Flash is now part of the browser, any security update has to come from Microsoft, via the Windows Update mechanism; users can't just download and run security patches from Adobe. We can only hope that the super-close collaboration between the two companies will also translate to faster and more timely security updates.
Update (Mar 12, 2013): Microsoft has announced that it'll be updating IE10 in Windows 8 and Windows RT to run Flash content by default. This means that instead of using the CV list as a whitelist, it'll now be used as a blacklist. You can read more about this change here.
Other than what we've mentioned above, security has also gotten a boost in IE10. For example, SmartScreen Filter (first seen in IE8) detects phishing websites, and protects you from downloading and installing malicious software. Basically, it'll check the reputation of the webpages you visit, screen the files that you download from the Web, and let you know if something is amiss. Naturally, this has raised some privacy concerns, but Microsoft has responded by saying that they aren't building a historical database of program and user IP data, and all IP addresses in their logs are deleted periodically. If you're still feeling uncomfortable about SmartScreen, you can turn it off. Just search for 'action' in the Start screen, select 'Settings' from the results, followed by 'Action Center'. In Action Center, you'll see an option on the left that says 'Change Windows SmartScreen settings'.
Also new in IE10 is an 'Enhanced Protected Mode' (technical details here), which aims to protect your data even if a hacker has found a flaw in IE10. EPM is enabled by default on Modern IE10, but not on the desktop version. Why? Because EPM requires all processes to run in 64-bit. However, to ensure compatibility with plug-ins, the desktop version of IE10 has its tab or content processes run in 32-bit by default. In other words, when you enable EPM in the desktop version of IE10, it will switch to 64-bit tabs by default. This may 'break' certain plug-ins, but the good news is that you'll be given an option to load a 32-bit tab if the browser encounters a non-EPM-compatible plug-in.
To enable EPM in the desktop version of IE, go to Tools > Internet options > Advanced, and check 'Enable Enhanced Protected Mode'.
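To confirm the SmartScreen and Enhanced Protected Mode settings described above without clicking through the dialogs, the following PowerShell reads their state from the registry. It is an added example, not from the original article or from Microsoft; the registry paths and value names (`Isolation` = `PMEM`, `SmartScreenEnabled`) are assumptions about Windows 8 / IE10, and the function names are hypothetical.

```powershell
# Added example. Registry paths and value names are assumptions about
# Windows 8 / IE10; confirm them on a reference machine before relying on them.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-EpmState {
    # Checked in order: policy locations first, then the per-user preference
    # written by the 'Enable Enhanced Protected Mode' checkbox.
    $sources = [ordered]@{
        'Machine policy'  = 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Main'
        'User policy'     = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Main'
        'User preference' = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    }
    foreach ($name in $sources.Keys) {
        $value = Get-RegValue -Path $sources[$name] -Name 'Isolation'
        if ($null -ne $value) {
            return [pscustomobject]@{
                Setting = 'Enhanced Protected Mode (desktop IE)'
                Enabled = ($value -eq 'PMEM'); RawValue = $value; Source = $name
            }
        }
    }
    # Nothing set: the article notes EPM is off by default on the desktop version.
    [pscustomobject]@{
        Setting = 'Enhanced Protected Mode (desktop IE)'
        Enabled = $false; RawValue = $null; Source = 'Default'
    }
}

function Get-SmartScreenState {
    $path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
    $value = Get-RegValue -Path $path -Name 'SmartScreenEnabled'
    [pscustomobject]@{
        Setting  = 'Windows SmartScreen'
        # 'Off' means disabled; a missing value is reported as not enabled
        # so that it gets reviewed rather than assumed safe.
        Enabled  = ($null -ne $value -and $value -ne 'Off')
        RawValue = $value; Source = 'Machine setting'
    }
}

@(Get-EpmState; Get-SmartScreenState) | Format-Table -AutoSize
```

The `Source` column shows whether the EPM value comes from a policy or from the user's own checkbox, which matters when a machine reports EPM off despite a policy being deployed.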
All in all, after using Modern IE10 for several months now, we can say for certain that it's a move in the right direction, at least from the user experience point of view. And it's a more than capable browser for Windows RT devices, which can only run Modern-style apps. It is, however, less efficient if you don't have a touch-enabled device. In that case, the desktop version of IE10 is a better choice.