Microsoft backpedals, promises to patch Windows 8's Flash 'shortly'
Security expert wonders why Microsoft dropped the ball
Computerworld - Microsoft today said it would update Flash on Windows 8 "shortly," although it declined to set a timetable.
"In light of Adobe's recently released security updates for its Flash Player, Microsoft is working closely with Adobe to release an update for Adobe Flash in IE10 to protect our mutual customers," Yunsun Wee, director of the company's Trustworthy Computing Group, said in a Tuesday statement. "This update will be available shortly."
Microsoft's promise to quickly deliver a Flash security update for Windows 8's version of Internet Explorer 10 (IE10) was a turn-about from its stance last week, when the firm said it didn't plan on patching Flash Player until late October.
Long-time Windows blogger Ed Bott first reported Microsoft's change of heart.
Microsoft, not Adobe, is responsible for patching Flash Player in Windows 8 because the company took a page from Google's playbook and integrated the popular media software with IE10, the new operating system's browser. Microsoft announced that move in late May, when its top IE executive, Dean Hachamovitch, said, "By updating Flash through Windows Update, like IE, we make security more convenient for customers."
Convenient, perhaps. But even before the official launch of Windows 8, Microsoft fell behind Adobe in its Flash patching.
Windows 8 RTM, the Aug. 1 milestone designating finished code, did not include two Flash Player updates that Adobe shipped last month. Those updates patched eight vulnerabilities, one of which -- tagged as CVE-2012-1535 -- was already being exploited by hackers. An elite hacker gang uncovered by Symantec last week had been among those compromising Windows PCs using the Flash bug.
On Tuesday, Windows 8 RTM's IE10 continued to identify the integrated Flash Player as version 11.3.372.94, which lacks the Adobe fixes of last month, showing that Microsoft has not silently patched the problem.
One security professional took Microsoft to task for poor patch management.
"You would have thought that Microsoft would have had this all planned out previously," said Andrew Storms, director of security operations, in an interview over instant messaging today. "Now, it's like an afterthought."
Saying that the snafu over Flash was "very unlike them," meaning Microsoft's security team, Storms was puzzled at the dropped ball. "It's almost as if it was an entirely different team from the security group that made this -- or forgot -- this arrangement," he said.
Microsoft's Wee did say that the company hoped to do better in the future. "Ultimately, our goal is to make sure the Flash Player in Windows 8 is always secure and up-to-date, and to align our release schedule as closely to Adobe's as possible," she said.
That may be difficult. While Microsoft has a monthly patching schedule -- today, in fact, is September's Patch Tuesday -- Adobe does not adhere to any set patching schedule for Flash Player.
Google, which has provided Flash Player with its Chrome browser for more than two years, has never had a problem keeping up with Adobe's here-and-there patching. In some instances, Google has actually beaten Adobe to the patch punch by shipping a Chrome update hours or even days, before Adobe releases fixed plug-ins for other browsers.
Microsoft will deliver the Flash Player update for IE10 on Windows 8 via Windows Update, as well as through Windows Server Update Services (WSUS).
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.
- Chinese officials seize Microsoft PCs, emails, financial info in antitrust probe
- Yosemite's traffic share triples after public beta debuts
- Consumer Office 365 tops a half-billion dollars in annual revenue run-rate
- Apple hasn't exhausted its supply of Yosemite betas
- Microsoft wants you to forget Windows 8
- Microsoft again writes off Surface inventory, renews profitability doubts
- Lenovo spins 180, says it's still in the 8-in. Windows tablet game
- Google starts work on Chrome bug that slurps Windows laptop juice
- Surface survives Microsoft cuts, but tablet strategy remains muddled
- Why Microsoft isn't spooked by the Apple-IBM alliance
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- Fight Malware, Malfeasance and Malingering Every year brings more extreme sets of threats than the last. The good news is that there are a range of mitigation options....
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to...
- Will the Real Endpoint Threat Detection and Response Please Stand Up? This webinar explores new technologies & process for protecting endpoints from advanced attackers as well as the innovations that are pushing the envelope... All Malware and Vulnerabilities White Papers | Webcasts