Microsoft backpedals, promises to patch Windows 8's Flash 'shortly'
Security expert wonders why Microsoft dropped the ball
Computerworld - Microsoft today said it would update Flash on Windows 8 "shortly," although it declined to set a timetable.
"In light of Adobe's recently released security updates for its Flash Player, Microsoft is working closely with Adobe to release an update for Adobe Flash in IE10 to protect our mutual customers," Yunsun Wee, director of the company's Trustworthy Computing Group, said in a Tuesday statement. "This update will be available shortly."
Microsoft's promise to quickly deliver a Flash security update for Windows 8's version of Internet Explorer 10 (IE10) was a turn-about from its stance last week, when the firm said it didn't plan on patching Flash Player until late October.
Long-time Windows blogger Ed Bott first reported Microsoft's change of heart.
Microsoft, not Adobe, is responsible for patching Flash Player in Windows 8 because the company took a page from Google's playbook and integrated the popular media software with IE10, the new operating system's browser. Microsoft announced that move in late May, when its top IE executive, Dean Hachamovitch, said, "By updating Flash through Windows Update, like IE, we make security more convenient for customers."
Convenient, perhaps. But even before the official launch of Windows 8, Microsoft fell behind Adobe in its Flash patching.
Windows 8 RTM, the Aug. 1 milestone designating finished code, did not include two Flash Player updates that Adobe shipped last month. Those updates patched eight vulnerabilities, one of which -- tagged as CVE-2012-1535 -- was already being exploited by hackers. An elite hacker gang uncovered by Symantec last week had been among those compromising Windows PCs using the Flash bug.
On Tuesday, Windows 8 RTM's IE10 continued to identify the integrated Flash Player as version 11.3.372.94, which lacks the Adobe fixes of last month, showing that Microsoft has not silently patched the problem.
One security professional took Microsoft to task for poor patch management.
"You would have thought that Microsoft would have had this all planned out previously," said Andrew Storms, director of security operations, in an interview over instant messaging today. "Now, it's like an afterthought."
Saying that the snafu over Flash was "very unlike them," meaning Microsoft's security team, Storms was puzzled at the dropped ball. "It's almost as if it was an entirely different team from the security group that made this -- or forgot -- this arrangement," he said.
Microsoft's Wee did say that the company hoped to do better in the future. "Ultimately, our goal is to make sure the Flash Player in Windows 8 is always secure and up-to-date, and to align our release schedule as closely to Adobe's as possible," she said.
That may be difficult. While Microsoft has a monthly patching schedule -- today, in fact, is September's Patch Tuesday -- Adobe does not adhere to any set patching schedule for Flash Player.
Google, which has provided Flash Player with its Chrome browser for more than two years, has never had a problem keeping up with Adobe's here-and-there patching. In some instances, Google has actually beaten Adobe to the patch punch by shipping a Chrome update hours or even days, before Adobe releases fixed plug-ins for other browsers.
Microsoft will deliver the Flash Player update for IE10 on Windows 8 via Windows Update, as well as through Windows Server Update Services (WSUS).
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.
- Perspective: Microsoft risks security reputation ruin by retiring XP
- Microsoft plans to patch critical under-attack IE bug next week
- Microsoft reaches RTM milestone for Windows 8.1 update
- OS upgrades: Cheap is better than pricey, free is better than cheap
- No special treatment for China on XP, patches end April 8 in the PRC, too
- Microsoft ships Office 2013 SP1 the old-fashioned way
- Microsoft's 'go-low' play puts Windows revenue on the line
- Steven J. Vaughan-Nichols: Windows 7 lives!
- Users mock Microsoft for asking their help on XP-to-Windows 8.1 upgrades
- Microsoft concedes Windows 8.1 needs more for mouse, keyboard customers
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- Is Your Big Data Solution Production-Ready? Read "Is Your Big Data Solution Production-Ready?" now, and discover best practices and actionable steps to implementing a production-ready big data solution.
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Malware and Vulnerabilities White Papers | Webcasts