Microsoft backpedals, promises to patch Windows 8's Flash 'shortly'
Security expert wonders why Microsoft dropped the ball
Computerworld - Microsoft today said it would update Flash on Windows 8 "shortly," although it declined to set a timetable.
"In light of Adobe's recently released security updates for its Flash Player, Microsoft is working closely with Adobe to release an update for Adobe Flash in IE10 to protect our mutual customers," Yunsun Wee, director of the company's Trustworthy Computing Group, said in a Tuesday statement. "This update will be available shortly."
Microsoft's promise to quickly deliver a Flash security update for Windows 8's version of Internet Explorer 10 (IE10) was a turn-about from its stance last week, when the firm said it didn't plan on patching Flash Player until late October.
Long-time Windows blogger Ed Bott first reported Microsoft's change of heart.
Microsoft, not Adobe, is responsible for patching Flash Player in Windows 8 because the company took a page from Google's playbook and integrated the popular media software with IE10, the new operating system's browser. Microsoft announced that move in late May, when its top IE executive, Dean Hachamovitch, said, "By updating Flash through Windows Update, like IE, we make security more convenient for customers."
Convenient, perhaps. But even before the official launch of Windows 8, Microsoft fell behind Adobe in its Flash patching.
Windows 8 RTM, the Aug. 1 milestone designating finished code, did not include two Flash Player updates that Adobe shipped last month. Those updates patched eight vulnerabilities, one of which -- tagged as CVE-2012-1535 -- was already being exploited by hackers. An elite hacker gang uncovered by Symantec last week had been among those compromising Windows PCs using the Flash bug.
On Tuesday, Windows 8 RTM's IE10 continued to identify the integrated Flash Player as version 11.3.372.94, which lacks the Adobe fixes of last month, showing that Microsoft has not silently patched the problem.
One security professional took Microsoft to task for poor patch management.
"You would have thought that Microsoft would have had this all planned out previously," said Andrew Storms, director of security operations, in an interview over instant messaging today. "Now, it's like an afterthought."
Saying that the snafu over Flash was "very unlike them," meaning Microsoft's security team, Storms was puzzled at the dropped ball. "It's almost as if it was an entirely different team from the security group that made this -- or forgot -- this arrangement," he said.
Microsoft's Wee did say that the company hoped to do better in the future. "Ultimately, our goal is to make sure the Flash Player in Windows 8 is always secure and up-to-date, and to align our release schedule as closely to Adobe's as possible," she said.
That may be difficult. While Microsoft has a monthly patching schedule -- today, in fact, is September's Patch Tuesday -- Adobe does not adhere to any set patching schedule for Flash Player.
Google, which has provided Flash Player with its Chrome browser for more than two years, has never had a problem keeping up with Adobe's here-and-there patching. In some instances, Google has actually beaten Adobe to the patch punch by shipping a Chrome update hours, or even days, before Adobe releases fixed plug-ins for other browsers.
Microsoft will deliver the Flash Player update for IE10 on Windows 8 via Windows Update, as well as through Windows Server Update Services (WSUS).
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is email@example.com.