Microsoft backpedals, promises to patch Windows 8's Flash 'shortly'
Security expert wonders why Microsoft dropped the ball
Computerworld - Microsoft today said it would update Flash on Windows 8 "shortly," although it declined to set a timetable.
"In light of Adobe's recently released security updates for its Flash Player, Microsoft is working closely with Adobe to release an update for Adobe Flash in IE10 to protect our mutual customers," Yunsun Wee, director of the company's Trustworthy Computing Group, said in a Tuesday statement. "This update will be available shortly."
Microsoft's promise to quickly deliver a Flash security update for Windows 8's version of Internet Explorer 10 (IE10) was a turn-about from its stance last week, when the firm said it didn't plan on patching Flash Player until late October.
Long-time Windows blogger Ed Bott first reported Microsoft's change of heart.
Microsoft, not Adobe, is responsible for patching Flash Player in Windows 8 because the company took a page from Google's playbook and integrated the popular media software with IE10, the new operating system's browser. Microsoft announced that move in late May, when its top IE executive, Dean Hachamovitch, said, "By updating Flash through Windows Update, like IE, we make security more convenient for customers."
Convenient, perhaps. But even before the official launch of Windows 8, Microsoft fell behind Adobe in its Flash patching.
Windows 8 RTM, the Aug. 1 milestone designating finished code, did not include two Flash Player updates that Adobe shipped last month. Those updates patched eight vulnerabilities, one of which -- tagged as CVE-2012-1535 -- was already being exploited by hackers. An elite hacker gang uncovered by Symantec last week had been among those compromising Windows PCs using the Flash bug.
On Tuesday, Windows 8 RTM's IE10 continued to identify the integrated Flash Player as version 11.3.372.94, which lacks the Adobe fixes of last month, showing that Microsoft has not silently patched the problem.
One security professional took Microsoft to task for poor patch management.
"You would have thought that Microsoft would have had this all planned out previously," said Andrew Storms, director of security operations, in an interview over instant messaging today. "Now, it's like an afterthought."
Saying that the snafu over Flash was "very unlike them," meaning Microsoft's security team, Storms was puzzled at the dropped ball. "It's almost as if it was an entirely different team from the security group that made this -- or forgot -- this arrangement," he said.
Microsoft's Wee did say that the company hoped to do better in the future. "Ultimately, our goal is to make sure the Flash Player in Windows 8 is always secure and up-to-date, and to align our release schedule as closely to Adobe's as possible," she said.
That may be difficult. While Microsoft has a monthly patching schedule -- today, in fact, is September's Patch Tuesday -- Adobe does not adhere to any set patching schedule for Flash Player.
Google, which has provided Flash Player with its Chrome browser for more than two years, has never had a problem keeping up with Adobe's here-and-there patching. In some instances, Google has actually beaten Adobe to the patch punch by shipping a Chrome update hours or even days, before Adobe releases fixed plug-ins for other browsers.
Microsoft will deliver the Flash Player update for IE10 on Windows 8 via Windows Update, as well as through Windows Server Update Services (WSUS).
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is email@example.com.
- Windows' new normal shows software-as-a-service ambitions
- Microsoft extends Windows 8.1 Update migration deadline for business
- Microsoft puts the squeeze on Windows to shoehorn it into 16GB devices
- Google quashes 31 vulnerabilities, restores Metro mode 'steppers' with Chrome 34
- Microsoft drags customers 'kicking and screaming' into its world of faster updates
- Windows 8.1 Update deep-dive review: An OS that makes more sense
- Microsoft suspends Windows 8.1 Update release to businesses
- Windows 8.1 Update arrives today
- Microsoft requires migration to Windows 8.1 Update within 5 weeks
- FAQ: Good-bye old pal, old paint, Windows XP
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Why You Need a Next-Generation Firewall This white paper explores the reasons for implementing next-generation (NG) firewalls and lays out a path to success for overburdened IT organizations.
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users? All Malware and Vulnerabilities White Papers | Webcasts