Microsoft patches critical Flash bugs in Windows 8
Updates IE10's integrated Flash Player with fixes to block ongoing hacker attacks
Computerworld - Microsoft on Friday updated Flash on Windows 8 to protect IE10 users from attacks that may have started months ago.
More than a week before, Microsoft had backed away from an earlier position that held it would not patch Flash until late October. Instead, the company promised to update the media player "shortly."
Microsoft, not Adobe, is responsible for patching Flash Player in Windows 8 because the company mimicked Google's Chrome by building the software into IE10, the new operating system's browser. Microsoft announced that move in late May, when its top IE executive, Dean Hachamovitch, said, "By updating Flash through Windows Update, like IE, we make security more convenient for customers."
But the Redmond, Wash. developer ran into trouble from the get-go. Although Adobe shipped a pair of security updates in August that patched eight vulnerabilities, Windows 8 RTM, the finished code that began reaching users that same month, lacked those fixes.
One of the eight Flash bugs has been exploited by hackers, perhaps for months. An elite hacker gang known for finding and leveraging unpatched vulnerabilities has been among those hijacking Windows PCs with the flaw.
Friday's Flash update will be offered to Windows 8 RTM, and to the final public beta, Windows 8 Release Preview. That sneak peak, which users downloaded free of charge, does not expire until Jan. 31, 2013.
Computerworld confirmed that the update boosted IE10's Flash Player to version 11.3.374.7 on Windows 8 RTM. On Friday, Adobe confirmed that that edition contained the patches for the eight vulnerabilities it patched Aug. 14 and Aug. 21.
Yunsun Wee, director of Microsoft's Trustworthy Computing team, also clarified how the company will treat future Flash updates for IE10 in Windows 8.
"On a quarterly basis when Adobe normally issues Flash Player updates, we will coordinate on disclosure and release timing," pledged Wee.
Her reference to an Adobe quarterly Flash schedule was odd; although Adobe tries to adhere to an regular cadence for Adobe Reader -- not always successfully -- it has never set something similar for Flash Player.
Thus far during 2012, in fact, Adobe has issued seven Flash updates: One in February; two in March; one each in May and June; and two in August. If Adobe is adopting a quarterly patch process for Flash Player, it has kept that under wraps.
Wee also admitted that Microsoft will need to deliver "out-of-band" updates -- those outside its usual monthly Patch Tuesday -- to keep IE10's and Windows 8's Flash in sync with the Flash plug-ins Adobe maintains for other browsers.
"When the threat landscape requires action outside of Adobe's normal update cadence, ...we will issue updates outside of our regular monthly security bulletin release," Wee said in a Friday post to the Microsoft Security Response Center's blog.
Those out-of-band Flash updates could quickly pile up. If Windows 8 had been available from the start of 2012, in the best circumstances Microsoft would still have had to deliver emergency Flash updates in February, March and August.
Even then, Microsoft would have had to hustle to work the other four Flash updates into its next Patch Tuesday: In one instance, Flash was updated on Patch Tuesday, while in two others, Microsoft would have had just four days to prepare. The fourth Flash update was released eight days before the next Patch Tuesday.
More information on the Flash Update to IE10 and Windows 8 can be found in Microsoft's security advisory.
Windows 8 users can obtain the Flash update via the Windows Update service, as well as through the enterprise-grade WSUS (Windows Server Update Services).
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.
- Russian credential theft shows why the password is dead
- Cybersecurity should be professionalized
- Feds declare big win over Cryptolocker ransomware
- Hackers hit more businesses through remote access accounts
- P.F. Chang's post-breach move to manual processing is telling
- Microsoft withholds monster IE update from Windows 8.1 dawdlers
- In baffling move, TrueCrypt open-source crypto project shuts down
- 'Oleg Pliss' hack makes for a perfect teachable IT moment
- Give IE the heave-ho until Microsoft patches zero-day
- Hackers find first post-retirement Windows XP-related vulnerability
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- Deep Security +VMware vSphere with Operations Management Most midsize organizations are highly virtualized on VMware, and while this has produced significant savings, it also has created new challenges when it...
- 3 Questions to Ask Your DNS Host about Lowering DDoS Risks Neustar has had wide-ranging conversations with clients wanting to know how they can optimize protection as DDoS attacks increase in frequency and size.
- The Danger Deepens: 2014 Neustar Annual DDoS Attacks and Impact Report This report compares DDoS findings from 2013 to 2012, based on a survey of 440 North American companies, including 139 businesses delivering technology...
- DDoS Infographic: How Are Attacks Evolving? For the third consecutive year, Neustar surveyed businesses across major industries to track the evolution of DDoS attacks. Are they more frequent? Larger?...
- How to Use Crowd-Sourced Threat Intelligence to Stop Malware in its Tracks Threat sharing networks have been around for a long time, however they have typically been "invitation-only", available to only large companies, or those...
- An Incident Response Playbook: From Monitoring to Operations As cyber-attacks grow more sophisticated, many organizations are investing more into incident detection and response capabilities. In this webcast, learn how to develop... All Malware and Vulnerabilities White Papers | Webcasts