Adobe, now 'married' to Microsoft, moves Flash updates to Patch Tuesday
"The new Adobe timing is to accommodate the typical Patch Tuesday release schedule for Windows, which enterprise customers depend upon," Kandek said.
What was a surprise, Storms said, was that it took this long for Microsoft and Adobe to sync security releases, particularly after the backpedaling by Microsoft in September. "That was a clear sign that despite the executive decision to put Flash in IE10, nobody considered the ramifications," Storms said. "Sadly, the people left holding the bag were Microsoft users on their brand new Windows 8 platform."
In hindsight, Storms was right: If there was one company destined to ride Patch Tuesday's coattails, it was Adobe, which has adopted Microsoft's security coding practices and used some of its anti-exploit "sandboxing" technologies in its Reader and Flash.
Microsoft declined to answer questions about Adobe's decision, including whether Microsoft had pressed its partner to make the call. Instead, the company issued a statement attributed to Dave Forstrom, a director in the firm's Trustworthy Computing group, that said, "Our customers tell us that they strongly prefer a predictable cadence of security-update releases, and we aim to honor that preference."
While Adobe characterized the decision as one of convenience and predictability for users rather than a security improvement, Kandek saw it slightly different.
"Releasing scheduled Adobe Flash updates any other time would force Microsoft to make their IE10 updates out-of-band, as they would want to maintain a close interval between Flash release and IE10 release," Kandek said.
If Microsoft was unwilling or unable to ship emergency updates for IE10, Windows 8 and Windows RT users would be vulnerable to quick-strike Flash exploits, potentially for weeks.
Adobe's Tuesday update patched seven vulnerabilities, all which could be used by hackers to hijack Windows PCs, Macs and machines running Linux. Engineers in Google's security team, as they often do, reported the seven to Adobe.
Microsoft updated IE10 on Windows 8 and Windows RT on Tuesday, making it the second time in a row that the company shipped patches the same day Adobe refreshed Flash.
Google, which has been bundling Flash with its Chrome browser for over two years, also updated its browser to include the patched version of the media player.
IE10 on Windows 7, which Microsoft has pledged to release as a preview by mid-November, will not include an integrated version of Flash, but will rely on the traditional plug-in. Still, it will, like other browsers, receive future updates on Patch Tuesday.
Adobe also said that it would, if necessary, issue emergency updates outside Microsoft's schedule to quash "zero-day" bugs.
Windows 8 and Windows RT users can obtain today's Flash update for IE10 via the Windows Update service, while others can either download the revised plug-in from Adobe's website or use the Flash updating tool.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
- Researcher claims two hacker gangs exploiting unpatched IE bug
- Update: Third of Internet Explorer users at risk from attacks
- Microsoft plans another short patch slate for next week, but finds a few XP bugs to crush
- Target attack shows danger of remotely accessible HVAC systems
- Target hackers try new ways to use stolen card data
- Update: Microsoft to patch just-revealed Windows zero-day tomorrow
- NSA spying prompts open TrueCrypt encryption software audit to go viral
- Microsoft warns of Office zero-day, active hacker exploits
- Hackers move to create next Blackhole after 'Paunch' arrest
- Adobe hack shows subscription software vendors lucrative targets
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Gartner Report: A Guide to Gartner's Enterprise Mobile Security Self-Assessment Gartner introduces a model and a Toolkit intended to help mobility and security IT leaders assess their enterprise mobility programs from a security...
- Gartner Report: Containing Mobile Security Risks With the 80/20 Rule IT planners can deliver better mobile protection with higher user satisfaction by segmenting users into risk groups before committing to specific management or...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts