Skip the navigation

Adobe, now 'married' to Microsoft, moves Flash updates to Patch Tuesday

November 7, 2012 07:02 AM ET

"The new Adobe timing is to accommodate the typical Patch Tuesday release schedule for Windows, which enterprise customers depend upon," Kandek said.

What was a surprise, Storms said, was that it took this long for Microsoft and Adobe to sync security releases, particularly after the backpedaling by Microsoft in September. "That was a clear sign that despite the executive decision to put Flash in IE10, nobody considered the ramifications," Storms said. "Sadly, the people left holding the bag were Microsoft users on their brand new Windows 8 platform."

In hindsight, Storms was right: If there was one company destined to ride Patch Tuesday's coattails, it was Adobe, which has adopted Microsoft's security coding practices and used some of its anti-exploit "sandboxing" technologies in its Reader and Flash.

Microsoft declined to answer questions about Adobe's decision, including whether Microsoft had pressed its partner to make the call. Instead, the company issued a statement attributed to Dave Forstrom, a director in the firm's Trustworthy Computing group, that said, "Our customers tell us that they strongly prefer a predictable cadence of security-update releases, and we aim to honor that preference."

While Adobe characterized the decision as one of convenience and predictability for users rather than a security improvement, Kandek saw it slightly different.

"Releasing scheduled Adobe Flash updates any other time would force Microsoft to make their IE10 updates out-of-band, as they would want to maintain a close interval between Flash release and IE10 release," Kandek said.

If Microsoft was unwilling or unable to ship emergency updates for IE10, Windows 8 and Windows RT users would be vulnerable to quick-strike Flash exploits, potentially for weeks.

Adobe's Tuesday update patched seven vulnerabilities, all which could be used by hackers to hijack Windows PCs, Macs and machines running Linux. Engineers in Google's security team, as they often do, reported the seven to Adobe.

Microsoft updated IE10 on Windows 8 and Windows RT on Tuesday, making it the second time in a row that the company shipped patches the same day Adobe refreshed Flash.

Google, which has been bundling Flash with its Chrome browser for over two years, also updated its browser to include the patched version of the media player.

IE10 on Windows 7, which Microsoft has pledged to release as a preview by mid-November, will not include an integrated version of Flash, but will rely on the traditional plug-in. Still, it will, like other browsers, receive future updates on Patch Tuesday.

Adobe also said that it would, if necessary, issue emergency updates outside Microsoft's schedule to quash "zero-day" bugs.

Windows 8 and Windows RT users can obtain today's Flash update for IE10 via the Windows Update service, while others can either download the revised plug-in from Adobe's website or use the Flash updating tool.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at Twitter@gkeizer, or subscribe to Gregg's RSS feed Keizer RSS. His e-mail address is gkeizer@ix.netcom.com.

Read more about Security in Computerworld's Security Topic Center.



Our Commenting Policies
Internet of Things: Get the latest!
Internet of Things

Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!