Adobe, now 'married' to Microsoft, moves Flash updates to Patch Tuesday
"The new Adobe timing is to accommodate the typical Patch Tuesday release schedule for Windows, which enterprise customers depend upon," Kandek said.
What was a surprise, Storms said, was that it took this long for Microsoft and Adobe to sync security releases, particularly after the backpedaling by Microsoft in September. "That was a clear sign that despite the executive decision to put Flash in IE10, nobody considered the ramifications," Storms said. "Sadly, the people left holding the bag were Microsoft users on their brand new Windows 8 platform."
In hindsight, Storms was right: If there was one company destined to ride Patch Tuesday's coattails, it was Adobe, which has adopted Microsoft's security coding practices and used some of its anti-exploit "sandboxing" technologies in its Reader and Flash.
Microsoft declined to answer questions about Adobe's decision, including whether Microsoft had pressed its partner to make the call. Instead, the company issued a statement attributed to Dave Forstrom, a director in the firm's Trustworthy Computing group, that said, "Our customers tell us that they strongly prefer a predictable cadence of security-update releases, and we aim to honor that preference."
While Adobe characterized the decision as one of convenience and predictability for users rather than a security improvement, Kandek saw it slightly different.
"Releasing scheduled Adobe Flash updates any other time would force Microsoft to make their IE10 updates out-of-band, as they would want to maintain a close interval between Flash release and IE10 release," Kandek said.
If Microsoft was unwilling or unable to ship emergency updates for IE10, Windows 8 and Windows RT users would be vulnerable to quick-strike Flash exploits, potentially for weeks.
Adobe's Tuesday update patched seven vulnerabilities, all which could be used by hackers to hijack Windows PCs, Macs and machines running Linux. Engineers in Google's security team, as they often do, reported the seven to Adobe.
Microsoft updated IE10 on Windows 8 and Windows RT on Tuesday, making it the second time in a row that the company shipped patches the same day Adobe refreshed Flash.
Google, which has been bundling Flash with its Chrome browser for over two years, also updated its browser to include the patched version of the media player.
IE10 on Windows 7, which Microsoft has pledged to release as a preview by mid-November, will not include an integrated version of Flash, but will rely on the traditional plug-in. Still, it will, like other browsers, receive future updates on Patch Tuesday.
Adobe also said that it would, if necessary, issue emergency updates outside Microsoft's schedule to quash "zero-day" bugs.
Windows 8 and Windows RT users can obtain today's Flash update for IE10 via the Windows Update service, while others can either download the revised plug-in from Adobe's website or use the Flash updating tool.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
- Feds declare big win over Cryptolocker ransomware
- Hackers hit more businesses through remote access accounts
- P.F. Chang's post-breach move to manual processing is telling
- Microsoft withholds monster IE update from Windows 8.1 dawdlers
- In baffling move, TrueCrypt open-source crypto project shuts down
- 'Oleg Pliss' hack makes for a perfect teachable IT moment
- Give IE the heave-ho until Microsoft patches zero-day
- Hackers find first post-retirement Windows XP-related vulnerability
- Researcher claims two hacker gangs exploiting unpatched IE bug
- Update: Third of Internet Explorer users at risk from attacks
Read more about Security in Computerworld's Security Topic Center.
- EndPoint Interactive eGuide In this eGuide, Network World, Computerworld, and CIO examine two endpoint trends - BYOD and collaboration - and offer tips and advice on...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!