Surprise! Microsoft issues Flash patches for Internet Explorer, Edge

After announcing last week that February's patches would be delayed until March, Microsoft alerts large customers that security patches are due today—but details remain sketchy

Microsoft sent an email to its largest customers on Monday, alerting them that Adobe Flash Player patches for Internet Explorer and Edge will be coming today. Apparently Microsoft’s announcement last week that it would delay February patches until March 14 didn’t tell the whole story.

Yesterday’s email says in part:

Microsoft is planning to release security updates for Adobe Flash Player. These updates will be offered to the following operating systems: Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016 ...

No other security updates are scheduled for release until the next scheduled monthly update release on March 14, 2017. 

These Flash patches are important for those who still use Flash with IE or Edge. There must be three of you, somewhere. For those who don’t use Flash—or who only use Flash from inside Chrome or Firefox or a different browser—the fixes aren’t important.

This is a particularly odd situation. The bundled Windows 7 and 8.1 “patchocalypse” patching method has been amended, with Microsoft declaring last month that starting in February, IE patches won’t be included with the monthly Win7 and 8.1 security-only patch:

Starting with February 2017, the Security Only update will not include updates for Internet Explorer, and the Internet Explorer update will again be available as a separate update for the operating systems listed above.

Of course, we didn’t have a security-only patch in February. In fact, we didn’t have any security patches in February.

With Internet Explorer patches yanked out of the Win7 and 8.1 security-only patches, it’s hard to guess what form these new Win7 and 8.1 patches will take. Adding to the confusion: Microsoft needs to patch Windows Server 2012, which is still stuck on IE10. Perhaps we’ll see a return to the old KB patches for IE10 and 11? Will there be Security Bulletins tying all of this together?

The Windows 10 situation is even more obtuse. We have two dangling Win10 hotfix patches – 14393.726 and 14393.729 – which, much to Microsoft’s credit, were released and fully documented but not rolled out through the Win10 Automatic Update chute. Will the IE11 and Edge patches for the various versions of Win10 take the form of a cumulative update? And if so, will that cumulative update be issued as a hotfix or will it be pushed onto all Win10 PCs? Will the fix go to 1507 and 1511 systems, in addition to the latest version, 1607?

Microsoft hasn’t released corresponding hotfixes for Win10 1507 and 1511. If this patch goes out to 1507 and 1511 PCs, will the analogous hotfixes be issued for those versions?

Microsoft has woven a tangled web. Its move to bunch together all patches on all versions of Windows—and its subsequent backtracking to accommodate well-founded complaints—increases the complexity enormously. Bunched patches may be part of a “cloud first” future, but they’re hell to install and manage.

There’s one point that sticks in my craw: All of this was foreseeable. Adobe has always released its patches on Patch Tuesday, and Microsoft always has to roll those patches into IE11 and Edge. Didn’t somebody see this train wreck coming?

Copyright © 2017 IDG Communications, Inc.
