Microsoft backpedals, promises to patch Windows 8's Flash 'shortly'
Security expert wonders why Microsoft dropped the ball
Microsoft today said it would update Flash on Windows 8 "shortly," although it declined to set a timetable.
"In light of Adobe's recently released security updates for its Flash Player, Microsoft is working closely with Adobe to release an update for Adobe Flash in IE10 to protect our mutual customers," Yunsun Wee, director of the company's Trustworthy Computing Group, said in a Tuesday statement. "This update will be available shortly."
Microsoft's promise to quickly deliver a Flash security update for Windows 8's version of Internet Explorer 10 (IE10) was a turn-about from its stance last week, when the firm said it didn't plan on patching Flash Player until late October.
Long-time Windows blogger Ed Bott first reported Microsoft's change of heart.
Microsoft, not Adobe, is responsible for patching Flash Player in Windows 8 because the company took a page from Google's playbook and integrated the popular media software with IE10, the new operating system's browser. Microsoft announced that move in late May, when its top IE executive, Dean Hachamovitch, said, "By updating Flash through Windows Update, like IE, we make security more convenient for customers."
Convenient, perhaps. But even before the official launch of Windows 8, Microsoft fell behind Adobe in its Flash patching.
Windows 8 RTM, the Aug. 1 milestone designating finished code, did not include two Flash Player updates that Adobe shipped last month. Those updates patched eight vulnerabilities, one of which -- tagged as CVE-2012-1535 -- was already being exploited by hackers. An elite hacker gang uncovered by Symantec last week had been among those compromising Windows PCs using the Flash bug.
On Tuesday, Windows 8 RTM's IE10 continued to identify the integrated Flash Player as version 11.3.372.94, which lacks the Adobe fixes of last month, showing that Microsoft has not silently patched the problem.
One security professional took Microsoft to task for poor patch management.
"You would have thought that Microsoft would have had this all planned out previously," said Andrew Storms, director of security operations, in an interview over instant messaging today. "Now, it's like an afterthought."
Saying that the snafu over Flash was "very unlike them," meaning Microsoft's security team, Storms was puzzled at the dropped ball. "It's almost as if it was an entirely different team from the security group that made this -- or forgot -- this arrangement," he said.
Microsoft's Wee did say that the company hoped to do better in the future. "Ultimately, our goal is to make sure the Flash Player in Windows 8 is always secure and up-to-date, and to align our release schedule as closely to Adobe's as possible," she said.
That may be difficult. While Microsoft has a monthly patching schedule -- today, in fact, is September's Patch Tuesday -- Adobe does not adhere to any set patching schedule for Flash Player.
Google, which has provided Flash Player with its Chrome browser for more than two years, has never had a problem keeping up with Adobe's here-and-there patching. In some instances, Google has actually beaten Adobe to the patch punch by shipping a Chrome update hours or even days, before Adobe releases fixed plug-ins for other browsers.
Microsoft will deliver the Flash Player update for IE10 on Windows 8 via Windows Update, as well as through Windows Server Update Services (WSUS).
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is firstname.lastname@example.org.
Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.