At the time, security experts criticized both Adobe and Microsoft for releasing unexpected updates -- Microsoft rarely deviates from its Patch Tuesday timetable -- and said those updates confused customers, especially enterprise IT staffers who rely on Microsoft's predictable schedule.
Even though the Flash updates will add more Patch Tuesday work for users, security professionals praised Adobe's change.
"Concentrating updates on a single day is a benefit for any organization that manages patch roll-outs," said Wolfgang Kandek, CTO of Qualys, in an email. "That way the update can be handled by the same decision process, which should streamline roll-outs and get Flash updates [installed] more widely."
Storms agreed. "In a few months, the Flash update will just be a regular part of the Patch Tuesday cycle," he predicted. "The move is going to force Adobe to get into a regular cycle with repeatable processes that their end users will come to recognize and appreciate."
Adobe spokeswoman Wieke Lips said her firm had "discussed both internally and coordinated with Microsoft" the move to Patch Tuesday.
Storms and Kandek suspected that Adobe's hand was forced -- whether of its own volition or at the urging of Microsoft -- when the latter decided to bundle Flash with IE10.
"The new Adobe timing is to accommodate the typical Patch Tuesday release schedule for Windows, which enterprise customers depend upon," Kandek said.
What was a surprise, Storms said, was that it took this long for Microsoft and Adobe to sync security releases, particularly after the backpedaling by Microsoft in September. "That was a clear sign that despite the executive decision to put Flash in IE10, nobody considered the ramifications," Storms said. "Sadly, the people left holding the bag were Microsoft users on their brand new Windows 8 platform."
In hindsight, Storms was right: If there was one company destined to ride Patch Tuesday's coattails, it was Adobe, which has adopted Microsoft's security coding practices and used some of its anti-exploit "sandboxing" technologies in its Reader and Flash.
Microsoft declined to answer questions about Adobe's decision, including whether Microsoft had pressed its partner to make the call. Instead, the company issued a statement attributed to Dave Forstrom, a director in the firm's Trustworthy Computing group, that said, "Our customers tell us that they strongly prefer a predictable cadence of security-update releases, and we aim to honor that preference."
While Adobe characterized the decision as one of convenience and predictability for users rather than a security improvement, Kandek saw it slightly different.