Adobe and Microsoft release Flash security updates in sync

Summary: Adobe today announced the release of a major security update for its Flash Player and Air software. Microsoft delivered its version of that patch roughly an hour later, significantly improving on its embarrassingly late performance last month.

Adobe today announced the release of a set of security updates for its Flash Player software on "all platforms." But the list as initially published this morning was notably missing any discussion of the Flash Player software included in Internet Explorer 10 on Windows 8.

An hour or so later, the reason for that omission became clear, as Microsoft announced the availability of a corresponding update for IE 10.

Adobe's updates are described in Security Bulletin APSB12-22. The fixes cover 25 separate vulnerability disclosures.

The Microsoft update is Security Advisory 2755801, which in turn references a support document covering "vulnerabilities in Adobe Flash Player in Internet Explorer 10 (KB2758994)."

Microsoft's announcements appeared unexpectedly on its Security updates and tools page, where the Flash Player update for Windows 8 for x64-based systems is now available (the x86 version is here). Additional updates are available for Windows Server 2012. For the Windows 8 Release Preview, an x86 update and an x64 update are available.

The IE 10 announcement appeared on the Microsoft Security Response Center Blog, in a blog post by Yunsun Wee, director of Microsoft Trustworthy Computing:

Today we revised Security Advisory 2755801 to address issues in Adobe Flash Player in Internet Explorer 10, in conjunction with Adobe’s update process. Customers who have automatic updates enabled will not need to take any action because protections will be downloaded and installed automatically. Customers who do not use automatic updates should apply the guidance in the advisory immediately using update management software, or by checking the Microsoft Update service, to help ensure protection.

We remain committed to taking the appropriate actions to help protect customers and will continue to work closely with Adobe to deliver quality protections that are aligned with Adobe’s update process.

Adobe's bulletin lists supported platforms individually. Adobe recommends that Windows and Mac users check the Flash version (bookmark this test page). If you are running the following versions or earlier, you are vulnerable and need to update:

  • Adobe Flash Player 11.4.402.278 and earlier versions for Windows versions other than Windows 8
  • Adobe Flash Player 11.4.402.265 and earlier versions for Macintosh

After applying this security update, the correct version for both platforms should be Adobe Flash Player 11.4.402.287.

Adobe has since updated its security bulletin to include this line: "Flash Player installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 11.3.375.10 for Windows." (Yes, that number is correct; it's out of sync with the other Windows versions.)

Adobe also recommends that users of Adobe AIR 3.4.0.2540 for Windows and Macintosh update to Adobe AIR 3.4.0.2710.

Adobe’s notes specifically cover Google Chrome, which includes Flash as a component. The latest Google Chrome version, which will be available through Google’s auto-updater, will include Adobe Flash Player 11.4.31.110 for Windows and Linux, and Flash Player 11.4.402.287 for Macintosh. (Yes, that’s correct; the Chrome version number also doesn’t sync with the Adobe-released version.)

As of this morning, the current stable version of Chrome included the outdated and insecure Flash Player 11.3.31.331. Likewise, the most recently announced version in the dev channel includes Flash Player 11.4.31.108, which also needs to be updated.

Update: A post this morning on the Google Chrome Releases blog announced the release to the Stable channel of Chrome 22.0.1229.92, which includes the necessary security fixes.

The bulletin also includes details on Flash updates for Linux and Android-based devices.

Internet Explorer 10 in Windows 8 resembles Chrome in that it includes Flash Player as a built-in component. In fact, Adobe's security bulletin should include an asterisk in its discussion of Windows, because that version number only applies to the ActiveX component and plugin version for Internet Explorer 9 and earlier versions.
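Because the patched build number differs by delivery channel, a patch-compliance check has to compare each installation against the baseline for its own channel. The following is an added example, not code from Adobe, Microsoft or this article; the platform/channel labels and host names are assumptions, and the inventory is constructed from version numbers quoted above.

```python
# Patched Flash Player build per (platform, channel), taken from the article text.
# The platform/channel labels are this example's own naming, not Adobe's.
FIXED = {
    ("windows", "plugin"): "11.4.402.287",  # ActiveX/plugin, Windows other than Windows 8
    ("mac", "plugin"): "11.4.402.287",
    ("windows8", "ie10"): "11.3.375.10",    # built into IE 10, serviced by Windows Update
    ("windows", "chrome"): "11.4.31.110",   # bundled with Chrome
    ("linux", "chrome"): "11.4.31.110",
    ("mac", "chrome"): "11.4.402.287",
}

def parse(version):
    """Turn 'a.b.c.d' into a tuple of ints so each field compares numerically."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part version: {version!r}")
    return tuple(int(p) for p in parts)

def assess(platform, channel, version):
    """Compare an installed build with the fixed build for its own channel."""
    fixed = FIXED.get((platform.lower(), channel.lower()))
    if fixed is None:
        return "unknown-channel"  # no baseline quoted on the page; do not guess
    try:
        return "patched" if parse(version) >= parse(fixed) else "vulnerable"
    except ValueError:
        return "unparseable"

def naive_assess(version):
    """The tempting shortcut: one baseline (the plugin build) for every channel."""
    return "patched" if parse(version) >= parse("11.4.402.287") else "vulnerable"

# Constructed inventory: host names are made up, versions are ones quoted above.
INVENTORY = [
    ("ws-01", "windows", "plugin", "11.4.402.278"),
    ("ws-02", "windows", "chrome", "11.3.31.331"),
    ("ws-03", "windows", "chrome", "11.4.31.110"),
    ("ws-04", "windows8", "ie10", "11.3.375.10"),
    ("mac-01", "mac", "plugin", "11.4.402.287"),
]

def misjudged(inventory):
    """Hosts where the single-baseline shortcut disagrees with the per-channel check."""
    return [h for h, p, c, v in inventory
            if assess(p, c, v) in ("patched", "vulnerable")
            and assess(p, c, v) != naive_assess(v)]

if __name__ == "__main__":
    for host, p, c, v in INVENTORY:
        print(host, p, c, v, assess(p, c, v), "(naive: %s)" % naive_assess(v))
```

With this inventory, the single-baseline shortcut reports the fully patched Chrome and IE 10 hosts as vulnerable, which is the kind of false alarm the out-of-sync numbering produces.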

Vulnerabilities in Adobe's nearly ubiquitous Flash Player have long been a serious security problem for Windows users. Third-party plugins of this type can be used to attack Macs as well, as illustrated by this year's Flashback outbreak (which used Java exploits).

Microsoft took an uncharacteristically long time—exactly one month—to incorporate Adobe’s last Flash security fixes into IE 10. And even that schedule was accelerated.

After that embarrassing delay, Microsoft said it intended to do much better next time:

We recognize there has been some discussion about our update process as it relates to Adobe Flash Player. Microsoft is committed to taking the appropriate actions to help protect our customers and we are working closely with Adobe to deliver quality protections that are aligned with Adobe’s update process.

Microsoft’s commitment in that announcement was that customers could “expect the following … with respect to Adobe Flash Player in Internet Explorer 10”:

  • On a quarterly basis when Adobe normally issues Flash Player updates, we will coordinate on disclosure and release timing.
  • When the threat landscape requires action outside of Adobe’s normal update cadence, we will also work to align our release schedules. For example, this may mean that in some cases we will issue updates outside of our regular monthly security bulletin release.

Today’s announcement from Adobe comes one day before Microsoft’s regularly scheduled Patch Tuesday, when it releases security updates. The advance notification list published last week did not appear to include this update. This Flash update will be installed automatically using the default Windows Update settings on Windows 8.


Talkback

19 comments
  • I think we will see more of joint effort in releasing the patches

    and Updates for Adobe Flash and AIR in future. It looks like both Microsoft and Adobe are getting into the groove of releasing Flash for IE10 in a synchronous way.
    Ram U
    • It's a dance as graceful as two elephants

      and it will never get any better than this with an endless patching of serious holes.
      Flash should be dying btw, just like desktop Windows.
      Mikael_z
      • Yet IE has fewer vulnerabilities than Chrome and (especially) Firefox

        Have been like that for years now. By your logic Chrome and Firefox should die too. Great plan.
        honeymonster
      • When did patching become a bad thing?

        Or would you rather software continue to have security problems and bugs?
        Michael Alan Goff
        • Read the comment he's (honeymonster's) replying to

          'nough said
          MrElectrifyer
  • It is already

    Available using Windows update AND it has been pushed to my WSUS server as well, which is a bit odd considering patch Tuesday is tomorrow. Out of band or so it seems.
    sjaak327
  • Adobe and Microsoft release Flash security updates in sync

    Let's see if this improves the security and update period for Flash. Maybe Microsoft knocked some sense into them and showed them the proper way to do patching and how long it should take to update.
    Loverock Davidson-
  • Version

    Windows should be 11.4.402.287
    sandmich
  • Adobe

    Thanks for the Heads Up, Ed... Went right in "withouta" hitch!!! Now I will check back in later to see all of the negative comments I am sure you will be getting!!!! By the way, the link you provided was great!!!
    puppadave
  • Boo, restart

    "In some cases, this update does not require a restart. If the required files are being used, this update will require a restart. If this behavior occurs, you receive a message that advises you to restart."

    This is really silly, since I never recall Adobe's installer needing a restart, so thanks MS for forcing us to use yours. Last month's MS Flash update didn't need a restart here, but this one does. IE wasn't open either time. I guess this is going to be a random thing. Or perhaps I'll have to start killing Explore.exe's and running the manual installer from Task Manager to avoid a restart.
    rseiler
    • The horror !

      This one indeed needed a restart, hardly the end of the world, maybe it would have been better for Microsoft to have waited one day, so that this update would have been part of the patch tuesday patches, which probably requires a restart anyway.

      But again, hardly the end of the world.
      sjaak327
    • Adobe Flash update and restarts

      It has not happened often, but a few Flash updates this year required a restart on my Win 7 x64 based system.
      docqualizer
  • Yet Another Flash Vulnerability

    When is flash going to die and free us all from this almost daily barrage of slack code patching.
    Alan Smithie
  • Perfect timing.

    I just added the Adobe stuff to my WSUS using Local Update Publisher last Friday and up till this morning my entire corporate network was finally up to date. Here we go again.
    PepperdotNet
  • I think

    I think it's silly that MS has to clean up after such crapware.
    NoAxToGrind
  • Wow. You need to think real hard to figure this out.

    I have version 11.4.402.265, but I need version 11.4.402.287 (unless of course, I'm running IE10 on Win8, in which case I'd need version 11.3.375.10).

    I'm going to enjoy explaining this to my father-in-law when he asks. What happens on Thursday, when I'm going to need version 11.4.402.291 or next week when it will be 11.4.402.312? And, it needs a reboot??

    Adobe really needs to get their house in order.
    Flydog57
  • Just in time for the Official Windows 8 release

    Seems like they worked up the update kinks just in time for the Retail/Consumer release.
    bobiroc
  • built-in OR built-out....

    the Flash player updates and their version fiasco looks extremely untidy....
    sreesiv
  • surprise!!

    flash update has a surprise built in. extra third party apps get installed as part of the flash update. do these guys never learn? even microsoft has figured out not to do that.
    lkujala