Flash bundled in the browser: Who owns the bugs?

Summary: Google Chrome and Microsoft Internet Explorer both bundle Adobe Flash Player. Is a vulnerability in Flash a vulnerability in the browser now?


I was surprised recently, when browsing Microsoft's list of non-security updates to products, to see a recent update to Internet Explorer in there labeled "Security Update for Internet Explorer Flash Player for Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows 8, Windows RT, and Windows Server 2012 (KB2929825)," an update I wrote about earlier. What is a "Security Update" doing in this list, as opposed to receiving a security bulletin of the type Microsoft will release tomorrow on Patch Tuesday?

It all boiled down to one question: If Microsoft and Google bundle some other product as part of theirs — specifically Adobe Flash Player — do vulnerabilities in Flash Player then become, by extension, vulnerabilities in the browser?

I think the question is more than academic (not a lot more, but more), because an organization might well treat official security bulletins with more urgency than other updates. Microsoft is in fact inconsistent in their terminology in this case. This month's Patch Tuesday Advance Notification bulletin contains the stock reference to the updates not described in actual security bulletins:

Non-Security Updates on MU, WU, and WSUS

For information about non-security releases on Windows Update and Microsoft Update, please see:

    • Microsoft Knowledge Base Article 894199: Description of Software Update Services and Windows Server Update Services changes in content. Includes all Windows content.

So the bulletin refers to the document as containing "Non-Security Updates" and yet, inside the document, the Flash update is labeled as "New security content".

Microsoft also handles Flash Player updates differently from its other security fixes. Instead of a bulletin, it publishes a single advisory, Microsoft Security Advisory (2755801) — Update for Vulnerabilities in Adobe Flash Player in Internet Explorer, and revises that one document each time. The advisory is currently at version 19.0, covering every update to the bundled Flash Player since it first shipped in Internet Explorer 10. Perhaps they do this in other cases, but I can't recall any.

But of course, this isn't a Microsoft product entirely, it's a third party product bundled with a Microsoft product. Surely that is a distinction which explains why Microsoft doesn't publish a bulletin for it, right? Once again, Microsoft is inconsistent here. Last August Microsoft issued a security bulletin for Exchange Server because of vulnerabilities in a third-party component written by Oracle: "The security update addresses the vulnerabilities by updating the affected Oracle Outside In libraries to a non-vulnerable version."

It's my understanding that the Flash Player is simply bundled with Internet Explorer, whereas the Oracle component in Exchange is compiled in as part of it. If this is the distinction, it's a distinction without a difference. Why should a customer care whether the files are compiled and/or linked in with Microsoft binaries or just along for the ride with other Microsoft binaries? In either case, the customer acquired a Microsoft product and, as part of it, got the third party component. A problem with the third party component is clearly Microsoft's responsibility.

In fact, making updates to Flash Microsoft's responsibility was the whole point of bundling it with the browser. Google Chrome was the first browser to do this, still only on Windows if I understand correctly. The idea is that Chrome is very good at updating users automatically and Flash isn't. Because keeping Flash updated is so important, Google and Microsoft now bundle it so that it will get updated through the browser's update channel.

Updates to the Flash Player actually show up first in Google Chrome. Much, I suspect, to Adobe's annoyance, Google always seems to issue the updated version of Chrome the day before Adobe releases the update to Flash. If you see a Stable Channel update to Chrome for Windows with no obvious explanation, install it and check the Flash version number and you'll see: go to chrome://flash/ in Chrome and look for the "Flash plugin" entries.
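If you would rather not click through chrome://flash/ on every machine, the check described above can be scripted. The PowerShell below is an added example, not code from the article or from Google, Microsoft or Adobe. It assumes the default install layout of the day: Chrome's Pepper Flash under Application\<chrome-version>\PepperFlash with a manifest.json carrying the Flash build, and the IE ActiveX player as Flash.ocx under System32\Macromed\Flash (with the Macromedia registry key as a fallback). The minimum version is a placeholder parameter; replace it with the build named in the advisory you are enforcing.

```powershell
# Added example (not from the original article): report the Flash Player build
# bundled with Google Chrome and with Internet Explorer, and compare each against
# the version required by the current advisory. File paths and the registry key
# are assumptions about a default Windows install; adjust them if yours differ.

param(
    # Build required by the advisory being enforced. The default is a placeholder;
    # substitute the version named in the bulletin you are acting on.
    [version]$MinimumVersion = '12.0.0.77'
)

function ConvertTo-DottedVersion([string]$Text) {
    # Flash's VersionInfo strings use commas ("12,0,0,77"); normalise to dots.
    if (-not $Text) { return $null }
    return [version]($Text.Trim() -replace ',', '.')
}

function Get-ChromeFlashVersion {
    # Assumed layout: <Chrome Application dir>\<chrome-version>\PepperFlash\manifest.json,
    # whose "version" field is the Flash build; fall back to pepflashplayer.dll's VersionInfo.
    $roots = @(
        "$env:ProgramFiles\Google\Chrome\Application",
        "${env:ProgramFiles(x86)}\Google\Chrome\Application",
        "$env:LOCALAPPDATA\Google\Chrome\Application"
    ) | Where-Object { $_ -and (Test-Path $_) }

    foreach ($root in $roots) {
        $dirs = Get-ChildItem -Path $root -Recurse -Directory -Filter PepperFlash -ErrorAction SilentlyContinue
        foreach ($d in $dirs) {
            $manifest = Join-Path $d.FullName 'manifest.json'
            if (Test-Path $manifest) {
                $json = Get-Content -Path $manifest -Raw | ConvertFrom-Json
                if ($json.version) { return [version]$json.version }
            }
            $dll = Join-Path $d.FullName 'pepflashplayer.dll'
            if (Test-Path $dll) {
                return ConvertTo-DottedVersion (Get-Item $dll).VersionInfo.ProductVersion
            }
        }
    }
    return $null
}

function Get-IEFlashVersion {
    # Assumed locations: the ActiveX player IE loads is Flash.ocx under
    # System32\Macromed\Flash (SysWOW64 for the 32-bit copy); the installer also
    # records the version under HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX.
    $ocx = @(
        "$env:SystemRoot\System32\Macromed\Flash\Flash.ocx",
        "$env:SystemRoot\SysWOW64\Macromed\Flash\Flash.ocx"
    ) | Where-Object { Test-Path $_ } | Select-Object -First 1
    if ($ocx) {
        return ConvertTo-DottedVersion (Get-Item $ocx).VersionInfo.ProductVersion
    }
    $reg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Macromedia\FlashPlayerActiveX' -ErrorAction SilentlyContinue
    if ($reg -and $reg.Version) { return ConvertTo-DottedVersion $reg.Version }
    return $null
}

function Test-FlashCompliance([version]$Minimum) {
    # One row per browser: installed build and whether it meets the advisory's build.
    $checks = @(
        @{ Browser = 'Google Chrome';     Version = Get-ChromeFlashVersion },
        @{ Browser = 'Internet Explorer'; Version = Get-IEFlashVersion }
    )
    foreach ($c in $checks) {
        if (-not $c.Version)                { $status = 'not installed' }
        elseif ($c.Version -ge $Minimum)    { $status = 'ok' }
        else                                { $status = 'NEEDS UPDATE' }
        [pscustomobject]@{
            Browser      = $c.Browser
            FlashVersion = $c.Version
            Required     = $Minimum
            Status       = $status
        }
    }
}

Test-FlashCompliance -Minimum $MinimumVersion | Format-Table -AutoSize
```

Run it as `.\Check-BundledFlash.ps1 -MinimumVersion <build from the advisory>`; a row reading NEEDS UPDATE means the browser's own update channel has not yet delivered the fix to that machine, which is exactly the case where you want the bulletin's urgency rather than a "non-security" listing.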

Does Google treat Flash vulnerabilities differently in their bulletins? I think the best answer to that is yes, but Google has never provided the level of organization and detail in their security bulletins that Microsoft has. For example, the Chrome Releases blog entry describing the most recent Flash Player update lists that update as its only change, while the Stable Channel update entry before it addressed numerous vulnerabilities.

The essential information is there in the Google blog entries, but the level of detail and facilities for managed distribution of updates are not. For this kind of control and information, Microsoft has few peers.

So why don't they just issue a security bulletin when Flash Player gets updated in Internet Explorer? Clearly it's a security event of importance. There's no good reason to play it down.

Topics: Security, Browser, Google, Microsoft

  • Whose owns the bugs?

    I don't know what that means, do you?
    • fixed

      I have no idea how I could make such a stupid error. Sorry.
  • Re: Flash bundled in the browsers….

    I tend to try and avoid Flash-bundled browsers such as Chrome, and never Internet Explorer, as I work with OS X.

    I can indeed see a threat, though, as I question whether Flash-bundled browsers receive critical Flash updates as quickly as other browsers.

    Clearly there are no such issues with Safari 7 on OS X Mavericks and Safari 6.1 on OS X Mountain Lion.

    Unfortunately I have been unable to avoid Chrome on OS X 10.6 Snow Leopard, which is the latest version of OS X that will run on my 2006 Mac Mini. Running the default Safari 5 is inadvisable.
  • Perhaps Steve Jobs

    was right to ban Flash after all?
    Tony Burzio
    • Yes and no

      Flash wasn't ready at the time, but a load of patches isn't the reason to want to banish something.

      Unless you think they should banish some of their own software?
      Michael Alan Goff
  • Flash Player in Chrome is its own Creation!

    I don't know about MS IE integrated plugin, but for Google Chrome browser the Flash plugin is called NPAPI and it runs in Pepper. Which is basically a sandboxed container itself running within Chrome Browser. Which is slated for elimination sometime in the future anyway. I'm talking about plugin though. But basically we're talking about a Browser that runs in a sandbox itself, that runs these plugins (at least till they kill them) in a sandbox, so I really don't get how there can be any vulnerabilities in light of this revelation! ;-P

    Now if you're instead using Chromium, that's a different story depending on the OS platform. But again it's a browser running in a sandbox with all plugins also running sandboxed away from the sandboxed browser. So how in the world you can have problems other than sandbox issue is beyond me. It's just a player and Google gives you complete control over which plugins you run or not according to your choice. I use click to run settings and Flashblock extensions just to give even better control!

    Because don't dare be messing with my ability to run Flash on the web, because just far too much online is still using it and I happen to like Flash. Mainly because there still is no viable replacement out yet and Steve Jobs was wrong..... DEAD WRONG about Flash dying before he did!
    • OOPS.... I put NPAPI instead of PPAPI!

      Simply Pepper Plugin API instead of Netscape Plugin API! ......and who owns the vulnerabilities? Adobe still owns them and as soon as Google gets a report from Adobe, they go right to work in plugging them. So I'm thinking you are most likely just a Google hater and not really into using the leading browser anymore. Especially if you're still stuck using and applauding M$'s IE PoS!!! ;-P