Microsoft to deliver Flash update to Windows 8 users 'shortly'

Summary: Microsoft has reversed course on a decision it announced last week. According to an official statement, Windows 8 users will receive critical security updates for Flash Player "shortly." But larger questions remain.

TOPICS: Security, Windows

Update 21-Sep-2012: Microsoft has released the Flash Player updates for IE 10 in Windows 8. See this post for details.

It looks like Windows 8 users won’t be at risk of attack from unpatched vulnerabilities in Adobe’s Flash Player much longer.

In an e-mailed statement I received late last night, Yunsun Wee, Director of Microsoft Trustworthy Computing, said:

In light of Adobe’s recently released security updates for its Flash Player, Microsoft is working closely with Adobe to release an update for Adobe Flash in IE10 to protect our mutual customers. This update will be available shortly. Ultimately, our goal is to make sure the Flash Player in Windows 8 is always secure and up-to-date, and to align our release schedule as closely to Adobe’s as possible.

That decision is the first step in correcting a serious security screw-up on Microsoft’s part.

Here’s the background:

Adobe released critical security updates for Flash Player on August 14 and August 21. Those patches were immediately available for installation on Internet Explorer 9 and earlier versions in Windows 7, Windows Vista, and Windows XP SP3. A plugin version was released promptly for Mozilla Firefox. The patches were also incorporated into Google Chrome and sent out via that browser’s automatic update mechanism.

But Internet Explorer 10, the default browser in Windows 8, incorporates its own version of Flash, which can’t be removed and can only be updated by Microsoft. Last week a Microsoft spokesperson told me (and other reporters as well, including ComputerWorld’s Gregg Keizer) that the fixes would not be available for Internet Explorer 10 until General Availability (GA) of Windows 8 in late October.

As of late last night, that decision is officially reversed.

Another source told me that the patch will be delivered via Windows Update before the end of next week. If that timing holds, then the relatively small population of Windows 8 users will be able to resume using Internet Explorer without taking extraordinary security precautions.

Wee’s announcement hints at a larger issue, which is how to align the update schedules for Adobe and Microsoft. That issue should have been settled months ago, but it appears that someone fumbled the handoff between Windows 8's release to manufacturing and its GA date. Microsoft's longstanding policy is to release security-related updates, including those for Internet Explorer, on the second Tuesday of each month. As Peter Bright of Ars Technica observed recently, Adobe normally releases its updates on the third or fourth Tuesday of the month:

If these policies are retained, then there will be a systematic vulnerability window. Microsoft will patch Internet Explorer, and then a week or two later, Adobe will reveal a raft of new Flash security flaws when it patches Flash. Windows users will then have to wait several weeks for Microsoft's next update.

The ideal solution, of course, would be for Adobe to shift its schedule so that it aligns with Microsoft’s.
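To put numbers on the vulnerability window described above, here is an added Python example (not part of the article) that computes each month's second Tuesday and the days between an Adobe release on the third or fourth Tuesday and Microsoft's next Patch Tuesday; only the August 2012 release dates come from the article, everything else is calendar arithmetic.

```python
import calendar
from datetime import date, timedelta


def nth_weekday(year: int, month: int, weekday: int, n: int) -> date:
    """n-th occurrence (1-based) of weekday (0=Mon .. 6=Sun) in a month."""
    first = date(year, month, 1)
    offset = (weekday - first.weekday()) % 7
    return first + timedelta(days=offset + 7 * (n - 1))


def patch_tuesday(year: int, month: int) -> date:
    """Microsoft's regular update day: the second Tuesday of the month."""
    return nth_weekday(year, month, calendar.TUESDAY, 2)


def next_patch_tuesday(on_or_after: date) -> date:
    """First Patch Tuesday on or after the date (same day counts as aligned)."""
    year, month = on_or_after.year, on_or_after.month
    while True:
        candidate = patch_tuesday(year, month)
        if candidate >= on_or_after:
            return candidate
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)


def exposure_window(adobe_release_iso: str) -> int:
    """Days IE10 users would wait for the next Patch Tuesday after an Adobe release."""
    release = date.fromisoformat(adobe_release_iso)
    return (next_patch_tuesday(release) - release).days


def windows_for_year(year: int) -> dict:
    """Per month: exposure window (days) if Adobe ships on the 3rd or 4th Tuesday."""
    return {
        month: tuple(
            exposure_window(nth_weekday(year, month, calendar.TUESDAY, n).isoformat())
            for n in (3, 4)
        )
        for month in range(1, 13)
    }


if __name__ == "__main__":
    # Article dates: Adobe's August 14 and August 21, 2012 Flash releases.
    for iso in ("2012-08-14", "2012-08-21"):
        print(iso, "->", exposure_window(iso), "days until the next Patch Tuesday")
    for month, (third, fourth) in windows_for_year(2012).items():
        print(f"{calendar.month_abbr[month]} 2012: 3rd Tue {third:2d} d, 4th Tue {fourth:2d} d")
```

The August 14 release lands on Patch Tuesday itself (zero days if the two schedules are coordinated), while the August 21 release leaves a three-week gap before September 11; a fourth-Tuesday release still leaves two weeks.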

This is a rare slip-up for Windows 8, which has otherwise been marching steadily toward its wide public release on October 26. As my ZDNet colleague Mary Branscombe observed yesterday, this gaffe is a "huge surprise" for another reason as well:

Security is a major focus for Windows 8, which has excelled in its other security improvements, and Microsoft usually has a process to ensure security is a priority. I'm assuming sanity will prevail and IT admins and BizSpark members and volume licensing subscribers evaluating Windows 8 won't continue to be vulnerable to known Flash vulnerabilities until GA in October.

But whatever decision, mistake or misunderstanding might turn out to be the explanation for this move, it's worrying for what it says about security process — which is something Microsoft has done pretty much right ever since Bill Gates hit the reset button on development after Blaster and retrained the entire company to think secure.

The decision to incorporate Flash into Windows 8 was a controversial one. It would be ironic if that decision, which was driven by the desire to make Flash more secure and reliable, actually made Windows users less secure.

  • I am always amused

    to read how Microsoft patches their vulnerabilities each second Thursday while Adobe patches their vulnerabilities each third or fourth Thursday.

    If they know their software is *that* buggy, why not spend some time and money to fix it in the first place? Building upon something that is broken always results in something that is even more broken -- and requires way more maintenance than fixing the broken thing.
    • All software has bugs and needs patches

      That's especially true for operating systems, which are large and complex. So OS X and the various Linux distributions and Android and Windows all require regular security updates.

      A great deal of effort goes into making sure that common vulnerabilities are found and fixed before they ship. That's the point of the Secure Development Lifecycle, which Microsoft uses now.

      But a world without patches? Not gonna happen no matter what OS you use.
      Ed Bott
      • thanks Ed

        Glad you got it from the source. I have restrained myself from saying on the sites that a patch was coming. I would have gotten a lot of crap like I always do because I am not a known expert. Just one of the slugs that crash and burn OS's for fun and receive all Microsoft developer info delivered in my mail every day. There is not one OS that is perfect; if there was, everyone would use it and a lot of folks would be out of a job.
      • We do not disagree on most points

        Of course, all software has bugs.

        However, it is not true that all software requires regular security updates. Software requires updating when bugs are fixed and new features added. We can call the updates "security" when they fix bugs...

        On the other hand, Windows is so widely used that most generic bugs should have been identified. Fact is, many of the bugs are already identified and known to the hacker community --- they are just not sharing with Microsoft, because that would mean fewer holes to exploit.. for whatever reasons.

        By the way, this is one of the areas where open source software development always trumps closed software development: fixing bugs. More eyes see more. But this is not what we discuss here. My concerns are that Microsoft sort of considers it enough to make noise producing "fixes" instead of fixing bugs wholesale, so to speak.

        Anyway, I am not arguing -- merely pointing out facts :)
        • The only difference between Microsoft and others...

          that Microsoft has "patch Tuesday". And they have "patch Tuesday" because IT departments everywhere demanded it. We want to have updates on a regular and predictable schedule so that they are less disruptive to our environments. And no, open source does not "always trump closed software". More eyes? Sure, divided up among how many different distributions? And count up the numbers of patches and you will find that they are not that different. It's just that "patch Tuesday" is always the "I hate Microsoft" crowd's day to chant their mantra.
        • "Many eyes" is a dangerous myth

          I can stare at code all day and not see a security flaw (and, I've been in the software development business 30+ years (right from when I got out of engineering school)). You need a process, you need folks incented to find security problems, and you need someone to stand behind what's being shipped.

          Microsoft's Security Development Lifecycle is pretty much the gold standard on how to properly reduce and try to eliminate security issues. It doesn't make Windows flawless, but it goes a long way towards managing risk properly (and, it includes "Patch Tuesday" as part of the process).

          Do a web search on "many eyes windows linux" and see what you find. Don't just disregard stuff that shows up on (for sure, you can discount it, but don't eliminate it completely).

          For what it's worth, this article is a discussion of process, not "code review", and it doesn't involve Microsoft code at all.
          • Gold standard?

            That would be the OpenBSD project:


            As for your suggested search on "many eyes windows linux", here's a shortcut, a link specifically for the Linux kernel:

            “Exploiting grsecurity/PaX with Dan Rosenberg and Jon Oberheide”, May 18, 2011

            There, apparently, aren't "many eyes" on the Linux kernel. Although, there are some good ones on it.

            Microsoft has been on the right trajectory for the last 10 years, especially since the release of Windows Vista. There's still room for improvement, though, as shown by this Windows 8 RTM Flash Player fiasco.
            Rabid Howler Monkey
        • got it

          and no, I don't like arguing myself
        • OSX looks to be moving to a monthly patching system

          It's sometimes good to know when you're getting updates.
          Michael Alan Goff
      • Patch Delays

        I just hope we don't end up in a situation with Windows 8 and Flash similar to Apple and Java, where patches are delayed even beyond the time it takes Adobe and Oracle to release updates. I'll be unhappy if Flash in IE10 is vulnerable to security issues that have already been patched in other browsers.
    • Wow... don't have a clue about software development, do you?
      • owo

        If you say so, apparently. ;)
    • interesting...

      I just installed mint 13 lde last night and went through about 400 MB worth of updates for programs and the operating system. It's a dynamic process, and there will always be a need to patch programs and the OS. The day you get an OS that doesn't need patching is the day it's so locked down no one wants to use it because it takes ridiculous amounts of time to do anything with it.
  • Best solution...

    Best solution is for Flash to be removed altogether from IE10. Second best solution is to move update responsibility back to Adobe so that they update it whenever needed.
    • Premature

      I don't disagree about getting rid of Flash, but it's too soon. Someone I support who is a rabid iPad lover just bought a laptop, only because some of his primary business functions require Flash. With Flash, he can do things online that otherwise require him to visit a supplier in person - things that even the vendor's iOS app doesn't support. I also know a couple of people whose online business training videos require Flash.

      All of this will change, and there's definitely demand to support the vendors using HTML5 for users of iOS and other environments where Flash isn't supported. But, it's going to take a while before we can just do away with Flash. These are business people - not just p0rn and online gamblers : -)
  • Kudos to Microsoft

    A certain other company would have stuck to their "you are updating it wrong" stance.
    • Or...

      just would have left Flash as an optional plugin. Novel approach, huh?
    • Which company is that?

      Just wondering, because it isn't Apple anymore.
      Michael Alan Goff
  • Microsoft to deliver Flash update to Windows 8 users 'shortly'

    Microsoft is going to update flash which they would have done eventually anyway. Users did not have to "taking extraordinary security precautions" considering Microsoft Windows 8 is only available to power users at the moment who know the risks and how to handle them. There really was no story to begin with but 3 articles later we are still getting it. Praise does go to Microsoft for just releasing the patch earlier than expected.
    Loverock Davidson-
    • Holy...

      Your sig should be: Rev. Loverock Davidson, Church of Microsoft.