Microsoft to deliver Flash update to Windows 8 users 'shortly'
Summary: Microsoft has reversed course on a decision it announced last week. According to an official statement, Windows 8 users will receive critical security updates for Flash Player "shortly." But larger questions remain.
Update 21-Sep-2012: Microsoft has released the Flash Player updates for IE 10 in Windows 8. See this post for details.
It looks like Windows 8 users won’t be at risk of attack from unpatched vulnerabilities in Adobe’s Flash Player much longer.
In an e-mailed statement I received late last night, Yunsun Wee, Director of Microsoft Trustworthy Computing, said:
In light of Adobe’s recently released security updates for its Flash Player, Microsoft is working closely with Adobe to release an update for Adobe Flash in IE10 to protect our mutual customers. This update will be available shortly. Ultimately, our goal is to make sure the Flash Player in Windows 8 is always secure and up-to-date, and to align our release schedule as closely to Adobe’s as possible.
That decision is the first step in correcting a serious security screw-up on Microsoft’s part.
See also:
- Microsoft puts Windows 8 users at risk with missing Flash update
- Protect yourself from Flash attacks in Internet Explorer
- Why you should care about automatic updates for Flash Player
- How many Flash Player updates is too many?
Here’s the background:
Adobe released critical security updates for Flash Player on August 14 and August 21. Those patches were immediately available for installation on Internet Explorer 9 and earlier versions in Windows 7, Windows Vista, and Windows XP SP3. A plugin version was released promptly for Mozilla Firefox. The patches were also incorporated into Google Chrome and sent out via that browser’s automatic update mechanism.
But Internet Explorer 10, the default browser in Windows 8, incorporates its own version of Flash, which can’t be removed and can only be updated by Microsoft. Last week a Microsoft spokesperson told me (and other reporters as well, including ComputerWorld’s Gregg Keizer) that the fixes would not be available for Internet Explorer 10 until General Availability (GA) of Windows 8 in late October.
As of late last night, that decision is officially reversed.
Another source told me that the patch will be delivered via Windows Update before the end of next week. If that timing holds, then the relatively small population of Windows 8 users will be able to resume using Internet Explorer without taking extraordinary security precautions.
Wee’s announcement hints at a larger issue, which is how to align the update schedules for Adobe and Microsoft. That issue should have been settled months ago, but it appears that someone fumbled the handoff between Windows 8's release to manufacturing and its GA date. Microsoft's longstanding policy is to release security-related updates, including those for Internet Explorer, on the second Tuesday of each month. As Peter Bright of Ars Technica observed recently, Adobe normally releases its updates on the third or fourth Tuesday of the month:
If these policies are retained, then there will be a systematic vulnerability window. Microsoft will patch Internet Explorer, and then a week or two later, Adobe will reveal a raft of new Flash security flaws when it patches Flash. Windows users will then have to wait several weeks for Microsoft's next update.
The ideal solution, of course, would be for Adobe to shift its schedule so that it aligns with Microsoft’s.
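To make the scheduling argument concrete, here is an added example (not code from the article, from Ars Technica, or from either vendor) that computes the exposure window for a browser whose embedded Flash can only be fixed on Microsoft's second-Tuesday cycle. It assumes only the two cadences stated above: Microsoft ships on the second Tuesday, Adobe on the third or fourth Tuesday. All dates are derived from the calendar; none are taken from a vendor advisory.

```python
from datetime import date, timedelta

TUESDAY = 1  # date.weekday(): Monday == 0, Tuesday == 1


def nth_tuesday(year: int, month: int, n: int) -> date:
    """Return the n-th Tuesday of a month (n = 1..5); raise if it does not exist."""
    first = date(year, month, 1)
    offset = (TUESDAY - first.weekday()) % 7
    candidate = first + timedelta(days=offset + 7 * (n - 1))
    if candidate.month != month:
        raise ValueError(f"{year}-{month:02d} has no {n}th Tuesday")
    return candidate


def patch_tuesday(year: int, month: int) -> date:
    """Microsoft's monthly security release day: the second Tuesday."""
    return nth_tuesday(year, month, 2)


def next_patch_tuesday(after: date) -> date:
    """First Patch Tuesday strictly after `after` (handles the year rollover)."""
    year, month = after.year, after.month
    while True:
        candidate = patch_tuesday(year, month)
        if candidate > after:
            return candidate
        month += 1
        if month > 12:
            month, year = 1, year + 1


def exposure_window(adobe_release: date) -> int:
    """Days between Adobe publishing a Flash fix and the next Microsoft
    release day, i.e. how long a browser that can only take the fix on
    Patch Tuesday stays exposed to publicly documented flaws."""
    return (next_patch_tuesday(adobe_release) - adobe_release).days


def days_unpatched(adobe_release: date, vendor_fix: date) -> int:
    """Actual gap when the fix ships on some other day (e.g. out of band)."""
    return (vendor_fix - adobe_release).days


def schedule_table(year: int, adobe_week: int) -> list:
    """(month, Adobe release date, days until next Patch Tuesday) for one year,
    assuming Adobe always releases on the adobe_week-th Tuesday."""
    rows = []
    for month in range(1, 13):
        release = nth_tuesday(year, month, adobe_week)
        rows.append((month, release, exposure_window(release)))
    return rows


if __name__ == "__main__":
    # Worked case from the article: Adobe shipped on 14 and 21 August 2012,
    # and Microsoft's Windows 8 fix arrived on 21 September 2012.
    for rel in (date(2012, 8, 14), date(2012, 8, 21)):
        print(f"{rel}: next Patch Tuesday {next_patch_tuesday(rel)}, "
              f"{exposure_window(rel)} days")
    print("actual gap:", days_unpatched(date(2012, 8, 14), date(2012, 9, 21)), "days")
    for week in (3, 4):
        print(f"Adobe on Tuesday #{week}:",
              [w for _, _, w in schedule_table(2012, week)])
```

Running it shows that with Adobe on the third Tuesday the window is three weeks in most months and four in the others, and with Adobe on the fourth Tuesday it is two or three weeks; it never drops to zero unless the two calendars coincide, which is exactly the point of the last two paragraphs.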
This is a rare slip-up for Windows 8, which has otherwise been marching steadily toward its wide public release on October 26. As my ZDNet colleague Mary Branscombe observed yesterday, this gaffe is a "huge surprise" for another reason as well:
Security is a major focus for Windows 8, which has excelled in its other security improvements, and Microsoft usually has a process to ensure security is a priority. I'm assuming sanity will prevail and IT admins and BizSpark members and volume licensing subscribers evaluating Windows 8 won't continue to be vulnerable to known Flash vulnerabilities until GA in October.
But whatever decision, mistake or misunderstanding might turn out to be the explanation for this move, it's worrying for what it says about security process — which is something Microsoft has done pretty much right ever since Bill Gates hit the reset button on development after Blaster and retrained the entire company to think secure.
The decision to incorporate Flash into Windows 8 was a controversial one. It would be ironic if that decision, which was driven by the desire to make Flash more secure and reliable, actually made Windows users less secure.
Talkback
I am always amused
If they know their software is *that* buggy, why not spend some time and money to fix it, in the first place? Building upon something that is broken, always results in something that is even more broken -- and requires way more maintenance than fixing the broken thing.
All software has bugs and needs patches
A great deal of effort goes into making sure that common vulnerabilities are found and fixed before they ship. That's the point of the Secure Development Lifecycle, which Microsoft uses now.
But a world without patches? Not gonna happen no matter what OS you use.
thanks Ed
We do not disagree on most points
However, it is not true that all software requires regular security updates. Software requires updating when bugs are fixed and new features added. We can call the updates "security" when they fix bugs...
On the other hand, Windows is so widely used that most generic bugs should have been identified. Fact is, many of the bugs are already identified and known to the hacker community --- they are just not sharing with Microsoft, because that would mean fewer holes to exploit.. for whatever reasons.
By the way, this is one of the areas where open source software development always trumps closed software development: fixing bugs. More eyes see more. But this is not what we discuss here. My concerns are that Microsoft sort of considers it enough to make noise producing "fixes" instead of fixing bugs wholesale, so to speak.
Anyway, I am not arguing -- merely pointing out facts :)
The only difference between Microsoft and others...
"Many eyes" is a dangerous myth
Microsoft's Security Development Lifecycle is pretty much the gold standard on how to properly reduce and try to eliminate security issues. It doesn't make Windows flawless, but it goes a long way towards managing risk properly (and it includes "Patch Tuesday" as part of the process).
Do a web search on "many eyes windows linux" and see what you find. Don't just disregard stuff that shows up on microsoft.com (for sure, you can discount it, but don't eliminate it completely).
For what it's worth, this article is a discussion of process, not "code review", and it doesn't involve Microsoft code at all.
Gold standard?
http://openbsd.org/security.html
As for your suggested search on "many eyes windows linux", here's a shortcut, a link specifically for the Linux kernel:
"Exploiting grsecurity/PaX with Dan Rosenberg and Jon Oberheide" (May 18, 2011)
http://resources.infosecinstitute.com/exploiting-gresecuritypax/
There, apparently, aren't "many eyes" on the Linux kernel. Although, there are some good ones on it.
Microsoft has been on the right trajectory for the last 10 years, especially since the release of Windows Vista. There's still room for improvement, though, as shown by this Windows 8 RTM Flash Player fiasco.
OSX looks to be moving to a monthly patching system
Patch Delays
Premature
All of this will change, and there's definitely demand to support the vendors using HTML5 for users of iOS and other environments where Flash isn't supported. But, it's going to take a while before we can just do away with flash. These are business people - not just p0rn and online gamblers : -)
Kudos to Microsoft
Which company is that?