Why Flash updates might need to be delayed for IE, at least briefly
Summary: IE's Flash problem was communication not security, but there are reasons why Flash updates might sometimes take longer. The bigger question is how long Flash stays around.
Microsoft has now made it clear that saying that the version of Flash included with IE10 in Windows 8 RTM wouldn't get updated until October was indeed a mistake, courtesy of some crossed wires and internal communication problems.

The Flash update should be on your system by now if you use Automatic Updates. And no, you won't have to wait for the monthly Patch Tuesday release to get any further Flash updates; if a Flash update arrives outside the usual quarterly update schedule for Flash or the usual monthly update schedule for IE, Microsoft will push it out as soon as it's ready (as it did on Friday with a fix for the latest zero-day vulnerability in IE9).
The wording of "this may mean that in some cases we will issue updates outside of our regular monthly security bulletin release" isn't quite as strong as we'd like it to be, but it is typical cautious security speak rather than marketing fluff and on balance, that's perhaps more reassuring.
Better the devil you know?
Is it bad that there was a zero-day vulnerability in IE9? Of course. Is it a reason to dump IE? Only if you can find a browser that doesn't have any bugs or security issues.
And no, that wouldn't be Chrome or Firefox; Trend Micro did the sums and in 2011 Chrome had 275 new vulnerabilities; in fact the number of vulnerabilities in Chrome goes up every year. Firefox had 97 vulnerabilities; since its dark days in 2009 Firefox has been having steadily fewer vulnerabilities, but that's still more than twice as many as the 45 vulnerabilities in IE in 2011 - a number that's been going down every year for the last five years.
If you only count zero-day vulnerabilities IE and Chrome were neck and neck at six each with four for Firefox. The question is not whether browsers have security issues - they all do - but how quickly and thoroughly they address them.
Taking the time to test
Those 'out of band' Flash updates in IE won't always be at exactly the same time as the update that comes from Adobe and as long as the delay is fairly short, that's not a bad thing.
It means Microsoft is taking the time to test and check the updates it gets from Adobe rather than just pushing them out straight away. Microsoft can presumably do a better job than Adobe at the specifics of testing updates for compatibility with the versions of Windows they're heading for. At the very least it's another check that the fix works. And taking time to double-check the updates and the way they integrate with IE10 will avoid the kind of problems Google had earlier in the year when it pushed out a security update to the version of Flash built into Chrome only to re-introduce a security bug that a previous update had fixed.
Why wasn't more of this sorted out earlier on? Originally Microsoft had said there wouldn't be any plug-ins in the WinRT version of IE10 or on Windows RT; while Flash integration was presumably always a fallback plan, it wasn't announced (or presumably decided on) until relatively recently. Perhaps Microsoft hoped more sites would switch to HTML5 video and audio or build WinRT apps to replace their Flash sites, just as they've had to find other ways of delivering content for iPhones and iPads.
Wither Flash
Flash has always been about doing things browsers haven't been able to do; it's easier for one company to develop and update proprietary code than to suggest, negotiate and co-ordinate a standard all the browsers can implement and then have them all implement it in compatible ways.
As HTML5 gets more capable, what Flash does now gets less important because the browser can do it. Some of what Flash is still better at (particularly for DRM) is going to get baked into applications based on the AIR runtime (for WinRT and iOS and pretty much every tablet and phone platform except the BlackBerry PlayBook, that means the necessary parts of the AIR runtime get included in each app, which makes them a little larger but gives developers flexibility).
On the desktop, where you can use Flash with any site, the plug-in isn't dying any time soon, but the performance and security issues of plug-ins in general and the fact that mobile browsing is becoming a larger and larger part of the market mean that Flash and all the other browser add-ons will eventually fade away. Of course, that just leaves us with all those apps to keep secure and up to date...
Talkback
It's awfully convenient...
Additionally, IE's lack of new vulnerabilities can be easily down-played when you consider it is the second oldest browser on the market today. I would hope that a software product that originally shipped with Windows 95 and has been in a "mature" state for almost 20 years has fewer new vulnerabilities than a competing product that has only been on the market for about five years (Google Chrome's initial release was in 2008).
Speaking as someone who generally likes ZD Net's tech coverage, this article kinda screams "paid shill" to those of us who know the browser market. Keep in mind this comment isn't an attack on IE, just criticism that the article doesn't paint a very accurate picture.
Your Logic Is Flawed
When you look at the evolution of security, it's actually easier to secure a new product than an existing mainstream product. Exploits that weren't expected/planned for are being executed on a daily basis and they need to update all the legacy code to a point where it's easier to start from scratch. Also, IE is a higher priority target as more users use it than any other browser. While it still doesn't excuse Microsoft, their response time to this point has been solid on every major security event that I've heard about in the past two years. Zero day vulnerabilities suck, the trick is how quick you fix the leak.
Had the security company done what a good security company does, it would have been reported to Microsoft first and they would have waited till a fix was created before releasing it on the world.
It's not quite IE 6 here
In fact, newer code ought to have fewer vulnerabilities because it should have been written with modern knowledge of security and attack surfaces.
If throwing money at the problem could fix security, I'd expect Mac OS and iOS to be bullet proof (they're not). Mac OS is protected by its relatively small market share and the reason we haven't seen a major attack on iOS is that zero day vulnerabilities are 'wasted' on jailbreaking phones. That's not an attack on Safari or any other browser, just a suggestion that your comment smacks rather of special pleading.
an attack on safari? where?
The Important Thing Is The Exposure To Those Vulnerabilities