Flash bundled in the browser: Who owns the bugs?

Google Chrome and Microsoft Internet Explorer both bundle Adobe Flash Player. Is a vulnerability in Flash a vulnerability in the browser now?
Written by Larry Seltzer, Contributor

I was surprised recently, when browsing Microsoft's list of non-security updates to its products, to see a recent update to Internet Explorer in there labeled "Security Update for Internet Explorer Flash Player for Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows 8, Windows RT, and Windows Server 2012 (KB2929825)," which I wrote about here. What is a "Security Update" doing in this list, as opposed to receiving a security bulletin of the type Microsoft will release tomorrow on Patch Tuesday?

It all boiled down to one question: If Microsoft and Google bundle some other product as part of theirs — specifically Adobe Flash Player — do vulnerabilities in Flash Player then become, by extension, vulnerabilities in the browser?

I think the question is more than academic (not a lot more, but more), because an organization might well treat official security bulletins with more urgency than other updates, and the label therefore decides how quickly the fix gets deployed. Microsoft is in fact inconsistent in its terminology in this case. This month's Patch Tuesday Advance Notification bulletin contains the stock reference to the updates not described in actual security bulletins:

Non-Security Updates on MU, WU, and WSUS

For information about non-security releases on Windows Update and Microsoft Update, please see:

    • Microsoft Knowledge Base Article 894199: Description of Software Update Services and Windows Server Update Services changes in content. Includes all Windows content.

So the bulletin refers to the document as containing "Non-Security Updates" and yet, inside the document, the Flash update is labeled as "New security content".

Microsoft also takes a unique approach to Flash Player updates in the document it publishes for them: it is a security advisory rather than a numbered security bulletin, Microsoft Security Advisory (2755801) — Update for Vulnerabilities in Adobe Flash Player in Internet Explorer. The advisory is currently at version 19.0 and is simply revised in place, covering all updates to the bundled Flash Player since it was first released in Internet Explorer 10. Perhaps they do this in other cases, but I can't recall them.

But of course, this isn't entirely a Microsoft product; it's a third-party product bundled with a Microsoft product. Surely that is the distinction which explains why Microsoft doesn't publish a bulletin for it, right? Once again, Microsoft is inconsistent here. Last August Microsoft issued a security bulletin for Exchange Server because of vulnerabilities in a third-party component written by Oracle: "The security update addresses the vulnerabilities by updating the affected Oracle Outside In libraries to a non-vulnerable version."

It's my understanding that the Flash Player is simply bundled with Internet Explorer, whereas the Oracle component in Exchange is compiled in as part of it. If this is the distinction, it's a distinction without a difference. Why should a customer care whether the files are compiled and/or linked into Microsoft binaries or are just along for the ride with other Microsoft binaries? In either case, the customer acquired a Microsoft product and, as part of it, got the third-party component. A problem with the third-party component is clearly Microsoft's responsibility.

In fact, making updates to Flash Microsoft's responsibility was the whole point of bundling it with the browser. Google Chrome was the first browser to do this, still only on Windows if I understand correctly. The idea is that Chrome is very good at updating users automatically and Flash isn't. Because keeping Flash updated is so important, Google and Microsoft now bundle it so that it will get updated through the browser's update channel rather than through Adobe's standalone updater.

Updates to the Flash Player actually show up first in Google Chrome. Much, I suspect, to Adobe's annoyance, Google always seems to issue the updated version of Chrome the day before Adobe releases the update to Flash. If you see a Stable Channel update to Chrome for Windows with no obvious explanation, install it and check the Flash version number and you'll see: go to chrome://flash/ in Chrome and look for the "Flash plugin" entries.
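Because the two browsers get their Flash builds through different update channels (Windows Update for Internet Explorer, Chrome's own updater for Chrome), the version installed for one browser says nothing about the other. The script below is an added example, not from the article or from Microsoft or Google, that reports both builds on a Windows 8.x machine so they can be compared against the version named in the current advisory. The file locations are the usual ones for the IE ActiveX control (Flash.ocx under System32 and SysWOW64) and for Chrome's PepperFlash (one folder per installed Chrome version); they are assumptions and may need adjusting for your install. The `$expected` value is a placeholder to be filled from the bulletin you are checking against.

```powershell
# Added example: inventory the Flash Player builds bundled with IE and Chrome.
# Paths are the usual locations on 64-bit Windows 8.x (an assumption, adjust as needed).

function Get-FlashFileVersion {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $null }
    # Build the version from the numeric fields; Flash's version *strings*
    # sometimes use commas, so don't parse FileVersion/ProductVersion text.
    $vi = (Get-Item $Path).VersionInfo
    return "{0}.{1}.{2}.{3}" -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

$report = @()

# Internet Explorer: the ActiveX control serviced by Windows Update on Windows 8/8.1.
foreach ($p in @("$env:SystemRoot\System32\Macromed\Flash\Flash.ocx",
                 "$env:SystemRoot\SysWOW64\Macromed\Flash\Flash.ocx")) {
    $v = Get-FlashFileVersion $p
    if ($v) { $report += [pscustomobject]@{ Browser = 'Internet Explorer'; Path = $p; Version = $v } }
}

# Chrome: PepperFlash shipped inside each installed Chrome version folder,
# serviced by Chrome's own updater (assumed locations for system and per-user installs).
$chromeRoots = @("$env:ProgramFiles\Google\Chrome\Application",
                 "${env:ProgramFiles(x86)}\Google\Chrome\Application",
                 "$env:LOCALAPPDATA\Google\Chrome\Application")
foreach ($root in $chromeRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem $root -Directory | ForEach-Object {
        $dll = Join-Path $_.FullName 'PepperFlash\pepflashplayer.dll'
        $v = Get-FlashFileVersion $dll
        if ($v) { $report += [pscustomobject]@{ Browser = "Chrome $($_.Name)"; Path = $dll; Version = $v } }
    }
}

# Placeholder: set this to the Flash version named in the advisory/bulletin you are checking against.
$expected = '0.0.0.0'

if ($report.Count -eq 0) {
    "No bundled Flash Player found at the assumed locations."
} else {
    $report | ForEach-Object {
        $status = if ([version]$_.Version -ge [version]$expected) { 'current' } else { 'OUTDATED' }
        "{0,-28} {1,-16} {2}  {3}" -f $_.Browser, $_.Version, $status, $_.Path
    }
}
```

Run it on a fleet through your usual remoting and you get, per machine, which browser is still carrying the old build after a Flash advisory; that is precisely the question an ambiguous "non-security update" label leaves unanswered.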

Does Google treat Flash vulnerabilities differently in its bulletins? I think the best answer to that is yes, but Google has never provided the level of organization and detail in its security bulletins that Microsoft has. For examples, see Google's blog entry describing the most recent Flash Player update; the Flash update is the only change in that entry. Compare the last Stable Channel update blog entry prior to that, which addressed numerous vulnerabilities.

The essential information is there in the Google blog entries, but the level of detail, and the facilities for managed distribution of updates, are not. For this kind of control and information, Microsoft has few peers.

So why doesn't Microsoft just issue a security bulletin when Flash Player gets updated in Internet Explorer? Clearly it's a security event of importance. There's no good reason to play it down.
