Update 21-Sep-2012: Microsoft has released the Flash Player updates for IE 10 in Windows 8. See this post for details.
It looks like Windows 8 users won’t be at risk of attack from unpatched vulnerabilities in Adobe’s Flash Player much longer.
In an e-mailed statement I received late last night, Yunsun Wee, Director of Microsoft Trustworthy Computing, said:
In light of Adobe’s recently released security updates for its Flash Player, Microsoft is working closely with Adobe to release an update for Adobe Flash in IE10 to protect our mutual customers. This update will be available shortly. Ultimately, our goal is to make sure the Flash Player in Windows 8 is always secure and up-to-date, and to align our release schedule as closely to Adobe’s as possible.
That decision is the first step in correcting a serious security screw-up on Microsoft’s part.
Here’s the background:
Adobe released critical security updates for Flash Player on August 14 and August 21. Those patches were immediately available for installation on Internet Explorer 9 and earlier versions in Windows 7, Windows Vista, and Windows XP SP3. A plugin version was released promptly for Mozilla Firefox. The patches were also incorporated into Google Chrome and sent out via that browser’s automatic update mechanism.
But Internet Explorer 10, the default browser in Windows 8, incorporates its own version of Flash, which can’t be removed and can only be updated by Microsoft. Last week a Microsoft spokesperson told me (and other reporters as well, including ComputerWorld’s Gregg Keizer) that the fixes would not be available for Internet Explorer 10 until General Availability (GA) of Windows 8 in late October.
As of late last night, that decision is officially reversed.
Another source told me that the patch will be delivered via Windows Update before the end of next week. If that timing holds, then the relatively small population of Windows 8 users will be able to resume using Internet Explorer without taking extraordinary security precautions.
Wee’s announcement hints at a larger issue, which is how to align the update schedules for Adobe and Microsoft. That issue should have been settled months ago, but it appears that someone fumbled the handoff between Windows 8’s release to manufacturing and its GA date. Microsoft’s longstanding policy is to release security-related updates, including those for Internet Explorer, on the second Tuesday of each month. As Peter Bright of Ars Technica observed recently, Adobe normally releases its updates on the third or fourth Tuesday of the month:
If these policies are retained, then there will be a systematic vulnerability window. Microsoft will patch Internet Explorer, and then a week or two later, Adobe will reveal a raft of new Flash security flaws when it patches Flash. Windows users will then have to wait several weeks for Microsoft's next update.
The ideal solution, of course, would be for Adobe to shift its schedule so that it aligns with Microsoft’s.
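To put a number on the vulnerability window Bright describes, here is an added illustration (my own code, not from the article or any of the sources it quotes). It assumes the schedules as stated above, Microsoft on the second Tuesday and Adobe on the third or fourth Tuesday, and measures how many days a Flash flaw disclosed by an Adobe release would stay unpatched in IE 10 until the next Microsoft Patch Tuesday; the function names are mine.

```python
import calendar
from datetime import date, timedelta


def nth_weekday(year, month, weekday, n):
    """Date of the n-th occurrence of `weekday` (calendar.TUESDAY == 1) in a month."""
    first = date(year, month, 1)
    offset = (weekday - first.weekday()) % 7
    return first + timedelta(days=offset + 7 * (n - 1))


def microsoft_patch_tuesday(year, month):
    """Microsoft's monthly security release: the second Tuesday (assumed policy)."""
    return nth_weekday(year, month, calendar.TUESDAY, 2)


def next_patch_tuesday(after):
    """First Microsoft Patch Tuesday strictly after the given date."""
    year, month = after.year, after.month
    while True:
        candidate = microsoft_patch_tuesday(year, month)
        if candidate > after:
            return candidate
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)


def exposure_window(adobe_release):
    """Days a Flash fix shipped by Adobe waits for the next Microsoft Patch Tuesday."""
    return (next_patch_tuesday(adobe_release) - adobe_release).days


def yearly_schedule(year, adobe_week):
    """(adobe_release_date, days_unpatched) for each month, Adobe on the given Tuesday."""
    rows = []
    for month in range(1, 13):
        adobe_release = nth_weekday(year, month, calendar.TUESDAY, adobe_week)
        rows.append((adobe_release, exposure_window(adobe_release)))
    return rows


if __name__ == "__main__":
    # 2012 is the year in the article; weeks 3 and 4 are Adobe's usual Tuesdays.
    for week in (3, 4):
        print(f"Adobe release on Tuesday #{week} of each month:")
        for adobe_release, days in yearly_schedule(2012, week):
            print(f"  {adobe_release}  ->  {days:2d} days until next Patch Tuesday")
```

With the schedules as described, a third-Tuesday Adobe release leaves IE 10 three to four weeks behind, and a fourth-Tuesday release two to three weeks; the 21 August 2012 update, for example, would have waited 21 days for 11 September.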
This is a rare slip-up for Windows 8, which has otherwise been marching steadily toward its wide public release on October 26. As my ZDNet colleague Mary Branscombe observed yesterday, this gaffe is a "huge surprise" for another reason as well:
Security is a major focus for Windows 8, which has excelled in its other security improvements, and Microsoft usually has a process to ensure security is a priority. I'm assuming sanity will prevail and IT admins and BizSpark members and volume licensing subscribers evaluating Windows 8 won't continue to be vulnerable to known Flash vulnerabilities until GA in October.
But whatever decision, mistake or misunderstanding might turn out to be the explanation for this move, it's worrying for what it says about security process — which is something Microsoft has done pretty much right ever since Bill Gates hit the reset button on development after Blaster and retrained the entire company to think secure.
The decision to incorporate Flash into Windows 8 was a controversial one. It would be ironic if that decision, which was driven by the desire to make Flash more secure and reliable, actually made Windows users less secure.