Why Flash updates might need to be delayed for IE, at least briefly

IE's Flash problem was communication not security, but there are reasons why Flash updates might sometimes take longer. The bigger question is how long Flash stays around.
Written by Mary Branscombe, Contributor

Microsoft has now made it clear that saying that the version of Flash included with IE10 in Windows 8 RTM wouldn't get updated until October was indeed a mistake, courtesy of some crossed wires and internal communication problems.

It's no bad thing that Microsoft takes the time to test Flash updates - but how much longer will it be around?

The Flash update should be on your system by now if you use Automatic Updates. And no, you won't have to wait for the monthly Patch Tuesday release to get any further Flash updates; if an update for Flash comes along between the usual quarterly update schedule for Flash or the usual monthly update schedule for IE, Microsoft will push it out as soon as it's ready (like it put out a fix on Friday for the latest zero day vulnerability in IE9).

The wording of "this may mean that in some cases we will issue updates outside of our regular monthly security bulletin release" isn't quite as strong as we'd like it to be, but it is typical cautious security speak rather than marketing fluff and on balance, that's perhaps more reassuring.

Better the devil you know?

Is it bad that there was a zero-day vulnerability in IE9? Of course. Is it a reason to dump IE? Only if you can find a browser that doesn't have any bugs or security issues.

And no, that wouldn't be Chrome or Firefox; Trend Micro did the sums and in 2011 Chrome had 275 new vulnerabilities; in fact the number of vulnerabilities in Chrome goes up every year. Firefox had 97 vulnerabilities; since its dark days in 2009 Firefox has been having steadily fewer vulnerabilities, but that's still more than twice as many as the 45 vulnerabilities in IE in 2011 - a number that's been going down every year for the last five years.

If you only count zero-day vulnerabilities, IE and Chrome were neck and neck at six each, with four for Firefox. The question is not whether browsers have security issues - they all do - but how quickly and thoroughly they address them.

Taking the time to test

Those 'out of band' Flash updates in IE won't always be at exactly the same time as the update that comes from Adobe and as long as the delay is fairly short, that's not a bad thing.

It means Microsoft is taking the time to test and check the updates it gets from Adobe rather than just pushing them out straight away. Microsoft can presumably do a better job than Adobe at the specifics of testing updates for compatibility with the versions of Windows they're heading for. At the very least it's another check that the fix works. And taking time to double-check the updates and the way they integrate with IE10 will avoid the kind of problems Google had earlier in the year when it pushed out a security update to the version of Flash built into Chrome only to re-introduce a security bug that a previous update had fixed.

Why wasn't more of this sorted out earlier on? Originally Microsoft had said there wouldn't be any plug-ins in the WinRT version of IE10 or on Windows RT; while Flash integration was presumably always a fallback plan, it wasn't announced (or presumably decided on) until relatively recently. Perhaps Microsoft hoped more sites would switch to HTML5 video and audio or build WinRT apps to replace their Flash sites, just as they've had to find other ways of delivering content for iPhones and iPads.

Wither Flash

Flash has always been about doing things browsers haven't been able to do; it's easier for one company to develop and update proprietary code than to suggest, negotiate and co-ordinate a standard all the browsers can implement and then have them all implement it in compatible ways.

As HTML5 gets more capable, what Flash does now gets less important because the browser can do it. Some of what Flash is still better at (particularly for DRM) is going to get baked into applications based on the AIR runtime (for WinRT and iOS and pretty much every tablet and phone platform except the BlackBerry PlayBook, that means the necessary parts of the AIR runtime get included in each app, which makes them a little larger but gives developers flexibility).

On the desktop, where you can use Flash with any site, the plug-in isn't dying any time soon, but the performance and security issues of plug-ins in general and the fact that mobile browsing is becoming a larger and larger part of the market mean that Flash and all the other browser add-ons will eventually fade away. Of course, that just leaves us with all those apps to keep secure and up to date...
