September 12, 2012
First Flash Patch for Windows 8 to Arrive Sooner Rather Than Later
Michael Harper for redOrbit.com — Your Universe Online
Though October 26th is several weeks away, many have already begun to use Windows 8, Microsoft´s latest desktop and tablet operating system, ahead of its official public release. As is always the case in the techno-sphere, early adopters, though often respected by their peers, are also usually the group to bear the burden of bugs and glitches.
For instance, when Microsoft built Internet Explorer 10 into Windows 8, they bundled the desktop version of the browser together with a Flash plug-in. It was discovered last week, however, that the version of Flash that ships with IE 10 is out of date. Though Microsoft headquarters first claimed that they wouldn´t be shipping an update to this Flash player until the official launch of Windows 8, leaving these early adopters vulnerable for several weeks, ZDNet is now reporting that Microsoft has changed their tune and will be issuing an update “shortly.”
In an emailed statement to Ed Bott at ZDNet, Microsoft´s Director of Trustworthy Computing Yunsun Wee said, “In light of Adobe´s recently released security updates for its Flash Player, Microsoft is working closely with Adobe to release an update for Adobe Flash in IE10 to protect our mutual customers. This update will be available shortly. Ultimately, our goal is to make sure the Flash Player in Windows 8 is always secure and up-to-date, and to align our release schedule as closely to Adobe´s as possible.”
Though Microsoft could make this situation right “shortly,” there remains a question about how these Flash updates will be rolled out in the future.
As pointed out by Ars Technica, Adobe and Microsoft already have scheduled days on which they traditionally release patches to their software. The problem is that these days do not line up.
Adobe traditionally ships their patches on the third or fourth Tuesday of each month, while Microsoft ships their software updates on the second Tuesday of each month. Going forward, this means that Internet Explorer users could be left wide open and vulnerable to exploits for up to 2 weeks at a time, presenting a very predictable window of opportunity for cyber ne´erdowells.
"You would have thought that Microsoft would have had this all planned out previously," said Andrew Storms, director of security operations at nCircle Security. Speaking with Gregg Keizer of Computerworld, Storms later said, "Now, it's like an afterthought."
"It's almost as if it was an entirely different team from the security group that made this — or forgot — this arrangement.”
Of course, Adobe could simply give Microsoft an advance on their Flash patches, giving Redmond the ability to bundle these patches in their updates which precede Adobe´s by as much as 2 weeks. On the other hand, Adobe could also release one patch to all the major browsers–Chrome, Firefox, Safari or otherwise– at the same time, giving all Flash users the same level of protection.
It´s worth mentioning that Google´s Chrome browser also ships with a built-in version of Flash much like Internet Explorer. To their credit, Chrome has never had an issue with keeping Flash up-to-date. In fact, they´ve even been ahead of the Flash curve on a few occasions. If Chrome can do it, perhaps Microsoft should be able to as well?