Microsoft has now updated Flash on Windows 8 to protect IE10 users from attacks that may have started months ago.
More than a week before, Microsoft had backed away from an earlier position that held it would not patch Flash until late October. Instead, the company promised to update the media player “shortly.”
Microsoft, not Adobe, is responsible for patching Flash Player in Windows 8 because the company mimicked Google’s Chrome by building the software into IE10, the new operating system’s browser. Microsoft announced that move in late May, when its top IE executive, Dean Hachamovitch, said, “By updating Flash through Windows Update, like IE, we make security more convenient for customers.”
But the Redmond, Wash. developer ran into trouble from the get-go. Although Adobe shipped a pair of security updates in August that patched eight vulnerabilities, Windows 8 RTM, the finished code that began reaching users that same month, lacked those fixes.
One of the eight Flash bugs has been exploited by hackers, perhaps for months. An elite hacker gang known for finding and leveraging unpatched vulnerabilities has been among those hijacking Windows PCs with the flaw.
Friday’s Flash update will be offered to Windows 8 RTM, and to the final public beta, Windows 8 Release Preview. That sneak peak, which users downloaded free of charge, does not expire until Jan. 31, 2013.
Computerworld confirmed that the update boosted IE10’s Flash Player to version 11.3.374.7 on Windows 8 RTM. On Friday, Adobe confirmed that that edition contained the patches for the eight vulnerabilities it patched Aug. 14 and Aug. 21.
Yunsun Wee, director of Microsoft’s Trustworthy Computing team, also clarified how the company will treat future Flash updates for IE10 in Windows 8.
“On a quarterly basis when Adobe normally issues Flash Player updates, we will coordinate on disclosure and release timing,” pledged Wee.
Her reference to an Adobe quarterly Flash schedule was odd; although Adobe tries to adhere to a regular cadence for Adobe Reader — not always successfully — it has never set something similar for Flash Player.
Thus far during 2012, in fact, Adobe has issued seven Flash updates: One in February; two in March; one each in May and June; and two in August. If Adobe is adopting a quarterly patch process for Flash Player, it has kept that under wraps.
Wee also admitted that Microsoft will need to deliver “out-of-band” updates — those outside its usual monthly Patch Tuesday — to keep IE10’s and Windows 8’s Flash in sync with the Flash plug-ins Adobe maintains for other browsers.
“When the threat landscape requires action outside of Adobe’s normal update cadence, we will issue updates outside of our regular monthly security bulletin release,” Wee said in a Friday post to the Microsoft Security Response Centre’s blog.
Those out-of-band Flash updates could quickly pile up. If Windows 8 had been available from the start of 2012, in the best circumstances Microsoft would still have had to deliver emergency Flash updates in February, March and August.
Even then, Microsoft would have had to hustle to work the other four Flash updates into its next Patch Tuesday: In one instance, Flash was updated on Patch Tuesday, while in two others, Microsoft would have had just four days to prepare. The fourth Flash update was released eight days before the next Patch Tuesday.
More information on the Flash Update to IE10 and Windows 8 can be found in Microsoft’s security advisory.
Windows 8 users can obtain the Flash update via the Windows Update service, as well as through the enterprise-grade WSUS (Windows Server Update Services).
Microsoft’s made good on a Sept. 11 promise to patch Windows 8’s baked-in Flash Player.