Microsoft to patch Windows 8 Flash bug before OS released

Microsoft plans to release a patch for a Flash vulnerability in Windows 8 soon, reversing a prior decision to wait until the operating system is generally available.

The reversal followed criticism in the media for waiting to patch a known vulnerability that Flash-creator Adobe had already fixed. In Windows 8, Microsoft has embedded Flash in Internet Explorer 10, taking responsibility for updating the browser when Adobe releases patches. Flash is among the top browser-based security risks.

In a statement emailed Tuesday, Microsoft said it was working with Adobe to develop a fix for IE10. "This update will be available shortly," the company said. "Ultimately, our goal is to make sure the Flash Player in Windows 8 is always secure and up-to-date, and to align our release schedule as closely to Adobe's as possible."

Paul Henry, security and forensic analyst at Lumension, said releasing the patch before Windows 8 is on store shelves was a good precautionary move. "They're just getting ready to crank things up on that operating system and the last thing they want is to release it, have large adoption in the enterprise, and then be immediately hit with a problem due to a known third party issue," Henry said.


Another security expert bristled over Microsoft not giving an exact date for the patch release. "It's not very useful to say the patch will be out 'soon,'" said Andrew Storms, director of security operations at nCircle. "Soon could mean anything from next week to next quarter. It seems like this whole release was an unplanned after-thought; it takes me back to the bad old days when vendors didn't communicate clearly about security releases."

Microsoft said late last week that it would not patch the Flash bug in IE10 until the operating system reached general availability, with Windows 8-based PCs on store shelves. That is set to happen Oct. 26.

Not patching beforehand meant Windows 8 would be vulnerable to attack immediately after it was generally available. In addition, systems currently running pre-release versions of the operating system were also at risk. Adobe had patched the Flash flaws in late August.

Microsoft had followed Google in embedding Flash in the browser. Both companies believed doing away with the need for a separate plug-in would be more convenient for users. Google has had Flash within Chrome for more than two years.

The trade-off is that Microsoft is now responsible for shipping the fix at the same time as Adobe; any lag between Adobe's release and Microsoft's leaves IE10 users exposed to a publicly known bug. On the security side, not having a separate plug-in means one less application for users and administrators to keep up to date.
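Because the embedded Flash in IE10 is serviced through Windows Update rather than Adobe's own installer, the practical question for an administrator is which Flash build a Windows 8 machine actually has. The following PowerShell script is an added example, not code from the article, Microsoft or Adobe: it reads the file version of the embedded ActiveX control and compares it with a minimum version you supply from Adobe's bulletin. It assumes the control is installed as Flash.ocx under %SystemRoot%\System32\Macromed\Flash (and under SysWOW64 for 32-bit IE on 64-bit Windows); those paths and the `-MinimumVersion` parameter are assumptions, and the script deliberately takes the fixed version as input rather than hard-coding one.

```powershell
# Added example (not from the article): report the Flash Player version embedded
# in IE10 on Windows 8 and flag it if it is older than a version you supply.
# Assumption: the control is %SystemRoot%\System32\Macromed\Flash\Flash.ocx,
# with a second copy under SysWOW64 for 32-bit IE on 64-bit Windows.
param(
    # Supply the fixed version from Adobe's security bulletin, e.g. 11.3.374.7
    [version]$MinimumVersion = [version]'0.0.0.0'
)

function Get-EmbeddedFlashVersion {
    # Candidate locations of the embedded control (assumed paths, see lead-in)
    $candidates = @(
        (Join-Path $env:SystemRoot 'System32\Macromed\Flash\Flash.ocx'),
        (Join-Path $env:SystemRoot 'SysWOW64\Macromed\Flash\Flash.ocx')
    )
    foreach ($path in $candidates) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        # Build a System.Version from the numeric version parts rather than parsing
        # the FileVersion string, which Adobe formats with commas ("11,3,372,94").
        $vi = (Get-Item -LiteralPath $path).VersionInfo
        $ver = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                                         $vi.FileBuildPart, $vi.FilePrivatePart)
        New-Object PSObject -Property @{
            Path    = $path
            Version = $ver
        }
    }
}

$results = @(Get-EmbeddedFlashVersion)
if ($results.Count -eq 0) {
    Write-Output 'No embedded Flash.ocx found: not Windows 8 with IE10, or Flash is absent.'
    exit 2
}

$outdated = $false
foreach ($r in $results) {
    if ($r.Version -ge $MinimumVersion) {
        $state = 'OK'
    } else {
        $state = 'OUTDATED'
        $outdated = $true
    }
    Write-Output ('{0,-9} {1}  ({2})' -f $state, $r.Version, $r.Path)
}

# Non-zero exit so the script can drive an inventory or compliance check.
if ($outdated) { exit 1 } else { exit 0 }
```

Run it as `.\Check-EmbeddedFlash.ps1 -MinimumVersion 11.3.374.7` (substituting the version from Adobe's bulletin); an exit code of 1 means at least one copy of the control is older than that version, so the Windows Update package has not yet been applied. Checking the file version rather than the Windows Update history avoids depending on a KB number and works for the pre-release builds the article mentions.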

"Overall, these bundling decisions are positive for security as they minimize the amount of updaters a single machine has to deal with," said Wolfgang Kandek, chief technology officer for Qualys. "I am confident that Microsoft will be releasing future security updates promptly as Windows 8 becomes a production operating system."

Separately, Microsoft released two security updates Tuesday as part of its regular monthly patch release. The fixes were for Visual Studio Team Foundation Server and System Center Configuration Manager; neither requires a reboot of the operating system.

The small number of fixes left Storms wondering what was in store for next month, given the backlog of bugs known to many security experts.

"This does make you wonder what Microsoft has planned for the October patch," he said. "Did Microsoft choose to deliver an extremely small patch this month because they have a monster patch in final testing for next month?"
