Feeds

Surprise! Microsoft patches latest IE10 Flash vulns on time

Issues fixes same day as Adobe's patch

SANS - Survey on application security programs

Microsoft surprised Windows 8 and Windows Server 2012 users on Monday by issuing a patch that fixes 25 security vulnerabilities found in the Adobe Flash Player component of Internet Explorer 10, mere hours after Adobe issued its own patch for the Flash Player plug-in used by other browsers.

Unlike earlier versions of Internet Explorer, IE10 bundles Flash Player as an integral part of the browser, much like how Google bundles Flash with Chrome. That means Adobe's patches, which are designed for the plug-in version of Flash, won't work on IE10. As with other IE10 security flaws, security fixes for IE10's Flash component can only come from Microsoft.

Redmond issued its first such patch in September, but only after weathering intense criticism from users over its poor response time. Initially, Microsoft had said that it did not intend to patch the flaws until after Windows 8's official launch on October 26. Even after it relented and provided a prerelease fix, Microsoft's patch for IE10 arrived more than a month after Adobe shipped its patch for other platforms.

In response to growing user concerns, Yunsun Wee, director of Microsoft's Trustworthy Computing group, issued a statement explaining that Microsoft planned to work closely with Adobe to develop patches for future Flash vulnerabilities and that the two companies would "coordinate on disclosure and release timing." But no one was really sure what that meant until now.

On Monday, Adobe issued a security bulletin disclosing 25 new vulnerabilities located in the Flash Player across all of it supported platforms, along with a patch that fixed those vulnerabilities on platforms that use the plug-in version of Flash.

Later that same day, Microsoft revised its own security advisory from September to include fixes for all of the problems identified in Adobe's bulletin, putting IE10 back on par with other platforms in terms of security with virtually no delay.

"We remain committed to taking the appropriate actions to help protect customers and will continue to work closely with Adobe to deliver quality protections that are aligned with Adobe's update process," Wee wrote in a blog post.

Although Wee stopped short of saying that "aligned" meant users should expect all future IE10 Flash patches to arrive the same day Adobe issues them, Monday's action should go a long way to assuage fears that Microsoft's latest browser would perpetually lag behind the latest security fixes.

According to Wee, users of Windows 8 and Windows Server 2012 – the only platforms that currently can run IE10 – should receive the Flash patches automatically via Windows Update. Users who have disabled automatic updates should follow the instructions in the advisory to download and install the patches by hand. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Arts and crafts store Michaels says 3 million credit cards exposed in breach
Meanwhile, Target investigators prepare for long process in nabbing hackers
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.