Feeds

Surprise! Microsoft patches latest IE10 Flash vulns on time

Issues fixes same day as Adobe's patch

Using blade systems to cut costs and sharpen efficiencies

Microsoft surprised Windows 8 and Windows Server 2012 users on Monday by issuing a patch that fixes 25 security vulnerabilities found in the Adobe Flash Player component of Internet Explorer 10, mere hours after Adobe issued its own patch for the Flash Player plug-in used by other browsers.

Unlike earlier versions of Internet Explorer, IE10 bundles Flash Player as an integral part of the browser, much like how Google bundles Flash with Chrome. That means Adobe's patches, which are designed for the plug-in version of Flash, won't work on IE10. As with other IE10 security flaws, security fixes for IE10's Flash component can only come from Microsoft.

Redmond issued its first such patch in September, but only after weathering intense criticism from users over its poor response time. Initially, Microsoft had said that it did not intend to patch the flaws until after Windows 8's official launch on October 26. Even after it relented and provided a prerelease fix, Microsoft's patch for IE10 arrived more than a month after Adobe shipped its patch for other platforms.

In response to growing user concerns, Yunsun Wee, director of Microsoft's Trustworthy Computing group, issued a statement explaining that Microsoft planned to work closely with Adobe to develop patches for future Flash vulnerabilities and that the two companies would "coordinate on disclosure and release timing." But no one was really sure what that meant until now.

On Monday, Adobe issued a security bulletin disclosing 25 new vulnerabilities located in the Flash Player across all of it supported platforms, along with a patch that fixed those vulnerabilities on platforms that use the plug-in version of Flash.

Later that same day, Microsoft revised its own security advisory from September to include fixes for all of the problems identified in Adobe's bulletin, putting IE10 back on par with other platforms in terms of security with virtually no delay.

"We remain committed to taking the appropriate actions to help protect customers and will continue to work closely with Adobe to deliver quality protections that are aligned with Adobe's update process," Wee wrote in a blog post.

Although Wee stopped short of saying that "aligned" meant users should expect all future IE10 Flash patches to arrive the same day Adobe issues them, Monday's action should go a long way to assuage fears that Microsoft's latest browser would perpetually lag behind the latest security fixes.

According to Wee, users of Windows 8 and Windows Server 2012 – the only platforms that currently can run IE10 – should receive the Flash patches automatically via Windows Update. Users who have disabled automatic updates should follow the instructions in the advisory to download and install the patches by hand. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.