Feeds

Surprise! Microsoft patches latest IE10 Flash vulns on time

Issues fixes same day as Adobe's patch

Beginner's guide to SSL certificates

Microsoft surprised Windows 8 and Windows Server 2012 users on Monday by issuing a patch that fixes 25 security vulnerabilities found in the Adobe Flash Player component of Internet Explorer 10, mere hours after Adobe issued its own patch for the Flash Player plug-in used by other browsers.

Unlike earlier versions of Internet Explorer, IE10 bundles Flash Player as an integral part of the browser, much like how Google bundles Flash with Chrome. That means Adobe's patches, which are designed for the plug-in version of Flash, won't work on IE10. As with other IE10 security flaws, security fixes for IE10's Flash component can only come from Microsoft.

Redmond issued its first such patch in September, but only after weathering intense criticism from users over its poor response time. Initially, Microsoft had said that it did not intend to patch the flaws until after Windows 8's official launch on October 26. Even after it relented and provided a prerelease fix, Microsoft's patch for IE10 arrived more than a month after Adobe shipped its patch for other platforms.

In response to growing user concerns, Yunsun Wee, director of Microsoft's Trustworthy Computing group, issued a statement explaining that Microsoft planned to work closely with Adobe to develop patches for future Flash vulnerabilities and that the two companies would "coordinate on disclosure and release timing." But no one was really sure what that meant until now.

On Monday, Adobe issued a security bulletin disclosing 25 new vulnerabilities located in the Flash Player across all of it supported platforms, along with a patch that fixed those vulnerabilities on platforms that use the plug-in version of Flash.

Later that same day, Microsoft revised its own security advisory from September to include fixes for all of the problems identified in Adobe's bulletin, putting IE10 back on par with other platforms in terms of security with virtually no delay.

"We remain committed to taking the appropriate actions to help protect customers and will continue to work closely with Adobe to deliver quality protections that are aligned with Adobe's update process," Wee wrote in a blog post.

Although Wee stopped short of saying that "aligned" meant users should expect all future IE10 Flash patches to arrive the same day Adobe issues them, Monday's action should go a long way to assuage fears that Microsoft's latest browser would perpetually lag behind the latest security fixes.

According to Wee, users of Windows 8 and Windows Server 2012 – the only platforms that currently can run IE10 – should receive the Flash patches automatically via Windows Update. Users who have disabled automatic updates should follow the instructions in the advisory to download and install the patches by hand. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.