Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Adobe, now 'married' to Microsoft, moves Flash updates to Patch Tuesday

Gregg Keizer | Nov. 8, 2012
Adobe on Tuesday announced that it will pair future security updates for its popular Flash Player with Microsoft's Patch Tuesday schedule.

Storms agreed. "In a few months, the Flash update will just be a regular part of the Patch Tuesday cycle," he predicted. "The move is going to force Adobe to get into a regular cycle with repeatable processes that their end users will come to recognize and appreciate."

Adobe spokeswoman Wieke Lips said her firm had "discussed both internally and coordinated with Microsoft" the move to Patch Tuesday.

Storms and Kandek suspected that Adobe's hand was forced -- whether of its own volition or at the urging of Microsoft -- when the latter decided to bundle Flash with IE10.

"The new Adobe timing is to accommodate the typical Patch Tuesday release schedule for Windows, which enterprise customers depend upon," Kandek said.

What was a surprise, Storms said, was that it took this long for Microsoft and Adobe to sync security releases, particularly after the backpedaling by Microsoft in September. "That was a clear sign that despite the executive decision to put Flash in IE10, nobody considered the ramifications," Storms said. "Sadly, the people left holding the bag were Microsoft users on their brand new Windows 8 platform."

In hindsight, Storms was right: If there was one company destined to ride Patch Tuesday's coattails, it was Adobe, which has adopted Microsoft's security coding practices and used some of its anti-exploit "sandboxing" technologies in its Reader and Flash.

Microsoft declined to answer questions about Adobe's decision, including whether Microsoft had pressed its partner to make the call. Instead, the company issued a statement attributed to Dave Forstrom, a director in the firm's Trustworthy Computing group, that said, "Our customers tell us that they strongly prefer a predictable cadence of security-update releases, and we aim to honor that preference."

While Adobe characterized the decision as one of convenience and predictability for users rather than a security improvement, Kandek saw it slightly different.

"Releasing scheduled Adobe Flash updates any other time would force Microsoft to make their IE10 updates out-of-band, as they would want to maintain a close interval between Flash release and IE10 release," Kandek said.

If Microsoft was unwilling or unable to ship emergency updates for IE10, Windows 8 and Windows RT users would be vulnerable to quick-strike Flash exploits, potentially for weeks.

Adobe's Tuesday update patched seven vulnerabilities, all which could be used by hackers to hijack Windows PCs, Macs and machines running Linux. Engineers in Google's security team, as they often do, reported the seven to Adobe.

Microsoft updated IE10 on Windows 8 and Windows RT on Tuesday, making it the second time in a row that the company shipped patches the same day Adobe refreshed Flash.

Google, which has been bundling Flash with its Chrome browser for over two years, also updated its browser to include the patched version of the media player.


Previous Page  1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.