Microsoft to patch Windows 8 Flash bug before OS released

Microsoft plans to release a patch for a Flash vulnerability in Windows 8 soon, reversing a prior decision to wait until the operating system is generally available.

The reversal followed criticism in the media for waiting to patch a known vulnerability that Flash creator Adobe had already fixed. In Windows 8, Microsoft has embedded Flash in Internet Explorer 10, taking responsibility for updating the browser when Adobe releases patches. Flash is among the top browser-based security risks.

In a statement emailed Tuesday, Microsoft said it was working with Adobe to develop a fix for IE10. "This update will be available shortly," the company said. "Ultimately, our goal is to make sure the Flash Player in Windows 8 is always secure and up-to-date, and to align our release schedule as closely to Adobe's as possible."

Paul Henry, security and forensic analyst at Lumension, said releasing the patch before Windows 8 is on store shelves was a good precautionary move. "They're just getting ready to crank things up on that operating system and the last thing they want is to release it, have large adoption in the enterprise, and then be immediately hit with a problem due to a known third-party issue," Henry said.

Another security expert bristled over Microsoft not giving an exact date for the patch release. "It's not very useful to say the patch will be out 'soon,'" said Andrew Storms, director of security operations at nCircle. "Soon could mean anything from next week to next quarter. It seems like this whole release was an unplanned after-thought; it takes me back to the bad old days when vendors didn't communicate clearly about security releases."

Microsoft said late last week that it would patch the Flash bug in IE10 when the operating system hits retail and when Windows 8-based PCs are in stores. That's set to happen Oct. 26.

Not patching beforehand meant Windows 8 would have been vulnerable to attack immediately after it became generally available. Systems currently running pre-release versions of the operating system were also at risk. Adobe had patched the Flash flaws in late August.

Microsoft had followed Google in embedding Flash in the browser. Both companies believed doing away with the need for a separate plug-in would be more convenient for users. Google has had Flash within Chrome for more than two years.

The flip side is that Microsoft is now responsible for releasing patches at the same time as Adobe to avoid exposing customers to attack. On the security side, not having a separate plug-in means one less application to keep up to date.

"Overall, these bundling decisions are positive for security as they minimize the amount of updaters a single machine has to deal with," said Wolfgang Kandek, chief technology officer for Qualys. "I am confident that Microsoft will be releasing future security updates promptly as Windows 8 becomes a production operating system."

Meanwhile, Microsoft released on Tuesday two security updates as part of its regular monthly release of patches. The fixes were for Visual Studio Team Foundation Server and System Center Configuration Manager. The patches do not require a reboot of the operating system.

The small number of fixes left Storms wondering what was in store for next month, given the backlog of bugs known to many security experts.

"This does make you wonder what Microsoft has planned for the October patch," he said. "Did Microsoft choose to deliver an extremely small patch this month because they have a monster patch in final testing for next month?"

By Antone Gonsalves