Adobe to fix Flash Player on Patch Tuesdays

  • Gregg Keizer (Computerworld (US))
  • — 19 November, 2012 11:09

Adobe has changed its schedule for releasing Flash Player security updates to coincide with Microsoft's Patch Tuesday schedule.

"Microsoft and Adobe are now officially married," joked Andrew Storms, director of security operations at nCircle Security, a software vendor, in an email. "They started dating when they decided to share the MAPP program," and once Microsoft agreed to embed Flash into Internet Explorer 10, it was "inevitable" that Adobe would begin following Microsoft's patch schedule, he said.

Under MAPP, or the Microsoft Active Protections Program, Microsoft provides select security vendors with prepatch information to give them time to craft detection signatures for new exploits or malware.

In July 2010, Adobe began using MAPP to deliver vulnerability information about its own products to security firms. Microsoft issues its security updates on the second Tuesday of each month. Until now, Adobe has released Flash bug fixes at irregular intervals.

The lack of synchronization became an issue after Microsoft announced it would bake Flash Player into IE10 for Windows 8 and its tablet spin-off, Windows RT. Problems surfaced in September when Microsoft said it would not patch IE10 for at least six weeks, even though Adobe had issued updates the previous month that addressed at least one vulnerability that hackers were already exploiting.

Microsoft later recanted and issued an update to IE10. It then issued another in October, on the same day Adobe shipped its Flash fixes. Some criticized Microsoft for breaking its schedule and confusing customers.

Now, however, some security professionals are praising Adobe's change. "Concentrating updates on a single day is a benefit for any organization," said Wolfgang Kandek, CTO of security vendor Qualys, in an email. "[The new schedule] should streamline rollouts and get Flash updates [installed] more widely."

This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.

Read more about security in Computerworld's Security Topic Center.

Tags: Cybercrime and Hacking, security, Microsoft, Malware and Vulnerabilities

Confirmed: hackers can use Heartbleed to steal private SSL keys

READ THIS ARTICLE
DO NOT SHOW THIS BOX AGAIN [ x ]
Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Business Risk Management Solutions

Create and deliver online assessments to identify business risks and track their mitigation and resolution.

Latest Jobs
Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).


  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.