Adobe drags Google into Microsoft's Patch Tuesday

Adobe's decision to fix Flash on Patch Tuesday forces Google to update Chrome the same day

Google has been dragged into adopting rival Microsoft's Patch Tuesday, fallout from an Adobe move last month.

Earlier this week, Google updated its Chrome browser, quashing six bugs and as it often does, also updating Adobe's Flash Player. That same day, Microsoft shipped seven security updates to patch 12 vulnerabilities, and Adobe released a new version of Flash to address three critical bugs.

It was the Flash patches that triggered Chrome's copycat update: In November, Adobe announced it would synchronize Flash updates with long-time-partner Microsoft's Patch Tuesday. Most security experts applauded the decision, which they said was prompted by the bundling of Flash with Internet Explorer 10 (IE10) on Windows 8 and Windows RT.

Those same experts said Adobe's hand was probably forced by Microsoft, which had bumbled this fall when it failed to sync IE10 updates with those shipped by Adobe for Flash.

But because Google also bakes Flash Player into Chrome, Adobe's Patch Tuesday adoption also requires Google to ship updates the same day or put its users at risk.

Chrome has included Flash since April 2010, and is regularly updated whenever Adobe patches the popular media player.

Security professionals praised the three-vendor synchronization on the month's most important patch day.

"We already knew that Microsoft was the leader in security patch cadence, so for others to fall in line was inevitable," said Andrew Storms, director of security operations, in an instant message interview. "I suspect the more this happens, the more vendors will want to coordinate. It really is better for both them and customers if everyone knows a patch is imminent."

Jason Miller, manager of research and development at VMware, concurred. "It's good to see vendors coordinate like this," he said in an interview earlier this week.

But even more could be done.

"The biggest win [for users] is if all the vendors provided an advance notification so security teams could plan accordingly," he said. "Without proper notice, we are really in the same boat as before, where the surprise updates catch you off guard."

Adobe does not offer pre-patch notifications for Flash -- it does for Adobe Reader and Acrobat, however -- and neither does Google for Chrome.

Although Google patched Chrome on Tuesday -- and also on last month's Patch Tuesday of Nov. 13 -- it does not hew to a Patch Tuesday-only schedule, as Microsoft and Adobe do for all but emergency updates. Typically, Chrome is patched several times each month, on no set schedule. In the month between the last two Patch Tuesdays, for instance, Google updated Chrome twice.

The six Chrome patches Google provided Dec. 11 included three reported by independent researchers, who were awarded a total of $4,500 in bounty payments. So far this year, Google has paid more than $380,000 in Chrome bounties.

Chrome is automatically updated in the background each time Google patches the browser. The newest version can also be downloaded from Google's website for Windows, OS X and Linux.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

Read more about security in Computerworld's Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags GoogleMicrosoftsecurityWindowssoftwareoperating systems

More about Adobe SystemsAndrew Corporation (Australia)AppleGoogleLinuxMicrosoftTopicVMware Australia

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place