Microsoft Updating IE10 Flash in Windows 8 a “Good Move”

Microsoft has reversed its earlier stance and promised an update to Flash for Windows 8 users “shortly.”

Last month, Adobe patched two serious vulnerabilities in its Flash Player for Windows. Since Flash Player is built in to Windows 8 much like the way Google decided to integrate the technology into its Chrome Web browser, the ball was in Microsoft’s court to fix the issues. However, Microsoft originally said that Windows 8’s official launch date was Oct. 26, and there were no plans to update the software until after launch.

This meant users who had already downloaded and installed the Windows 8 preview was vulnerable to attack. Microsoft appears to have reconsidered its decision on Tuesday.

“In light of Adobe’s recently released security updates for its Flash Player, Microsoft is working closely with Adobe to release an update for Adobe Flash in IE10 to protect our mutual customers,” Yunsun Wee, director of the Trustworthy Computing Group, said in an emailed statement. Wee did not commit to a timeline, just saying it would be available “shortly.”

Paul Henry, a security and forensic analyst at Lumension, told SecurityWeek that Microsoft’s reversing its earlier decision was “a good move.” Henry said Microsoft likely didn’t want to release the operating system and then immediately have to deal with users being affected by a known third-party issue.

“Kudos to Microsoft for rolling out a patch for a product that really has no adoption yet,” Henry said.

For the most part, users currently running Windows 8 are either early adopters or volume license customers using the operating system for testing and deployment purposes. The release to manufacturing (RTM) version of Windows 8 was released last month.

“You have to respect Microsoft quickly rolling this out while other vendors, like Apple, do nothing,” Henry said, referring to the fact that some Java vulnerabilities are still unpatched in some versions of Mac OS X. Apple users are “under the mistaken assumption” that the patch fixed both Java vulnerabilities, instead of just one, Henry added.

It’s not clear at this time if Microsoft and Adobe will be shifting their current update schedules in order to release patches closer together. Google currently pushes out its updates a day before Adobe, who usually has scheduled Flash updates on the third Tuesday of the month. Microsoft’s Patch Tuesday falls on the second Tuesday.

“Ultimately, our goal is to make sure the Flash Player in Windows 8 is always secure and up-to-date, and to align our release schedule as closely to Adobe’s as possible,” Wee said.