Microsoft to Patch Adobe Flash Player in Windows 8 'Shortly'

Microsoft said it will update Adobe Flash Player to close security holes before Windows 8 is generally available. In Windows 8, Flash is embedded in Internet Explorer 10.

Microsoft is working with Adobe Systems to patch vulnerabilities in Adobe Flash Player affecting Windows 8, apparently changing course and choosing to push out a fix before the operating system hits stores next month.

In Windows 8, Microsoft has opted to embed Flash Player in Internet Explorer 10 (IE 10). Last week, the company said publicly that it would wait until Windows 8 was generally available before patching Flash Player with the latest updates issued last month by Adobe.

However, in a statement Sept. 13, a Microsoft spokesperson told eWEEK that the company is working with Adobe to release an update for Flash in IE 10 that will be available shortly. Since Flash Player is embedded in IE 10, Microsoft will be responsible for patching it for Windows 8 users.

"Ultimately, our goal is to make sure the Flash Player in Windows 8 is always secure and up-to-date, and to align our release schedule as closely to Adobe's as possible," the spokesperson said in a statement.

Wolfgang Kandek, CTO at Qualys, said the decision to embed Flash Player into IE 10 is the right thing to do, noting that integrating Flash into IE and taking the responsibility for rolling out patches will improve end-user security. Hopefully, the decision will pave the way for other third-party programs to be patched through the Microsoft updater, he said.

"When we look at statistics from our BrowserCheck application we constantly see that 3rd party applications (i.e. Flash, Java, Reader) are slower in updating than Windows native application (i.e. Windows Media Player)," he said in an email. "We attribute that to the lack of automatic update mechanisms in some older applications, plus usability and integration issues with the multiple update mechanisms that a typical PC user has to deal with."

Such flaws are often targeted by users of exploit kits such as Black Hole, which recently was updated by its creator to include new features designed to thwart efforts by security researchers.

Lamar Bailey, director of security research and development at nCircle, said shipping a product with known security flaws is bad practice, and requiring a patch installation immediately after installing a new OS is no better.

"Since Microsoft decided to follow the Google Chrome model of embedding Flash within browser, they're tied to Adobe now for better or worse," he said in an email. "Flash has been plagued with security issues for a long time, and embedding Flash means that IE10 end users will have to wait for Microsoft to patch Flash issues."

"How this will work out in the long run is anyone's guess," he said. "Will Adobe release security information to Microsoft early enough to get Flash patches to Windows 8 users at the same time they hit the rest of the market? Will Adobe delay patches for everyone to sync up with Microsoft?"