09 Oct 2012

Microsoft Rushes IE 10 Flash Bug Fix in No Time


Microsoft released a patch for 25 security vulnerabilities in the Adobe Flash Player component of Internet Explorer 10 right after Adobe issued its own fix for the flaws in the Flash Player plug-in.

Windows 8 and Windows Server 2012 users who haven’t disabled automatic updates will receive the Flash patch automatically through Windows Update, while the others need to follow the instructions in the Microsoft Security Advisory to manually download and install the patch.

Even though the Redmond-based company initially announced it would release patches only after the official launch of Windows 8, Microsoft changed its mind and chose to work hand in hand with Adobe and "coordinate on disclosure and release timing" for all future security issues concerning Flash Player.

Since the Adobe fix doesn’t work for the Flash component in IE 10, Microsoft needed to release its own dedicated patch to address the Flash Player vulnerabilities for its customers. That is why, shortly after Adobe issued a security patch for 25 new vulnerabilities in Flash Player on all its supported platforms, along with a patch for the vulnerabilities on platforms using the Flash plug-in, Microsoft revised its own security advisory from September to include fixes for all of the problems identified in Adobe's bulletin.

This way, IE 10 users received the security update at almost the same time as people using older versions of IE or other platforms that support Flash Player.

"Microsoft is committed to taking the appropriate actions to help protect our customers and we are working closely with Adobe to deliver quality protections that are aligned with Adobe’s update process," Yunsun Wee, director of Microsoft's Trustworthy Computing group, explained in a blog post on technet.com.

Zero-day exploitation against the browser or browser components such as plug-ins is extremely difficult to block in the absence of a vendor-issued patch. Installing a security solution can dramatically help the user dodge attacks until a patch is made available.