Microsoft surprised Windows 8 and Windows Server 2012 users on Monday by issuing a patch that fixes 25 security vulnerabilities found in the Adobe Flash Player component of Internet Explorer 10, mere hours after Adobe issued its own patch for the Flash Player plug-in used by other browsers.
Unlike earlier versions of Internet Explorer, IE10 bundles Flash Player as an integral part of the browser, much like how Google bundles Flash with Chrome. That means Adobe's patches, which are designed for the plug-in version of Flash, won't work on IE10. As with other IE10 security flaws, security fixes for IE10's Flash component can only come from Microsoft.
Redmond issued its first such patch in September, but only after weathering intense criticism from users over its poor response time. Initially, Microsoft had said that it did not intend to patch the flaws until after Windows 8's official launch on October 26. Even after it relented and provided a prerelease fix, Microsoft's patch for IE10 arrived more than a month after Adobe shipped its patch for other platforms.
In response to growing user concerns, Yunsun Wee, director of Microsoft's Trustworthy Computing group, issued a statement explaining that Microsoft planned to work closely with Adobe to develop patches for future Flash vulnerabilities and that the two companies would "coordinate on disclosure and release timing." But no one was really sure what that meant until now.
On Monday, Adobe issued a security bulletin disclosing 25 new vulnerabilities located in the Flash Player across all of it supported platforms, along with a patch that fixed those vulnerabilities on platforms that use the plug-in version of Flash.
Later that same day, Microsoft revised its own security advisory from September to include fixes for all of the problems identified in Adobe's bulletin, putting IE10 back on par with other platforms in terms of security with virtually no delay.
"We remain committed to taking the appropriate actions to help protect customers and will continue to work closely with Adobe to deliver quality protections that are aligned with Adobe's update process," Wee wrote in a blog post.
Although Wee stopped short of saying that "aligned" meant users should expect all future IE10 Flash patches to arrive the same day Adobe issues them, Monday's action should go a long way to assuage fears that Microsoft's latest browser would perpetually lag behind the latest security fixes.
According to Wee, users of Windows 8 and Windows Server 2012 – the only platforms that currently can run IE10 – should receive the Flash patches automatically via Windows Update. Users who have disabled automatic updates should follow the instructions in the advisory to download and install the patches by hand. ®