News

Adobe Flash Player Security Patch Arrives from Microsoft

• By Kurt Mackie
• 02/22/2017

Microsoft this week released unannounced security updates for Adobe Flash Player in Windows.

Typically, Microsoft would have released these security updates last week with its general "update Tuesday" bundle. However, those February security updates were deferred till March, possibly because Microsoft had some kind of backend technical glitch happening.

The failure to release was the first such patch delay in nearly 10 years, but the deferral also meant that Microsoft was putting off its Adobe Flash Player fixes. Flash is considered to be a flagrant security target, so the deferral perhaps became awkward for some organizations. To ensure security, they may have considered blocking Flash for a month, for instance. Microsoft has regularly been distributing Flash security patches, like clockwork, ever since it started the practice with Windows 8.

No clue was offered about Microsoft's change of course. The Microsoft Security Response Center offered a tersely worded announcement today about the availability of the Flash patches. In addition, there's a security bulletin summary available for MS17-005 describing the Flash patches.

Microsoft eventually plans to replace its summary announcements with a new Security Updates Guide portal.The bulletin ID numbering scheme also will get dropped. That switch is supposed to happen sometime this month.

Microsoft's security bulletin summary indicated that the Flash patches are designed to address remote code execution vulnerabilities for some currently supported Windows systems. For instance, the bulletins are rated "Critical" for Windows client operating systems all the way back to Windows 8.1. They are rated "Moderate" for Windows Server 2012 but "Critical" for Windows Server 2016.

While the Flash security patches are now available, Microsoft possibly will be sticking with its previously stated plan to deliver its other February patches next month on March 14.

Zero-Day Flaw
Meanwhile, a problem with an older patch, discovered by a Google engineer, was publicly reported after passing a 90-day deadline for a fix. The problem concerns MS16-074, which fixed some flaws but still permits a "device independent bitmap" bug that could let attackers gain access to information, according to the Project-Zero description. In response to a question about this allegedly unresolved bug, a Microsoft spokesperson offered the following response, suggesting that a fix could arrive later:

Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices. Our standard policy is to provide solutions via our current Update Tuesday schedule.

"Redstone 3"?
In other news, Microsoft may be planning to release a second major Windows 10 update after the release of the coming Windows 10 "creators update." The creators update (code-named "Redstone 2") is expected to arrive this spring. Redstone 1, released in November, was the so-called "anniversary update."

The idea that there might be a second major Windows 10 release this year was reported in a Thurrott.com article this week. That notion is based on a screenshot taken from the Microsoft Ignite Australia event, which took place earlier this month. The screenshot, though, doesn't indicate the month when the second major update could arrive.

Of course, Microsoft has typically said that it plans two major Windows 10 update releases per year, along with monthly OS feature and security updates. The two major Windows 10 updates have been broadly described as happening in the summer and fall.