It's unknown how Microsoft will handle updates for Flash after Windows 8 ships next month: The company has said nothing other than it will deliver Flash changes through its own Windows Update service.
In July, however, Microsoft announced it now had the capability to update IE each month if necessary, a break with a years-long tradition of patching the browser only in even-numbered months. The change may be a clue that Microsoft expects to update Flash in IE10 on Windows 8 frequently.
But even a monthly timetable could leave Windows 8 users vulnerable to Flash exploits for weeks unless Adobe or Microsoft, or both, change their update practices.
Microsoft has a monthly patching schedule, called Patch Tuesday, and has rarely gone outside that to issue emergency, or "out-of-band," updates. In the last two years, for instance, it has shipped just one out-of-band patch. Meanwhile, Adobe does not adhere to any set patching schedule for Flash Player.
If Windows 8 had been available from the start of 2012, and Adobe and Microsoft had not adjusted their update ship dates, users would have been vulnerable a total of 77 days through Sept. 11, or about 30% of the year, assuming Microsoft updated Flash on the first-available Patch Tuesday after Adobe released its fixes.
The longest delay of 2012's seven Flash updates would have been 27 days, when Adobe released Flash patches on Feb. 15, the day after Microsoft shipped the month's updates. The second-longest would have been the 21 days between Adobe's Aug. 21 update and next Tuesday's expected patches from Microsoft.
Storms said Microsoft has to do better than that.
"They have to meet the gold standard, which is Chrome," said Storms. "Given Microsoft's relationship with Adobe with respect to MAPP, one would think that Microsoft and Adobe would be in lockstep to deliver patches." Adobe joined the Microsoft Active Protections Program (MAPP) in 2010, through which it shares details on its latest bugs and patches with other security firms.
In this instance, at least, Microsoft is certainly not in step with Adobe.
"Using Windows Update to keep constantly buggy versions of Flash updated is a nice idea, but if you can't deliver in a timely fashion then it doesn't mean a whole lot," said "dicobalt" on Microsoft's support forum.
Until Microsoft patches Flash on IE10 in Windows 8, users can run a different browser -- Chrome or Mozilla's Firefox, for example -- that relies on the up-to-date Windows plug-in.