would not patch a Flash exploit in its forthcoming Internet Explorer 10 (IE 10) until after Windows 8 ships on October 26, has changed its tune. On Tuesday, the company stated that the security hole will be addressed before the new OS and browser reach consumers.
Flash vulnerabilities have been tied to high-profile zero-day attacks. Following the tactic Google adopted several years ago with Chrome, Microsoft announced earlier this year that it will bundle Adobe's Flash Player directly into IE 10, rather than allowing it to run as a normal plug-in. By embedding the capability, Microsoft said it has not only optimized Flash execution for Windows 8 but also made security "more convenient" by reducing the number of individual updates customers must install to thwart threats.
Larry Ponemon--who founded and chairs the Ponemon Institute, an information security think tank--said in a phone interview that Microsoft must have found "something on the security side that wasn't part of their calculus when they decided to wait," noting that the Redmond-based computing giant is a "smart business" that usually doesn't make decisions based on momentary criticisms from the blogosphere.
Ponemon declared that attacks characteristic of the exploit usually pursue "surgical" targets, such as emails or confidential information, but that "malware on steroids" has also become a problem. These malicious programs, he stated, use Flash to find a way into a user's system, and then morph into something else, such as a botnet that can launch denial-of-service attacks.
Gartner VP Dan Blum said in a phone interview that IE is a complex product and that "any changes to it require relatively more work than… Chrome, which is a smaller product." With Windows 8 imminent, he said Microsoft will have a natural desire to freeze products as much as possible in order to avoid retesting or shipping delays.
He remarked that he is glad the IE 10 bug will be fixed, as shipping a product with a "known security hole is not good." He stated that early-adopting consumers, to say nothing of people who have been using vulnerable beta versions of the refreshed OS and browser, would have been at risk because the IE 10 bug is "already weaponized." Still, had Microsoft waited, Blum said, the consequences would have been difficult to predict. "It wouldn't have helped," he said, but he hesitated to say Flash problems could have tarnished the Windows 8 release. The new products' introduction into mission-critical operations "is going to be kind of slow anyway," he said, because "clients are amortizing their Windows 7 investment."
Steven Santorelli directs global outreach for Team Cymru, a non-profit security research firm, and previously worked for both Scotland Yard's Computer Crime Unit and, later, Microsoft. He wrote in an email that patching the vulnerability is a huge effort: "The amount of cross-platform testing … is mind-boggling and pushing out a patch out of sequence is hugely expensive" because of the resources that have to be reallocated from other projects. Like Ponemon, he suspected that new information prompted what is in effect an emergency update. He applauded Microsoft's proactive turn, writing, "If every vendor patched that way, there'd be far fewer unpatched vulnerabilities out there."
Projecting how Windows 8 will fare, Blum said additional vulnerabilities are going to be discovered but that Microsoft could ultimately be perceived as "a more secure tablet solution than Android because Microsoft has relationships with security vendors and consistency and control that Google doesn't really have."
Ponemon, meanwhile, said Flash bundling, despite this initial hiccup, should produce a more secure environment. He added, "Everybody is waiting to see [what Windows 8 offers]. Nothing's perfect in terms of security."