Tuesday, Microsoft pushed out a patch to Windows XP, 98, and Millennium users for Flash Player, an Adobe-owned multimedia application that's bundled with those operating systems. It was the first time that the Redmond, Wash. developer had issued an update for a non-Microsoft product using its Windows Update service.
A Microsoft spokesman explained the decision Tuesday afternoon by saying that "Flash Player is a third-party technology that is redistributed by Microsoft in certain versions of Windows, therefore some Microsoft customers may be at risk.
"Microsoft is committed to protecting our customers from security threats and so has worked closely with Adobe to develop, test, and release security updates that help protect our mutual customers from these security vulnerabilities," he continued.
When asked Wednesday whether the Flash update was a one-time event or the beginning of a long-term practice, the spokesman's answer was oblique.
"I think Chris Andrew had it right when you quoted him as saying, 'Third-party vulnerabilities, when those third-party products are bundled with Windows, must be patched just as if they were Windows bugs,'" the spokesman added Wednesday.
Andrew, vice president of security technologies at patch and vulnerability management maker PatchLink, commented in a TechWeb story Tuesday about the three security bulletins Microsoft released, including MS06-020, the one which updates Flash Player.
"Is this a move to take more accountability of bundled, partnered products in Windows?" asked Mike Murray, director of research at vulnerability management vendor nCircle, in that same story Tuesday. "If so, that would be huge, a phenomenal step for Microsoft, to essentially 'own' security at any level that touches the Microsoft OS."