So much for Microsoft's 'transparency' on security updates

Microsoft said it's fixing IE10/Flash interaction, but remains mum on documentation and impact on Metro IE10 updates

Last week Microsoft promised a big change in the way Internet Explorer 10 reacts to Flash -- moving from a whitelist to a blacklist -- and said the fix would roll out last Tuesday. An official IEBlog post gave users less than one day's notice the change was coming. Although it wasn't clear from the post, many figured the Flash flip-flop would be rolled into one of Microsoft's Black Tuesday patches.

But none of the security bulletins last Tuesday mentioned the change to Flash, nor do any Knowledge Base articles. MS13-021/KB 2809289, Tuesday's big Internet Explorer patch roll-up, doesn't mention Flash even once. The Security Advisory about Flash for Windows 8, SA 2755801, was updated last Tuesday, but it doesn't mention the IE10 about-face either.

It gets stranger. That IEBlog post explains how the behavior of IE10 in Windows 8 will change, both on the old-fashioned desktop and in the new Immersive/Windows Store/Metro version of IE10. One might assume that Microsoft would change Metro IE10 at the same time it changes legacy IE10. According to a new Security Response Center post, Microsoft is going to start updating Metro apps through the Windows Store -- and it promises to document those changes. Here's what MSRC Senior Director Mike Reavey says:

We are committed to adapting our policies as the world evolves and with the new Windows Store, we evaluated how to best release security updates for Windows Store apps. Our goal is to have a quick, transparent and painless security update process. With this in mind, we will deliver high quality security updates for Windows Store apps as they become available. This applies to Microsoft apps that are installed using the Windows Store and to apps like Mail, which are preinstalled with Windows 8 but updated using the Windows Store. Providing security updates to these apps more frequently will allow us to add new functionality, fix issues and improve security. This will also help developers to avoid introducing new issues during the update process.

To ensure transparency, we will document all security updates for Microsoft apps in the Windows Store in a security advisory, which we will revise with each new security update release. The security update process itself will be identical to that of any other Windows Store app update--customers will simply click on the store tile and select the update.

Is it possible to change Metro IE's behavior by just patching the desktop version of IE10? I don't know, and Microsoft has never said. Whether the bits on the Windows RT side of the fence get changed or not, certainly this major change in Metro IE's behavior warrants some sort of footnote in a Metro IE10 patch log.

Reavey says Microsoft "will document all security updates for Microsoft apps in the Windows Store in a security advisory, which we will revise with each new security update release." This is the first (disclosed) security update for a Metro app issued after the change in policy, so where's the Windows Store update? Where's the Security Advisory? A patch log?

Is this newfound transparency for real or just a publicity gimmick by Microsoft?

I'm waiting for the first botched Metro patch to come out of the new Windows Store automatic update chute. Since it's impossible to roll back Metro app changes -- indeed, at this point we aren't even advised of the changes or given an explanation for them, and we don't have a change log -- Microsoft's going to be under a lot of pressure to only release good patches on the Metro side. Given the company's track record, including a blue screen-inducing botched patch last month, I'm not holding my breath.

Thanks to SB for the heads-up.

This story, "So much for Microsoft's 'transparency' on security updates," was originally published on the InfoWorld Tech Watch blog.

Copyright © 2013 IDG Communications, Inc.