Adobe Flash patch out of band – Patch Thursday?


Adobe has just released another critical fix for its ubiquitous Flash Player and AIR software. According to the bulletin, it addresses two separate flaws.

CVE-2010-0186 is a cross-domain vulnerability in the Flash sandbox that could allow content from one domain to make unauthorized requests to another, exposing browser data across site boundaries. CVE-2010-0187 is also addressed; it is the less dangerous of the two, resulting only in a denial of service.

Adobe seems to be having trouble releasing patches predictably. Last summer the company committed to releasing once per quarter, on the second Tuesday of the month, which lines up with every third Microsoft "Patch Tuesday". The next scheduled Adobe patch would have been March 9th, yet today's release is neither on a Tuesday nor in March.

A vulnerability in Flash disclosed to Adobe 18 months ago has still not been patched, and was not part of today’s release. The product manager for Flash, Emmy Huang, apologized on her blog last week and explained the corrective actions Adobe is taking.

As I have blogged before, Adobe should move to a patch cycle shorter than the promised 12 weeks.

A company as large as Adobe must understand the constraints IT managers face, such as change control. Predictability is essential to planning software rollouts and patch cycles. I am sure many administrators were surprised by today's patch, and many more have no idea it is even available.

Make sure you get those Flash Players patched; it is only a matter of time before our adversaries begin exploiting these flaws on the open web. You can get the latest Flash Player from http://get.adobe.com/flash and Adobe AIR from http://get.adobe.com/air.
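Since many administrators will not know whether their fleet has picked up an out-of-band update, the one check worth having is a version comparison against the fixed version in the bulletin. The script below is an added example written for this post; it is not code from Adobe or from the original article. It parses the two version formats Flash reports (dotted, as on Adobe's download pages, and comma-separated with a platform prefix, as returned by the plugin's `$version` variable), compares them numerically rather than as strings, and audits a constructed inventory of hosts. The required version is a parameter; the value used in the demo is an assumed placeholder that must be replaced with the version stated in the bulletin. The Windows registry location it reads is likewise an assumption and is only used when the script runs on Windows.

```python
"""Audit installed Flash Player versions against a required (patched) version.

Added example, not code from the original post or from Adobe.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]

# Matches "10.0.45.2", "10,0,45,2" and "WIN 10,0,45,2" alike.
_VERSION_RE = re.compile(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)")


def parse_flash_version(text: str) -> Optional[Version]:
    """Return the four-part version as a tuple of ints, or None if absent."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    parts = tuple(int(g) for g in match.groups())
    return parts[0], parts[1], parts[2], parts[3]


def is_patched(installed: str, required: str) -> bool:
    """True if `installed` is at or above `required`.

    Tuples compare element-wise, so 10.0.45.2 > 10.0.9.0 is handled correctly;
    a plain string comparison would rank "10.0.9.0" above "10.0.45.2".
    Raises ValueError if either string carries no recognisable version.
    """
    have = parse_flash_version(installed)
    need = parse_flash_version(required)
    if have is None or need is None:
        raise ValueError("unparsable Flash version: %r / %r" % (installed, required))
    return have >= need


def audit(inventory: Dict[str, str], required: str) -> Dict[str, str]:
    """Classify each host as 'ok', 'outdated' or 'unknown' (unparsable report)."""
    result = {}
    for host, reported in inventory.items():
        try:
            result[host] = "ok" if is_patched(reported, required) else "outdated"
        except ValueError:
            result[host] = "unknown"
    return result


def windows_installed_version() -> Optional[str]:
    """Read the ActiveX Flash Player version from the registry (Windows only).

    Assumption: the value lives at HKLM\\SOFTWARE\\Macromedia\\FlashPlayer,
    CurrentVersion, in comma-separated form. Returns None elsewhere or if absent.
    """
    try:
        import winreg  # only present on Windows
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            r"SOFTWARE\Macromedia\FlashPlayer") as key:
            value, _ = winreg.QueryValueEx(key, "CurrentVersion")
            return str(value)
    except OSError:
        return None


if __name__ == "__main__":
    # Assumed placeholder: replace with the fixed version from Adobe's bulletin.
    REQUIRED = "10.0.45.2"
    # Constructed sample inventory, as an inventory tool might report it.
    sample = {
        "ws-01": "WIN 10,0,42,34",   # pre-update release
        "ws-02": "10.0.45.2",        # already updated
        "ws-03": "MAC 10,0,9,0",     # old; string compare would rank this "newer"
        "ws-04": "not installed",
    }
    for host, status in sorted(audit(sample, REQUIRED).items()):
        print(host, status)
    local = windows_installed_version()
    if local is not None:
        print("this host:", local, "patched" if is_patched(local, REQUIRED) else "OUTDATED")
```

Feed the audit whatever your inventory tool reports for the Flash plugin; any host that comes back "unknown" deserves a manual look, since a missing or malformed version string usually means the plugin was installed by a path the inventory does not track.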