Microsoft later today will reverse a months-long practice in how Internet Explorer 10 (IE10) handles Adobe's Flash Player on Windows 8's and Windows RT's Modern user interfaces.
The change will be pushed to users along with the March slate of Patch Tuesday security updates at approximately 1 p.m. ET.
Rather than block all sites using Flash except those handpicked by Microsoft -- a "whitelist" strategy -- the company will revert to a "blacklist" that bars only some sites. All others with Flash will be rendered by the browser in Windows 8's Modern user interface (UI) -- still called "Metro" by many -- as well as Windows RT's Modern and desktop UIs.
That's another turn-about in Microsoft's mixed-message plan for Flash and IE10.
In September 2011, Microsoft said that IE10 on the Modern UI would be plug-in free, citing better security and battery performance for the move, reasons reminiscent of Apple's long-standing rejection of the popular media-playing software.
Then in late May 2012, Microsoft announced it had baked the Flash plug-in into IE10, following in the footsteps of Google, which first integrated Flash with Chrome in April 2010. At the same time, Microsoft announced the whitelist -- Microsoft dubbed it the Compatibility View (CV) list -- saying then that it would allow only those sites with "the best user experience" to appear in the Modern app version of IE10.
Yesterday, Microsoft essentially said, "Mission accomplished."
"The vast majority of sites with Flash content are now compatible with the Windows experience for touch, performance, and battery life," claimed Rob Mauceri, an IE group program manager, in a post to the browser's blog.
Analysts saw things a little different.
"From a strategic perspective this is not surprising," said Al Hilwa of IDC in an email. "iOS has said no to Flash, and iOS's competitors should embrace it because as the old saying goes, 'The enemy of my enemy is my friend.'"
Wes Miller, an analyst with Directions on Microsoft, agreed. "What's important is that those who were investing in [Windows] tablets weren't getting the best experience," Miller argued, referring to the often-confusing whitelist and abrupt blocking of sites, and Microsoft's push into mobile. "This is a win for the users who are the most important right now to Microsoft ... those [who are] tablet bound. It's one area where Windows RT and Windows 8 have a distinct advantage over iOS."
By opening up the vast majority of sites to showing Flash in IE10, Microsoft can contrast Windows with iOS, which as Hilwa noted, has strictly enforced a no-Flash policy. "From Microsoft's standpoint this is a great way to differentiate the PC as the primary device in a world, even as it makes bids for secondary devices and tablets in the long-run," said Hilwa.
But security experts were more mixed in their reaction to Microsoft doubling down on Flash.
Wolfgang Kandek, CTO of Qualys, saw it more as a response to a "does not work" feature than posing an increased security threat. "Not running Flash was not a security feature," Kandek said in a Monday interview via instant messaging.
Others, however, worried that by opening IE10 to most Flash-equipped sites, Microsoft risked exposing users to the raft of "zero-day," or unpatched, vulnerabilities regularly revealed in Adobe's software.
Adobe has patched Flash Player five times this year, including two last month that fixed zero-day flaws hackers were already exploiting.
"Microsoft is betting a lot on Flash if the Windows experience is so dependent on it," said Andrew Storms, director of security operations at nCircle. "One would hope that Microsoft's security team is working very closely with Adobe. Unfortunately, the historical accounts of syncing updates still leaves us with doubts."
Hilwa and Miller also pinned their hopes on close coordination between Microsoft's and Adobe's security groups. "Does Flash or any plug-in present more surface area for security attacks? Sure. But the integration between the browser team and Adobe should eventually make it as safe as [any] native features," said Hilwa.
Microsoft will continue to update Modern IE10's CV blacklist, the company confirmed.
IE10 on Windows 8's classic desktop, as well as IE10 on Windows 7 -- the latter launched just two weeks ago -- are unaffected by the new policy, as Microsoft never blocked those browsers from rendering Flash content.
The change will be delivered as part of today's Patch Tuesday, which will also include seven security updates for Windows, IE, Office and SharePoint.
