If Windows 8 had been available from the start of 2012, and Adobe and Microsoft had not adjusted their update ship dates, users would have been vulnerable a total of 77 days through Sept. 11, or about 30% of the year, assuming Microsoft updated Flash on the first-available Patch Tuesday after Adobe released its fixes.

The longest delay of 2012's seven Flash updates would have been 27 days, when Adobe released Flash patches on Feb. 15, the day after Microsoft shipped the month's updates. The second-longest would have been the 21 days between Adobe's Aug. 21 update and next Tuesday's expected patches from Microsoft.

Storms said Microsoft has to do better than that.

"They have to meet the gold standard, which is Chrome," said Storms. "Given Microsoft's relationship with Adobe with respect to MAPP, one would think that Microsoft and Adobe would be in lockstep to deliver patches." Adobe joined the Microsoft Active Protections Program (MAPP) in 2010, through which it shares details on it latest bugs and patches with other security firms.

In this instance, at least, Microsoft is certainly not in step with Adobe.