Adobe apologizes for 16-month-old Flash bug
Crash vulnerability 'slipped through the cracks,' admits company manager
Computerworld - Adobe Systems Inc. apologized over the weekend for letting a 16-month-old bug in Flash Player languish without a patch, even though it updated the popular plug-in four times since the flaw was reported.
The bug was fixed, said Adobe, in the beta of Flash Player 10.1, which was released last November. The final version of Flash Player 10.1, however, will not ship until later this year.
Security researcher Matthew Dempsky first reported the Flash vulnerability Sept. 22, 2008, according to Adobe's public bug tracking database. When exploited, the flaw causes Internet Explorer 6 and 7, and Firefox and Safari 3 to crash; in other browsers, the browser stays up while Flash Player goes down.
Although browser and plug-in crashes may seem relatively innocuous, they're valuable to attackers, who are often able to devise a way to inject malicious code after an application's crash, said Andrew Storms, director of security operations at nCircle Network Security Inc.
Dempsky has created a site that runs proof-of-concept attack code demonstrating the vulnerability. (Warning: The site will crash browsers equipped with current versions of Flash Player.)
Although the bug has been patched in Flash Player 10.1 Beta, it should have been fixed long before, an Adobe manager admitted Saturday. "The mistake we made was marking this bug for 'next' release, which is the soon-to-be-released Flash Player 10.1, instead of marking it for the next Flash Player 10 security dot release," said Emmy Huang, product manager for Flash Player, in a post to a company blog.
In the 16 months since Dempsky reported the bug, Adobe patched Flash Player four different times, once in late 2008, then again in February, July and December of 2009.
Huang's explanation was that Dempsky reported the crash bug in the lead up to the release of Flash Player 10. "Remember that Flash Player 10 shipped in October 2008, so when this bug was reported we were pretty much locked and loaded for launch," she said.
Even so, it was a snafu. "I intend to follow up with the product manager (or Adobe rep) who worked on this issue to make sure it doesn't happen again," Huang said. "It slipped through the cracks, and it is not something we take lightly."
Huang also called crash bugs, which some vendors dismiss as second-class vulnerabilities, "serious 'A' priority bugs," and added that Adobe's policy is that "ActionScript developers should never be able to crash Flash Player." ActionScript is the scripting language supported by Flash.
An Adobe spokesman today declined to specify a release date for Flash Player 10.1, sticking to the company's earlier timeline of final version availability sometime in the first half of this year.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts