Google engineer, Adobe squabble over Flash bug credit
Adobe says it patched 13 flaws in Tuesday's Flash Player update; Google's researcher claims he reported 'around 400'
Computerworld - Adobe patched 13 critical bugs in its nearly-ubiquitous Flash Player on Tuesday, but came under quick criticism from a security engineer who works for Google, a close partner of Adobe.
Although Adobe listed a baker's dozen of bugs fixed in the patched Flash, Google employee Tavis Ormandy took to Twitter to contest that number.
"Adobe patched around 400 unique vulnerabilities I had sent them in APSB11-21 as part of an ongoing security audit," Ormandy said on Twitter late Tuesday. "Not a typo."
APSB11-21 is Adobe's designation for the security bulletin that accompanied the revised Flash Player.
Ormandy was apparently upset that he was not credited for his bug reports in the bulletin, which while giving a nod to 10 researchers, said of Google and Ormandy only that "Adobe would also like to thank Tavis Ormandy and the Google Chrome team for their great work on several improvements to this Flash Player release."
In response to Ormandy's first tweet on the topic, Adobe's senior manager of corporate communications, Wiebke Lips, also used the micro-blogging service. "Tavis, please do not confuse sample files with unique vulnerabilities. What is Google's agenda here?" asked Lips.
"I don't know what Google's agenda is, but my agenda is getting credit for my work and getting vulnerabilities documented," countered Ormandy, who in a follow-up tweet, accused Adobe of trying to "bury the results" because his tally of 400 was "embarrassingly high." He also promised to issue his own advisory later on Tuesday.
Others chimed in as well with their own observations.
"Google's laissez-faire mentality with regard to @taviso's personal research leads to some hilarious situations. It is fun to watch," said Aaron Portnoy, manager of HP's TippingPoint security research team, in a Tuesday tweet of his own.
TippingPoint is the largest independent bug broker that pays bounties to researchers who report vulnerabilities.
As Portnoy hinted, Ormandy is no stranger to controversy.
There were clues earlier in the day of a possible spat between Google and Adobe. Several hours before Adobe released the Flash Player update, Google released new versions of the "stable" and "beta" builds of Chrome 13 and Chrome 14, respectively. Both included a patched version of Flash Player.
On the blog announcing the new versions of Chrome, Google said, "The Chrome Team would especially like to thank Tavis Ormandy, the Google Security Team, and Google for donating a large amount of time and compute power to identify a significant number of vulnerabilities resolved in this release of Flash Player."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Streamline Data Protection with IBM Tivoli Storage Manager Operations Center IBM Tivoli Storage Manager (TSM) has been an industry-standard data protection solution for two decades. But, where most competitors focus exclusively on Backup...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Malware and Vulnerabilities White Papers | Webcasts