
I wrote about Adobe’s (ADBE) problem with writing secure software earlier. The problem still exists, according to an article in Help Net Security. The article lays out claims by Google (GOOG) researcher Tavis Ormandy that he notified Adobe of some 400 holes in Flash Player. According to the article, Adobe fell short on the latest Flash patch. In the article Mr. Ormandy claims that Adobe’s latest release of Flash:
- Only patched 13 holes in the application and failed to document the other holes; and
- Did not give credit to those who found the bugs using a technique called fuzzing.
The Google researchers wrote on their blog, “The initial run of the ongoing effort resulted in about 400 unique crash signatures, which were logged as 106 individual security bugs … each crash was treated as though it were potentially exploitable and addressed by Adobe. In the final analysis, the Flash Player update Adobe shipped earlier this week contained about 80 code changes to fix these bugs.”
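The step from 400 crash signatures down to 106 bugs in that quote is crash bucketing: crashes whose faulting access type and top application frames match are treated as one candidate bug, and write faults are triaged first. The example below is added here and is not code from the post, Google or Adobe; the crash records and frame names are constructed.

```python
"""Bucket fuzzer crash reports into candidate bugs by stack signature."""
import hashlib
from collections import defaultdict

# Library frames that say nothing about which code path is broken; skipping
# them lands the signature on the first application frame.
NOISE_FRAMES = {"memcpy", "memset", "memmove", "strlen", "free", "malloc"}

# Constructed sample crash records (hypothetical frame names and pcs).
CRASHES = [
    {"id": 1, "pc": "0x1001", "access": "write",
     "frames": ["memcpy", "parse_tag", "load_swf", "main", "_start"]},
    {"id": 2, "pc": "0x1002", "access": "write",
     "frames": ["memcpy", "parse_tag", "load_swf", "main", "player_main"]},
    {"id": 3, "pc": "0x2001", "access": "read",
     "frames": ["decode_jpeg", "handle_image", "parse_tag", "load_swf"]},
    {"id": 4, "pc": "0x2002", "access": "read",
     "frames": ["decode_jpeg", "handle_image", "parse_tag", "load_swf"]},
    {"id": 5, "pc": "0x3001", "access": "read",
     "frames": ["free", "destroy_object", "gc_sweep", "main"]},
    {"id": 6, "pc": "0x1003", "access": "read",
     "frames": ["memcpy", "parse_tag", "load_swf", "main"]},
]


def signature(crash, depth=3):
    """Hash of the access type plus the top `depth` non-noise frames."""
    frames = [f for f in crash["frames"] if f not in NOISE_FRAMES][:depth]
    raw = crash["access"] + "|" + "/".join(frames)
    return hashlib.sha1(raw.encode()).hexdigest()[:12]


def bucket(crashes, depth=3):
    """Group crash records by signature; each bucket is one candidate bug."""
    buckets = defaultdict(list)
    for crash in crashes:
        buckets[signature(crash, depth)].append(crash)
    return dict(buckets)


def summarize(crashes, depth=3):
    """Crash count, candidate-bug count, and the bugs to examine first
    (a write to a bad address is the strongest exploitability signal)."""
    buckets = bucket(crashes, depth)
    urgent = sorted(b[0]["id"] for b in buckets.values() if b[0]["access"] == "write")
    return {"crashes": len(crashes), "bugs": len(buckets), "urgent": urgent}


if __name__ == "__main__":
    print(summarize(CRASHES))  # 6 crashes collapse to 4 candidate bugs
```

A deeper `depth` splits buckets further (crashes 1 and 2 diverge at the fourth frame), so the bug count depends on the bucketing policy as much as on the fuzzer.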

Help Net Security notes that after an initial silence on the matter, Adobe told Computerworld that Mr. Ormandy had reported some 80 bugs in Flash Player, but defended its decision not to list all the vulnerabilities in the released security bulletins by saying that it usually doesn’t reveal or mention vulnerabilities found internally – by itself or its partners. Also, the question is whether all those 80 flaws would lead to an exploitable hole. It seems that Adobe believes that only exploitable holes get a CVE number.
What do you think?
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow him at LinkedIn, Facebook and Twitter. Email the Bach Seat here.