February 9, 2010, 11:56AM
Adobe Error Leaves Flash Flaw Unpatched for 16 Months
1 Comment
Adobe has acknowledged that an internal screw-up caused a potentially dangerous Flash Player flaw to remain unpatched for more than 16 months after it was first reported by an external security researcher.
"It slipped through the cracks," said Emmy Huang, a product manager for Flash Player. Adobe's mea-culpa follows the public release of proof-of-concept code demonstrating a Flash Player browser plug-in crash.
Matthew Dempsey, the researcher who found and reported the flaw in September 2008, explains the issue:
If a Flash 9 SWF loads the same URL twice with the first returning a Flash 7 SWF and the second time returning a Flash 8 SWF (or vice-versa), the Adobe Flash Player plug-in will attempt to dereference a null pointer, crashing the browser.
Dempsey's code, which completely crashes the browser, was tested with Safari 3.1.2 and Firefox 3.0.1 with Adobe's Flash Player plug-in 9.0.115.0, 9.0.124.0, and 10.0.12.10 on OS X 10.5.4 and 10.5.5.
According to Adobe's Huang, the issue was fixed in Flash Player 10.1 beta but was erroneously tagged to be fixed in the "next" release which meant that four different Flash Player 9 patches were released without this fix.
Here's the apology:
So what happened here? We picked up the bug as a crasher when it was filed on September 22, 2008, and were able to reproduce it. Remember that Flash Player 10 shipped in October 2008, so when this bug was reported we were pretty much locked and loaded for launch. The mistake we made was marking this bug for "next" release, which is the soon to be released Flash Player 10.1, instead of marking it for the next Flash Player 10 security dot release. We should have kept in contact with the submitter and to let him know the progress, sorry we did not do that. Having that line of communication open would have allowed him to let us know directly that it was still an issue. I intend to follow up with the product manager (or Adobe rep) who worked on this issue to make sure it doesn't happen again. It slipped through the cracks, and it is not something we take lightly.
Adobe's Flash Player is among the most commonly exploited applications on Windows machine.
UPDATE: Adobe's Brad Arkin says this is not considered a security vulnerability.
Commenting on this Article is closed.
Today's Most Popular
- Yahoo Includes Private Key in Source File For Axis Chrome Extension
- Researchers Unveil New Way to Trust Certificates
- FBI Warns Top Firms Of Anonymous Protest Hacks on May 25
- DNSChanger Lingers: 330k Systems Still Infected, 77,000 In The U.S.
- Defense Contractor Northrop Grumman Hiring For Offensive Cyber Ops
Most Commented Stories
Newsletter Sign-up
Take Our Poll
The Internet Crime Complaint Center recently warned of malware targeting travelers connecting to Wi-Fi. When traveling, do you
Connect to anything
23%
Only connect to password-protected, secure connections
38%
Only use websites with HTTPS
27%
I don’t pay attention to how I access the internet while traveling
13%
Total votes: 71
Follow Threatpost
 |  |  |  |
| Tumblr |
Comments
And you wonder why Apple doesn't want to support Flash on the iPhone, iTouch, or soon to be released iPad.