Adobe Error Leaves Flash Flaw Unpatched for 16 Months

Adobe has acknowledged that an internal screw-up caused a potentially dangerous Flash Player flaw to remain unpatched for more than 16 months after it was first reported by an external security researcher.

“It slipped through the cracks,” said Emmy Huang, a product manager for Flash Player. Adobe’s mea culpa follows the public release of proof-of-concept code demonstrating a Flash Player browser plug-in crash.

Matthew Dempsey, the researcher who found and reported the flaw in September 2008, explains the issue:

If a Flash 9 SWF loads the same URL twice with the first returning a Flash 7 SWF and the second time returning a Flash 8 SWF (or vice-versa), the Adobe Flash Player plug-in will attempt to dereference a null pointer, crashing the browser.

Dempsey’s code, which completely crashes the browser, was tested with Safari 3.1.2 and Firefox 3.0.1 with Adobe’s Flash Player plug-in 9.0.115.0, 9.0.124.0, and 10.0.12.10 on OS X 10.5.4 and 10.5.5.

According to Adobe’s Huang, the issue was fixed in the Flash Player 10.1 beta but was erroneously tagged to be fixed in the “next” release, which meant that four different Flash Player 9 patches were released without this fix.

Here’s the apology:

So what happened here? We picked up the bug as a crasher when it was filed on September 22, 2008, and were able to reproduce it. Remember that Flash Player 10 shipped in October 2008, so when this bug was reported we were pretty much locked and loaded for launch. The mistake we made was marking this bug for “next” release, which is the soon to be released Flash Player 10.1, instead of marking it for the next Flash Player 10 security dot release. We should have kept in contact with the submitter and to let him know the progress, sorry we did not do that. Having that line of communication open would have allowed him to let us know directly that it was still an issue. I intend to follow up with the product manager (or Adobe rep) who worked on this issue to make sure it doesn’t happen again. It slipped through the cracks, and it is not something we take lightly.

Adobe’s Flash Player is among the most commonly exploited applications on Windows machines.

UPDATE: Adobe’s Brad Arkin says this is not considered a security vulnerability.
