Adobe took pains to defuse a dispute between the company and famed Google security researcher Tavis Ormandy, posting more information about the holes fixed with a patch for its Flash Player software. Adobe had claimed that 13 separate vulnerabilities were patched with the bulletin APSB11-21, while Ormandy said that patch addressed hundreds of holes.
In a blog post, Brad Arkin, Adobe’s Senior Director of Product Security and Privacy said the discrepancy was the result of different standards for what is counted as a unique bug.
Arkin’s blog post follows some vocal criticism of Adobe by Ormandy, who complained publicly last week that Adobe had overlooked his and Google’s contributions to the patch and was undercounting software holes.
In a response released Friday, Arkin said that the differences between the two firms boiled down to nomenclature. Ormandy was referring to “unique crash signatures” produced during automated testing (or “fuzzing”) of Flash Player. However, Adobe says that the crash signatures were triaged down to 106 individual security bugs resulting in around 80 code changes to repair.
According to Arkin, Adobe’s process for ascribing software holes to a unique CVE (Common Vulnerabilities and Exposures) number is consistent. Externally reported vulnerabilities and zero days that are in the wild get CVEs. Bugs identified by Adobe engineers and partners in Adobe’s Secure Product Lifecycle (SPLC) program aren’t. But, Arkin points out, there’s always room for interpretation. In the case of the Adobe Reader holes, Adobe merely considered the bugs that Ormandy and other Google engineers discovered as internally disclosed holes uncovered as part of the SPLC work and, thus, not entitled to a CVE number. No disrespect.
In a companion blog post, Ormandy and the members of Google’s Online Security Team essentially backed up Adobe’s account of events – explaining how Google’s huge computing resources were harnessed to find vulnerabilities in Adobe’s flash software.
Google’s servers cranked through 20 terabytes of Flash format SWF files, yielding a test set of 20,000 files that allowed Google to “fuzz” (or test) unusual code paths within Flash. Three weeks of fuzzing against 2,000 CPU cores yielded the 400 odd crash points, which Adobe analyzed and distilled down to around 80 unique vulnerabilities.
The twin posts were an anticlimactic and largely hospitable resolution to the dispute that erupted last week, after Ormandy alleged that Adobe was downplaying the number of vulnerabilities addressed in APSB11-21.
This isn’t the first time Ormandy has clenched teeth concessions from software firms. Notably: Microsoft updated its vulnerability disclosure policy after Ormandy released details of a vulnerability in the Windows Help Center after what he claimed was foot dragging by Microsoft in fixing the hole.