Adobe released its August software patches on Tuesday and immediately found itself in hot water with Google researcher Tavis Ormandy, who claims the firm is downplaying the extent of security flaws in its products. 

The company released five security bulletins covering 23 separate vulnerabilities on Tuesday. The patches were for a range of products including Shockwave, Flash Media Server, Flash Player, Photoshop and Robohelp. Four of the five bulletins were rated “critical,” meaning that they could allow malicious code to run without the knowledge or consent of the user. 

The release prompted a rare rebuke from famed Google security researcher Tavis Ormandy, who alleged that Adobe was downplaying the number of vulnerabilities addressed in one of the patches: APSB11-21. According to Ormandy, that patch actually covered an astounding 400 separate vulnerabilities, rather than the 13 identified by Adobe. 

According to Adobe, the APSB11-21 patch covers a range of vulnerabilities in Adobe’s Flash Player and Adobe Air for all supported platforms. Those include buffer and integer overflows in Flash Player and Air, along with other memory corruption problems. It is rated critical, with the holes making Flash and Air vulnerable to attacks that could crash the applications and allow an attacker to take control of the affected system, Adobe warned.

Ormandy, who clashed with software giant Microsoft over vulnerability disclosure in June, 2010, promised to release his own advisory detailing the hundreds of vulnerabilities, though none has been forthcoming. 

Adobe spokeswoman Wiebke Lips said that Ormandy’s Twitter communication was not coordinated with Adobe, but acknowledged that Google and Adobe are engaged in a “joint engineering effort,” but that “the total number of unique bugs discussed as part of that project is far less than the number Tavis provided in his tweet.”

The difference between Ormandy and Adobe may hang on the term “unique bugs.” Researchers have speculated that Ormandy may be referring to the outcome of so-called “fuzzing” of Adobe’s software, versus fixes that can be leaked to specific vulnerabilities, as identified by CVE numbers. 

Adobe said, through its spokeswoman, that the company makes a policy of not disclosing details about internal findings in  security bulletins. “Adobe has an ongoing cooperation with Google, and we greatly appreciate the assistance of the Google Chrome team on this and other projects that are part of this cooperation,” the spokeswoman wrote. 

In an e-mail to Threatpost, Lips said that Adobe treats the outcome of joint engineering projects with Google and other vendors as “internal findings, (the) details of which are not disclosed in our security bulletins.” In other words: Adobe was under no obligation to reveal everything that internal tests uncovered – just fixes for vulnerabilities that had already been publicly identified. “There were no expectations in our coordinated communication with Google that details of this project beyond the acknowledgement we provided in the bulletin would be disclosed,”she wrote. 

Ormandy could not immediately be reached for comment. 

Categories: Malware, Vulnerabilities, Web Security