Adobe claims to have known of Flash issue prior to CanSecWest '08, patch is on the way

In a comment in a talkback on the original issue discovered in Adobe Flash that led to the compromise of the Vista machine at the Pwn2Own contest, an Adobe representative, Erick Lee, Manager of Adobe Secure Software Engineering Team (ASSET), claimed that Adobe knew of the flaw and has a patch on the way.

This announcement acknowledges that Adobe knew of the risk, accepted it as their own, and was working on fixing it. Kudos to Adobe for having been on the ball getting this going and into a patch. An excerpt from their blog addresses this:

On Friday March 28, 2008 during the CanSecWest 2008 security conference Shane Macaulay of Security Objectives uncovered a potential security issue with Flash Player. Adobe Product Incident Response Team (PSIRT) received information regarding the exploit from TippingPoint, who sponsored the contest, on Friday evening. After some internal investigation, we found that via our ongoing response and security testing process we were aware of the issue and had fixed it for our security update coming in the next Flash Player update later this month.

What should I do as a customer?

We have fixed the issue and it will be in our next update coming later this month. Adobe is not aware of any active exploits in wild. The security researchers have reported the information to us responsibly giving the Flash Player team time to investigate and deliver a patch to you. We will provide more information as it becomes available.

*This posting is provided "AS IS" with no warranties, and confers no rights.*

Talkback

7 comments
  • "What should I do as a customer?" NoScript!

    Sorry Adobe, that's not the way to give advice.
    Any vulnerability report I've seen involving browser stuff honestly recommended to disable (Java|JavaScript|Flash) until the vulnerability was patched.
    Now, just because you're "not aware of any active exploits in wild" we should be happy and go anywhere with Flash enabled, even if Mr. Macaulay revealed some pretty nice hints about where to look for your hole and how to exploit it for remote execution?!
    There's only one way to do safe browsing nowadays, and it's using NoScript (http://noscript.net)!
    Prophet Elias
    • /me = loves NoScript

      Shouts to Giorgio Maone for giving us such a great tool! If you don't know, now you know: http://noscript.net/.

      -Nate
      nmcfeters
      • Beats my recommendation...

        Cut the network cable and call it a day. After that, I worry very little about those evil hackers taking over my PC. Oh wait, I have to disable my non-existent wireless adapter too. And who gave me a cordless mouse to be exploited? Oh man, am I in trouble.

        I might have to rethink my method of security.
        nucrash
        • Hahaha

          Always good for a laugh
          nmcfeters
    • noscript = no contents = welcome into prehistory of plain static web

      noscript = no contents = welcome into prehistory of plain static web
      qmlscycrajg
      • noscript causes me little trouble

        noscript is a tool and, as with any other tool, takes practice and experience to use properly. I initially found it overly restrictive; it became less restrictive with time and practice. I no longer find it difficult to use or restrictive, in fact I have it installed on all my systems, both at home and at work. I won't surf without it.

        Besides, even in the days of Mosaic and Lynx, the web was far from "static". In some ways, I found it far more exciting and interesting then - now it's an everyday object that is home to far too many idjits and maroons.
        Lizzie_B
  • RE: Adobe claims to have known of Flash issue prior to CanSecWest '08, patc

    how is this news??? every week i get updates from MS of vulnerabilities that allow a hacker to take over my pc. in the words of chris crocker, "leave adobe alone... waaah" ;)
    dorkiedorkfromdorktown