Adobe screw-up leaves Flash flaw unpatched for 16 months

Adobe screw-up leaves Flash flaw unpatched for 16 months

Summary: Adobe has acknowledged that an internal screw-up caused potentially dangerous Flash Player flaw to remain unpatched for more than 16 months

SHARE:

Adobe has acknowledged that an internal screw-up caused potentially dangerous serious Flash Player flaw to remain unpatched for more than 16 months after it was first reported by an external security researcher.

"It slipped through the cracks," said Emmy Huang, a product manager for Flash Player.  Adobe's mea-culpa follows the public release of proof-of-concept code demonstrating a Flash Player browser plug-in crash.

Matthew Dempsey, the researcher who found and reported the flaw in September 2008, explains the issue:

If a Flash 9 SWF loads the same URL twice with the first returning a Flash 7 SWF and the second time returning a Flash 8 SWF (or vice-versa), the Adobe Flash Player plug-in will attempt to dereference a null pointer, crashing the browser.

Dempsey's code, which completely crashes the browser, was tested with Safari 3.1.2 and Firefox 3.0.1 with Adobe's Flash Player plug-in 9.0.115.0, 9.0.124.0, and 10.0.12.10 on OS X 10.5.4 and 10.5.5.

Adob's policy is that software crashes are serious "A" priority bugs.

"If a crash occurs, it is by definition a bug, and one that Adobe takes very seriously. When they happen, it can be the result of something going on purely within Flash Player, something in the browser, or even at the OS level," according to Adobe's Huang.

Huang said the issue was fixed in Flash Player 10.1 beta but was erroneously tagged to be fixed in the "next" release which meant that four different Flash Player 9 patches were released without this fix.

Here's the apology:

So what happened here? We picked up the bug as a crasher when it was filed on September 22, 2008, and were able to reproduce it. Remember that Flash Player 10 shipped in October 2008, so when this bug was reported we were pretty much locked and loaded for launch. The mistake we made was marking this bug for "next" release, which is the soon to be released Flash Player 10.1, instead of marking it for the next Flash Player 10 security dot release. We should have kept in contact with the submitter and to let him know the progress, sorry we did not do that. Having that line of communication open would have allowed him to let us know directly that it was still an issue. I intend to follow up with the product manager (or Adobe rep) who worked on this issue to make sure it doesn't happen again. It slipped through the cracks, and it is not something we take lightly.

Adobe's Flash Player is among the most commonly exploited applications on Windows machine.

Topics: Security, Browser, Enterprise Software

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

63 comments
Log in or register to join the discussion
  • I find it amazing

    that Adobe always gets a free pass when it comes to security issues like this when OSes and browsers get routinely hammered. In fact I'll still bet that the discussion on this flaw will turn into a my browser vs. your browser or a my OS vs. your OS rather than a discussion about how Adobe's security record is worst than any of them.
    Michael Kelly
    • Zero competition

      this is what happens when you have no competitors. This should be a warning to all of those who think a MS or Apple owned world would be a good one.
      T1Oracle
      • The sad part

        is that what it would take to provide competition to Adobe would likely end up being considered anticompetitive itself.

        Let's use the example of Silverlight, since it's similar in its goals and the closest thing to competition that Adobe's got. What drives the userbase of Flash isn't so much the Flash player in itself, but instead that virtually every website requires it. Virtually every website requires it because every web designer I know has taken a college course or three in Flash. So the way to get wide exposure on the web is to get into the toolbox of a significant amount of web devlopers. A higher-than-average number of them work on Macs, have reference books for Flash, and have a college background in developing for the platform.

        Now among the reasons why Flash is so popular is because it's a safe bet that the end user has it installed. Silverlight is still hit-or-miss at this point, even given its exclusive use for video streaming of the Olympics. In order for Microsoft to attack this, the simplest way to ensure that the majority of users have it is to roll it out as a Windows Update, which they do...as an optional install, lest Adobe's legal department scream bloody murder about Microsoft being anticompetitive. So, Microsoft is stuck doing stuff like the Olympics.

        To get the Developer side back, they'd need to develop both a Windows and a Mac version of Expression Studio. The Mac version was ditched after the first release, for whatever reason (Wiki had no insight, maybe Mary Jo does?). The Expression Studio cost $599 retail, which is the same price as the upgrade version of the Adobe Creative Suite Web Premium, and more expensive then the $399 upgrade for Web Standard (though admittedly both full-version suites are more expensive). To make a dent in the Flash Developer market, Microsoft would have to "dump" their software, selling full version suites for like $49 or something like that, *and* write 101 textbooks for the suite, *and* weasel their way into college classrooms that otherwise teach Flash *and* train professors who have years of experience (and a nontrivial amount of them also having an ABM mentality). They'd have to do all of that on the developer end, do something shady to get Silverlight rolled out everywhere, and still have money left over to pay for the time in court that the DoJ and EU will be counting down hours and minutes to file, because somehow, some way, when one de facto monopoly (Adobe) goes up against another de facto monopoly (Microsoft), bucks to beans that somehow Adobe will be seen as the victim.

        Joey
        voyager529
        • A tad long but...

          ...a well thought out and presented reality the situation Joey.

          Nicely done.
          PollyProteus
        • Needs to be 3rd party

          The above is true & why, if there is to be an Adobe alternative, it needs
          to be 3rd party, not MS or Apple? For all the bashing, Adobe is a
          pretty amazing company? I live in their products & overall they serve
          very well.

          There WAS a very very good viable third party solution to many Adobe
          products in Creature House -- they had graphics software that was
          better in many ways than anything currently available? and then
          <sigh>, they got bought by MS which made the software into their
          Expressions (adjective deleted in respect for tender ears). Essentially
          MS (once again) took a really good product and killed it. We'd all be a
          lot better off if Creature House had been able to get venture capital
          and continue with their superb products.
          Carrie Johnson
          • How About Posting With Something Besides Safari?

            Drives me crazy that the great Apple can't make a Web standards compatible browser. Makes Apple posters look like idiots.
            PMC-CON
          • 'Tard...

            Actually, it's WebKit, so it affects Chrome, as well as other WebKit based
            Browsers. This is the [i]only[/i] site that this is an issue on. What make
            users look like idiots is ill-informed post, not malformed posts. So to fix
            that for you; "Drives me crazy that the mediocre ZDnet team can't
            make a Web standards complaint site. People that post here are
            generally idiots."
            webmaster@...
          • Posted with Chrome ....

            Just to see how bad this site is or not. Actually
            all FOSS software has severe limitations, so if it
            is Webkit, it just confirms how not-ready-for
            prime time FOSS software is.
            PMC-CON
          • Oh, Wait, Chrome Works, so it is Safari. Who's the 'tard now?

            You are a complete jerk. As opposed to a 'tard,
            you acquired your jerkiness from years of
            conceited practice.

            Try getting a life.
            PMC-CON
          • @PMC-CON

            This WAS posted with Safari and guess what? It
            works. So who's the uninformed 'Tard? Hmmmm
            athynz
          • Microsoft Expression...

            The current iteration of the Expression Suite is excellent. I've been
            using it since ver 2 and I'm very happy. it's also at a far more sensible
            price point than the awful and bloated Dreamweaver and Flash.
            Photoshop has become a bloated POS. The best version was 7. Had
            the right balance of tools and balance. Illustrator is probably the only
            decent "cant live without" piece of Adobe software. InDesign is alright.
            I still prefer Quark. As for competition on the Mac; Pixelmator does
            what most web desiners need or one could always opt for Acorn. For
            Development there is the [i]AMAZING[/i] TextMate, or if web is what
            you are about exclusively there's the excellent Coda and Espresso. The
            amount of independant developers working on Mac apps id
            astounding, as is the quality of these apps...
            webmaster@...
          • I wouldn't mind that...

            but then the playing field becomes even more difficult. You have Adobe, the incumbent, Microsoft, the small-but-still-there-and-isn't-going-away competitor...and $SOFTWARE_NUMBER_3. Who, at present, has something comparable to Flash but with a better security record besides Silverlight? Nothing is coming to my head (well, HTML5 officially is supposed to do much of it, but Flash still has many advantages from a designer's point of view, and technically there's Java...).

            So what you're suggesting is that another company come up with design tools for both Windows and Mac, plus a player plugin for windows/mac/linux/android/winmo/iPhoneOS/WebOS that is more secure than either Flash or Silverlight, publish textbooks, weasel their way into classrooms, and do all of this at no more than half the price of Flash Professional.

            If you design it, Carrie, I promise I'll buy a copy just on principle, and I'll do my best to spread the word to every developer I know.

            In reality though, the circumstances obviously make the barrier to entry extremely high, to the point where you almost need someone like Microsoft or Google to do it, because it's too late to "get big fast". If a startup tries this, they will bleed for a fairly long time, until Flash starts losing ground. Even that will take a while, as long as Youtube uses it.

            Joey
            voyager529
        • Because Adobe don't own the OS that most people use.

          If they did, and used that power to force everyone into using
          Flash, you'd probably see [i]them[/i] getting in trouble.
          AzuMao
        • That would replacing bad with worse

          <nt>
          minardi
        • That would replacing bad with worse

          Silverlight constantly craps out. So does Flash. QuickTime...
          minardi
          • There's always Java.

            It's rather heavy, but it works, has a decent
            penetration already, is free, and is stable on all
            OSs.

            Also there's a lot of material and training
            available for it already, and it has uses outside
            of the browser world, meaning skills from other
            areas carry over a lot, as opposed to Flash and
            the like.
            AzuMao
          • Java works well for programmers...

            ...but you still need to get *DESIGNERS* to use it. Yes, it's cross-platform, yes, it has a large install base, and yes, there are uses for it both inside the browser and outside of it. The problem is, while I admittedly haven't looked too hard, I'm unaware of a Java development studio that's built for designers instead of programmers. That's the starting point.

            Joey
            voyager529
          • ???

            Wouldn't people design their pictures or layout or
            whatever the same way regardless of what they're
            having someone write the program in?
            AzuMao
      • re: zero competition

        Isn't Silverlight supposed to be the Flash alternative?

        Sorry, I didn't read the previous rambling which may have said the same
        thing.
        clarnT
    • So I DON'T find it amazing...

      that Apple doesn't want to have such garbage software embedded in
      their mobile devices.
      arminw