
Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Adobe screw-up leaves Flash flaw unpatched for 16 months

By | February 9, 2010, 8:49am PST

Summary: Adobe has acknowledged that an internal screw-up caused a potentially dangerous Flash Player flaw to remain unpatched for more than 16 months.

Adobe has acknowledged that an internal screw-up caused a serious, potentially dangerous Flash Player flaw to remain unpatched for more than 16 months after it was first reported by an external security researcher.

“It slipped through the cracks,” said Emmy Huang, a product manager for Flash Player. Adobe’s mea culpa follows the public release of proof-of-concept code demonstrating a Flash Player browser plug-in crash.

Matthew Dempsey, the researcher who found and reported the flaw in September 2008, explains the issue:

If a Flash 9 SWF loads the same URL twice with the first returning a Flash 7 SWF and the second time returning a Flash 8 SWF (or vice-versa), the Adobe Flash Player plug-in will attempt to dereference a null pointer, crashing the browser.

Dempsey’s code, which completely crashes the browser, was tested with Safari 3.1.2 and Firefox 3.0.1 with Adobe’s Flash Player plug-in 9.0.115.0, 9.0.124.0, and 10.0.12.10 on OS X 10.5.4 and 10.5.5.

Adobe’s policy is that software crashes are serious “A” priority bugs.

“If a crash occurs, it is by definition a bug, and one that Adobe takes very seriously. When they happen, it can be the result of something going on purely within Flash Player, something in the browser, or even at the OS level,” according to Adobe’s Huang.

Huang said the issue was fixed in Flash Player 10.1 beta but was erroneously tagged to be fixed in the “next” release, which meant that four different Flash Player 9 patches were released without this fix.

Here’s the apology:

So what happened here? We picked up the bug as a crasher when it was filed on September 22, 2008, and were able to reproduce it. Remember that Flash Player 10 shipped in October 2008, so when this bug was reported we were pretty much locked and loaded for launch. The mistake we made was marking this bug for “next” release, which is the soon to be released Flash Player 10.1, instead of marking it for the next Flash Player 10 security dot release. We should have kept in contact with the submitter and to let him know the progress, sorry we did not do that. Having that line of communication open would have allowed him to let us know directly that it was still an issue. I intend to follow up with the product manager (or Adobe rep) who worked on this issue to make sure it doesn’t happen again. It slipped through the cracks, and it is not something we take lightly.

Adobe’s Flash Player is among the most commonly exploited applications on Windows machines.


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

63
Comments


RE: Adobe screw-up leaves Flash flaw unpatched for 16 months
efsane Updated - 8th Apr 2011
Great!!! thanks for sharing this information to us!
0 Votes
I find it amazing
Michael Kelly 9th Feb 2010
that Adobe always gets a free pass when it comes to security issues like this when OSes and browsers get routinely hammered. In fact I'll still bet that the discussion on this flaw will turn into a my browser vs. your browser or a my OS vs. your OS rather than a discussion about how Adobe's security record is worse than any of them.
0 Votes
Zero competition
T1Oracle 9th Feb 2010
this is what happens when you have no competitors. This should be a warning to all of those who think a MS or Apple owned world would be a good one.
0 Votes
The sad part
voyager529 9th Feb 2010
is that what it would take to provide competition to Adobe would likely end up being considered anticompetitive itself.

Let's use the example of Silverlight, since it's similar in its goals and the closest thing to competition that Adobe's got. What drives the userbase of Flash isn't so much the Flash player in itself, but instead that virtually every website requires it. Virtually every website requires it because every web designer I know has taken a college course or three in Flash. So the way to get wide exposure on the web is to get into the toolbox of a significant amount of web developers. A higher-than-average number of them work on Macs, have reference books for Flash, and have a college background in developing for the platform.

Now among the reasons why Flash is so popular is because it's a safe bet that the end user has it installed. Silverlight is still hit-or-miss at this point, even given its exclusive use for video streaming of the Olympics. In order for Microsoft to attack this, the simplest way to ensure that the majority of users have it is to roll it out as a Windows Update, which they do...as an optional install, lest Adobe's legal department scream bloody murder about Microsoft being anticompetitive. So, Microsoft is stuck doing stuff like the Olympics.

To get the Developer side back, they'd need to develop both a Windows and a Mac version of Expression Studio. The Mac version was ditched after the first release, for whatever reason (Wiki had no insight, maybe Mary Jo does?). The Expression Studio cost $599 retail, which is the same price as the upgrade version of the Adobe Creative Suite Web Premium, and more expensive than the $399 upgrade for Web Standard (though admittedly both full-version suites are more expensive). To make a dent in the Flash Developer market, Microsoft would have to "dump" their software, selling full version suites for like $49 or something like that, *and* write 101 textbooks for the suite, *and* weasel their way into college classrooms that otherwise teach Flash *and* train professors who have years of experience (and a nontrivial amount of them also having an ABM mentality). They'd have to do all of that on the developer end, do something shady to get Silverlight rolled out everywhere, and still have money left over to pay for the time in court that the DoJ and EU will be counting down hours and minutes to file, because somehow, some way, when one de facto monopoly (Adobe) goes up against another de facto monopoly (Microsoft), bucks to beans that somehow Adobe will be seen as the victim.

Joey
0 Votes
A tad long but...
PollyProteus 9th Feb 2010
...a well thought out and presented reality of the situation, Joey.

Nicely done.
0 Votes
Needs to be 3rd party
Carrie Johnson 9th Feb 2010
The above is true & why, if there is to be an Adobe alternative, it needs
to be 3rd party, not MS or Apple... For all the bashing, Adobe is a
pretty amazing company... I live in their products & overall they serve
very well.

There WAS a very very good viable third party solution to many Adobe
products in Creature House -- they had graphics software that was
better in many ways than anything currently available... and then,
they got bought by MS which made the software into their
Expressions (adjective deleted in respect for tender ears). Essentially
MS (once again) took a really good product and killed it. We'd all be a
lot better off if Creature House had been able to get venture capital
and continue with their superb products.
Drives me crazy that the great Apple can't make a Web standards compatible browser. Makes Apple posters look like idiots.
0 Votes
'Tard...
webmaster@... Updated - 9th Feb 2010
Actually, it's WebKit, so it affects Chrome, as well as other WebKit based
Browsers. This is the only site that this is an issue on. What makes
users look like idiots is ill-informed posts, not malformed posts. So to fix
that for you; "Drives me crazy that the mediocre ZDnet team can't
make a Web standards compliant site. People that post here are
generally idiots."
0 Votes
Posted with Chrome ....
PMC-CON 9th Feb 2010
Just to see how bad this site is or not. Actually
all FOSS software has severe limitations, so if it
is Webkit, it just confirms how not-ready-for
prime time FOSS software is.
You are a complete jerk. As opposed to a 'tard,
you acquired your jerkiness from years of
conceited practice.

Try getting a life.
0 Votes
@PMC-CON
Pete "athynz" Athens 10th Feb 2010
This WAS posted with Safari and guess what? It
works. So who's the uninformed 'Tard? Hmmmm
0 Votes
Microsoft Expression...
webmaster@... 9th Feb 2010
The current iteration of the Expression Suite is excellent. I've been
using it since ver 2 and I'm very happy. It's also at a far more sensible
price point than the awful and bloated Dreamweaver and Flash.
Photoshop has become a bloated POS. The best version was 7. Had
the right balance of tools and balance. Illustrator is probably the only
decent "can't live without" piece of Adobe software. InDesign is alright.
I still prefer Quark. As for competition on the Mac; Pixelmator does
what most web designers need or one could always opt for Acorn. For
Development there is the AMAZING TextMate, or if web is what
you are about exclusively there's the excellent Coda and Espresso. The
amount of independent developers working on Mac apps is
astounding, as is the quality of these apps...
0 Votes
I wouldn't mind that...
voyager529 Updated - 9th Feb 2010
but then the playing field becomes even more difficult. You have Adobe, the incumbent, Microsoft, the small-but-still-there-and-isn't-going-away competitor...and $SOFTWARE_NUMBER_3. Who, at present, has something comparable to Flash but with a better security record besides Silverlight? Nothing is coming to my head (well, HTML5 officially is supposed to do much of it, but Flash still has many advantages from a designer's point of view, and technically there's Java...).

So what you're suggesting is that another company come up with design tools for both Windows and Mac, plus a player plugin for windows/mac/linux/android/winmo/iPhoneOS/WebOS that is more secure than either Flash or Silverlight, publish textbooks, weasel their way into classrooms, and do all of this at no more than half the price of Flash Professional.

If you design it, Carrie, I promise I'll buy a copy just on principle, and I'll do my best to spread the word to every developer I know.

In reality though, the circumstances obviously make the barrier to entry extremely high, to the point where you almost need someone like Microsoft or Google to do it, because it's too late to "get big fast". If a startup tries this, they will bleed for a fairly long time, until Flash starts losing ground. Even that will take a while, as long as Youtube uses it.

Joey
If they did, and used that power to force everyone into using
Flash, you'd probably see them getting in trouble.
0 Votes
That would be replacing bad with worse
minardi 10th Feb 2010
Silverlight constantly craps out. So does Flash. QuickTime...
0 Votes
There's always Java.
AzuMao 10th Feb 2010
It's rather heavy, but it works, has a decent
penetration already, is free, and is stable on all
OSs.

Also there's a lot of material and training
available for it already, and it has uses outside
of the browser world, meaning skills from other
areas carry over a lot, as opposed to Flash and
the like.
0 Votes
Java works well for programmers...
voyager529 10th Feb 2010
...but you still need to get *DESIGNERS* to use it. Yes, it's cross-platform, yes, it has a large install base, and yes, there are uses for it both inside the browser and outside of it. The problem is, while I admittedly haven't looked too hard, I'm unaware of a Java development studio that's built for designers instead of programmers. That's the starting point.

Joey
0 Votes
???
AzuMao 11th Feb 2010
Wouldn't people design their pictures or layout or
whatever the same way regardless of what they're
having someone write the program in?
0 Votes
re: zero competition
clarnT 9th Feb 2010
Isn't Silverlight supposed to be the Flash alternative?

Sorry, I didn't read the previous rambling which may have said the same
thing.
0 Votes
So I DON'T find it amazing...
arminw 10th Feb 2010
that Apple doesn't want to have such garbage software embedded in
their mobile devices.
0 Votes
Not that I want to start a flame war or promote Apple or Steve Jobs but I will say he was spot on when he called Adobe lazy... this is just further proof of that. And proof that, like T1Oracle says, shows what a world owned by Microsoft, Apple, or any one company would be like. Funny, people bust on Apple for being a monopoly, there were the lawsuits over Microsoft engaging in monopolistic practices, but where was/is the outrage over Adobe?
0 Votes
Kind of funny, since Jobs was just talking about this very thing before this became public. lol.
flashplayer totally screwed my computer.
my registry is so fried I'm looking at
a total windows reinstall.
0 Votes
A computer without a registry...
arminw 10th Feb 2010
such as OS X or Linux will fix that problem.
0 Votes
System Mechanic Pro 9...
Raymond Danner Updated - 10th Feb 2010
Sounds like you need to scan with SMP9; I've a full license (3 PC) for it because it simply works. Setting it up for automatic defouling of the registry is a snap... and again, simply works, albeit at the cost of a longer boot time about 1-3x a week.

Check http://www.iolo.com for the trial, which is (IIRC) totally functional. Good luck!
flashplayer totally fried my computer registry.
I'm looking at a windows reinstall
0 Votes
How did Flash totally hose your entire registry?
de-void-21165590650301806002836337787023 9th Feb 2010
Any details you can share?
0 Votes
LOL
it. So probably not.
0 Votes
Try going here:
msalzberg 9th Feb 2010
http://flashcrash.dempsky.org/

See what happens. It's not malicious, just fun.
0 Votes
No crash here
davidhite Updated - 9th Feb 2010
Did not crash my browser

EDIT:
yeah it did
0 Votes
Crashed
Clayman1000x 9th Feb 2010
Yep, crashed my
FF browser too.
0 Votes
http://flashcrash.dempsky.org/ ???

What are you talking about? You're nuts! This didn't crash ANY of my
browsers ... Safari, Firefox, Chrome!


Oh! That's right! I uninstalled Flash Player! Your website requires Flash?
You won't see me around your site. I was surprised how much more
responsive Snow Leopard is now. I'll never reinstall it. There's nothing
Flash I can't live without.
0 Votes
IE, OmniWeb, FireFox crashed.
Bruizer 9th Feb 2010
Safari and Chrome simply crashed the Adobe content but the browser
lived.
0 Votes
IE8 Invulnerable?
PMC-CON 9th Feb 2010
Didn't crash IE8 as far as I can tell. (No
message, tab still responds.) Chrome 4.x showed
that the plugin crashed. Firefox glorious Firefox
3.6 crashed and burned.
0 Votes
No crash with x64 Linux Chromium..
AzuMao 10th Feb 2010
..even played a video on YouTube with it open.

Is it just the Windows version that is bugged? The article said
it crashes under Safari (which uses the same engine as
Chromium) so I'm guessing it's not browser dependent.
0 Votes
No crash for IE8 on Win7
Jeff Richardson Updated - 10th Feb 2010
I saw the blue box, but my browser did not crash. Is it IE8 or Win7 that protected me?

Edit: Win 7 x64
0 Votes
Did not crash
hill60 9th Mar 2010
Safari on my Mac, but then again I've got Flash 10.1 beta plugin.

Shockwave Flash
Shockwave Flash 10.1 d51 - from file "Flash Player.plugin".
Guess the "traps full alert" had a short
That's not surprising. Their support forums since changed to Jive Clear space have been atrocious. And support has been almost non-existent since shipping the support network to India. People can't understand each other and the support team just reads from pre-approved scripts. The change to OSX.6.2 has caught them flat footed. Most people have problems updating software and creating PDF through InDesign and Acrobat and other Adobe products are problematic for Mac users. In other words Adobe is a mess and they are alienating large chunks of their user base, not just on the Mac side of things.
0 Votes
Flash Sucks!!!
i8thecat 9th Feb 2010
Flash has been the bane of computer security for a
decade... It sucks and I will be happy to see it go
away...

And I have to agree with SpillChucker... Browsing the
web without flash is a much better experience...
0 Votes
Click to Flash.
Bruizer 9th Feb 2010
Great Safari plug in.

Flash is a RPITA on IE and FireFox. At least Safari and Chrome are a bit
more graceful.

95% of the time, I am really glad the iPhone does not do Flash. There are
times, however, I wish it did. But not mostly.
0 Votes
Flashblock
wackoae 9th Feb 2010
You will be amazed at how many websites use hidden flash scripts.

Flashblock will show you an icon and will block anything Flash from running. A user can enable it by clicking on the icon. It can also white-list webpages.

Gotta love Firefox and all the good add-ons.
0 Votes
Security error or bug?
szisk 9th Feb 2010
Maybe I am missing something here? This seems to be a real bug, but how is it a security problem? No one has claimed an "exploit" or any bad behavior other than the crash. Let's not reflexively label every crash caused by a browser component as a security flaw!

And yes, I know that Flash does have a *horrible* record of behaving badly (including some exploitable flaws) in response to flash-malware or badly programmed objects - the unfortunately common array of buffer under/overflows, type mismatches, protocol failures, etc.

Also, note that some of the problem (and the laziness) is simply bad programming practices by flash *creators*, not just Adobe. This is similar to ugly bits of performance or bad security practices in JavaScript (or server-side JSP, SQL injection, etc.). No one claims that the database itself has a bug when a site allows a SQL injection exploit, but people *rightly* claim that SQL was not designed with SQL-based web sites as a security target.
0 Votes
Both and either, depending on OS
i8thecat Updated - 9th Feb 2010
Over the last decade, adobe reader and flash
have been the number 1 attack vectors for virii
and malware on PCs... More exploits and virii
have been written to come in through adobe
flaws/holes than any other source... Even more
than windows itself...

Granted, without adobe, those programmers would
have to focus on something else, but adobe is
and has been the lowest common denominator for
the past decade. And yes... That makes them
extremely lazy and a thorn in the side of
computer users everywhere, but especially for
windows users... On Macs, Flash is buggy, on
windows flash is a broken pane, inviting the
exploits in.

It's a real simple fix... Stop using flash...
And when flash websites stop getting hits and
stop generating revenue for morons, then they
will switch back to boring and safe HTML and/or
look into HTML 5.
0 Votes
The fact that..
AzuMao 11th Feb 2010
..a malicious site can crash it is a
vulnerability in itself.

Most likely, it is crashing because code is
being corrupted, or something that isn't code is
being executed, meaning that this could be
refined to execute arbitrary code instead of
just making random crashes.

You might say this is the fault of the attacker
for making an evil Flash applet that does these
evil things to Flash, but really the only
solution is to not have vulnerabilities in
Flash.

Your comparison is completely wrong.

The only error made by the user is enabling of
Flash.
0 Votes
I agree...
lehnerus2000 9th Feb 2010
I agree with you (for a change) and SpillChucker.

Flash is AWFUL!

Whenever I am browsing the Internet and my browser starts acting up, it is usually because I allowed Flash to run on some web page. It also drives my CPU crazy with its stupid processing requirements.

I block it (by default) with NoScript (on Firefox).

lehnerus2000
0 Votes
Oh yeah!
mbrierley 11th Feb 2010
Totally agree. I understand why Apple ditched flash on the iPad and
iPhone. Why make yourself suffer?

In fact, on Snow Leopard I installed ClickToFlash. I get to decide when
flash runs now - and the answer is not very often! Hell, and buggy sites
(or buggy flash - not certain which one, load like a wet dream. Errm or
something like that happy
0 Votes
So, to skip past all the garbage, is the flaw fixed now? I couldn't see that answered in the article. The rest of it is of no value.
0 Votes