Adobe screw-up leaves Flash flaw unpatched for 16 months
Summary: Adobe has acknowledged that an internal screw-up caused potentially dangerous Flash Player flaw to remain unpatched for more than 16 months
Adobe has acknowledged that an internal screw-up caused potentially dangerous serious Flash Player flaw to remain unpatched for more than 16 months after it was first reported by an external security researcher.
"It slipped through the cracks," said Emmy Huang, a product manager for Flash Player. Adobe's mea-culpa follows the public release of proof-of-concept code demonstrating a Flash Player browser plug-in crash.
Matthew Dempsey, the researcher who found and reported the flaw in September 2008, explains the issue:
If a Flash 9 SWF loads the same URL twice with the first returning a Flash 7 SWF and the second time returning a Flash 8 SWF (or vice-versa), the Adobe Flash Player plug-in will attempt to dereference a null pointer, crashing the browser.
Dempsey's code, which completely crashes the browser, was tested with Safari 3.1.2 and Firefox 3.0.1 with Adobe's Flash Player plug-in 9.0.115.0, 9.0.124.0, and 10.0.12.10 on OS X 10.5.4 and 10.5.5.
Adob's policy is that software crashes are serious "A" priority bugs.
"If a crash occurs, it is by definition a bug, and one that Adobe takes very seriously. When they happen, it can be the result of something going on purely within Flash Player, something in the browser, or even at the OS level," according to Adobe's Huang.
Huang said the issue was fixed in Flash Player 10.1 beta but was erroneously tagged to be fixed in the "next" release which meant that four different Flash Player 9 patches were released without this fix.
Here's the apology:
So what happened here? We picked up the bug as a crasher when it was filed on September 22, 2008, and were able to reproduce it. Remember that Flash Player 10 shipped in October 2008, so when this bug was reported we were pretty much locked and loaded for launch. The mistake we made was marking this bug for "next" release, which is the soon to be released Flash Player 10.1, instead of marking it for the next Flash Player 10 security dot release. We should have kept in contact with the submitter and to let him know the progress, sorry we did not do that. Having that line of communication open would have allowed him to let us know directly that it was still an issue. I intend to follow up with the product manager (or Adobe rep) who worked on this issue to make sure it doesn't happen again. It slipped through the cracks, and it is not something we take lightly.
Adobe's Flash Player is among the most commonly exploited applications on Windows machine.
Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.
Talkback
I find it amazing
Zero competition
The sad part
Let's use the example of Silverlight, since it's similar in its goals and the closest thing to competition that Adobe's got. What drives the userbase of Flash isn't so much the Flash player in itself, but instead that virtually every website requires it. Virtually every website requires it because every web designer I know has taken a college course or three in Flash. So the way to get wide exposure on the web is to get into the toolbox of a significant amount of web devlopers. A higher-than-average number of them work on Macs, have reference books for Flash, and have a college background in developing for the platform.
Now among the reasons why Flash is so popular is because it's a safe bet that the end user has it installed. Silverlight is still hit-or-miss at this point, even given its exclusive use for video streaming of the Olympics. In order for Microsoft to attack this, the simplest way to ensure that the majority of users have it is to roll it out as a Windows Update, which they do...as an optional install, lest Adobe's legal department scream bloody murder about Microsoft being anticompetitive. So, Microsoft is stuck doing stuff like the Olympics.
To get the Developer side back, they'd need to develop both a Windows and a Mac version of Expression Studio. The Mac version was ditched after the first release, for whatever reason (Wiki had no insight, maybe Mary Jo does?). The Expression Studio cost $599 retail, which is the same price as the upgrade version of the Adobe Creative Suite Web Premium, and more expensive then the $399 upgrade for Web Standard (though admittedly both full-version suites are more expensive). To make a dent in the Flash Developer market, Microsoft would have to "dump" their software, selling full version suites for like $49 or something like that, *and* write 101 textbooks for the suite, *and* weasel their way into college classrooms that otherwise teach Flash *and* train professors who have years of experience (and a nontrivial amount of them also having an ABM mentality). They'd have to do all of that on the developer end, do something shady to get Silverlight rolled out everywhere, and still have money left over to pay for the time in court that the DoJ and EU will be counting down hours and minutes to file, because somehow, some way, when one de facto monopoly (Adobe) goes up against another de facto monopoly (Microsoft), bucks to beans that somehow Adobe will be seen as the victim.
Joey
A tad long but...
Nicely done.
Needs to be 3rd party
to be 3rd party, not MS or Apple? For all the bashing, Adobe is a
pretty amazing company? I live in their products & overall they serve
very well.
There WAS a very very good viable third party solution to many Adobe
products in Creature House -- they had graphics software that was
better in many ways than anything currently available? and then
<sigh>, they got bought by MS which made the software into their
Expressions (adjective deleted in respect for tender ears). Essentially
MS (once again) took a really good product and killed it. We'd all be a
lot better off if Creature House had been able to get venture capital
and continue with their superb products.
How About Posting With Something Besides Safari?
'Tard...
Browsers. This is the [i]only[/i] site that this is an issue on. What make
users look like idiots is ill-informed post, not malformed posts. So to fix
that for you; "Drives me crazy that the mediocre ZDnet team can't
make a Web standards complaint site. People that post here are
generally idiots."
Posted with Chrome ....
all FOSS software has severe limitations, so if it
is Webkit, it just confirms how not-ready-for
prime time FOSS software is.
Oh, Wait, Chrome Works, so it is Safari. Who's the 'tard now?
you acquired your jerkiness from years of
conceited practice.
Try getting a life.
@PMC-CON
works. So who's the uninformed 'Tard? Hmmmm
Microsoft Expression...
using it since ver 2 and I'm very happy. it's also at a far more sensible
price point than the awful and bloated Dreamweaver and Flash.
Photoshop has become a bloated POS. The best version was 7. Had
the right balance of tools and balance. Illustrator is probably the only
decent "cant live without" piece of Adobe software. InDesign is alright.
I still prefer Quark. As for competition on the Mac; Pixelmator does
what most web desiners need or one could always opt for Acorn. For
Development there is the [i]AMAZING[/i] TextMate, or if web is what
you are about exclusively there's the excellent Coda and Espresso. The
amount of independant developers working on Mac apps id
astounding, as is the quality of these apps...
I wouldn't mind that...
So what you're suggesting is that another company come up with design tools for both Windows and Mac, plus a player plugin for windows/mac/linux/android/winmo/iPhoneOS/WebOS that is more secure than either Flash or Silverlight, publish textbooks, weasel their way into classrooms, and do all of this at no more than half the price of Flash Professional.
If you design it, Carrie, I promise I'll buy a copy just on principle, and I'll do my best to spread the word to every developer I know.
In reality though, the circumstances obviously make the barrier to entry extremely high, to the point where you almost need someone like Microsoft or Google to do it, because it's too late to "get big fast". If a startup tries this, they will bleed for a fairly long time, until Flash starts losing ground. Even that will take a while, as long as Youtube uses it.
Joey
Because Adobe don't own the OS that most people use.
Flash, you'd probably see [i]them[/i] getting in trouble.
That would replacing bad with worse
That would replacing bad with worse
There's always Java.
penetration already, is free, and is stable on all
OSs.
Also there's a lot of material and training
available for it already, and it has uses outside
of the browser world, meaning skills from other
areas carry over a lot, as opposed to Flash and
the like.
Java works well for programmers...
Joey
???
whatever the same way regardless of what they're
having someone write the program in?
re: zero competition
Sorry, I didn't read the previous rambling which may have said the same
thing.
So I DON'T find it amazing...
their mobile devices.