Did Adobe hide 400 vulnerability fixes in latest Flash Player patch?

Summary: Google information security engineer Tavis Ormandy accuses Adobe of burying the results of an ongoing security audit.

A high-profile Google researcher has accused Adobe of hiding the fact that it patched a whopping 400 unique vulnerabilities in yesterday's critical Flash Player update.

According to Tavis Ormandy, an information security engineer at Google who has a history of controversial vulnerability disclosures, the 400 unique Flash Player vulnerabilities were sent to Adobe as part of an ongoing security audit, but there is no documentation of these fixes in the new update.

"Apparently that number was embarrassingly high, and they're trying to bury the results, so I'll publish my own advisory later today," Ormandy said on his Twitter feed.

Adobe's advisory that accompanies the Flash Player update does in fact acknowledge Ormandy's work:

Adobe would also like to thank Tavis Ormandy and the Google Chrome team for their great work on several improvements to this Flash Player release.

However, only 13 unique vulnerabilities are documented in the release, which prompted a series of snippy back-and-forth Twitter messages between Ormandy and Adobe spokeswoman Wiebke Lips.

"Tavis, please do not confuse sample files with unique vulnerabilities. What is Google's agenda here?" Lips said. (This Twitter message has since been deleted).

Ormandy's response:

"I don't know what Google's agenda is, but my agenda is getting credit for my work and getting vulnerabilities documented."

Almost lost in the public spat is the fact that Adobe's ubiquitous Flash Player contains vulnerabilities that could lead to remote code execution attacks. The security flaws, described as "critical," affect Adobe Flash Player 10.3.181.36 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 10.3.185.25 and earlier versions for Android.
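For administrators who want to check an inventory against the affected ranges quoted above, here is an added example (not from the article, Adobe or Google) that compares an installed Flash Player build against the per-platform thresholds named in the advisory summary. The platform keys and the helper names are this example's own choices; the thresholds are the ones the article states, and the comma-separated form accepted by the parser is the format Flash's own Capabilities.version reports (e.g. "WIN 10,3,181,36").

```python
# Added example: is an installed Flash Player build inside the affected range?
# Thresholds come from the article: these versions "and earlier" are affected.
from typing import Tuple

AFFECTED_MAX = {
    "windows": "10.3.181.36",
    "macintosh": "10.3.181.36",
    "linux": "10.3.181.36",
    "solaris": "10.3.181.36",
    "android": "10.3.185.25",
}

def parse_version(s: str) -> Tuple[int, int, int, int]:
    """Turn a Flash version string into a 4-tuple of ints.

    Accepts the dotted form ('10.3.181.36') and the form Flash reports
    itself ('WIN 10,3,181,36'). Missing trailing components are padded
    with zeros so '10.3' compares as 10.3.0.0.
    """
    digits = s.strip().split()[-1].replace(",", ".")
    parts = digits.split(".")
    if not parts or not all(p.isdigit() for p in parts) or len(parts) > 4:
        raise ValueError(f"not a Flash version string: {s!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return nums[0], nums[1], nums[2], nums[3]

def is_affected(platform: str, installed: str) -> bool:
    """True when `installed` is at or below the affected threshold for `platform`.

    Tuple comparison is component-wise and numeric, so 10.3.183.5 correctly
    sorts above 10.3.181.36 even though a string comparison would not.
    """
    key = platform.lower()
    if key not in AFFECTED_MAX:
        raise KeyError(f"no threshold known for platform {platform!r}")
    return parse_version(installed) <= parse_version(AFFECTED_MAX[key])

if __name__ == "__main__":
    # Constructed sample inventory, not real data.
    inventory = [
        ("Windows", "WIN 10,3,181,36"),
        ("Linux", "10.3.181.34"),
        ("Windows", "10.3.183.5"),
        ("Android", "10.3.185.25"),
        ("Android", "10.3.186.2"),
    ]
    for platform, ver in inventory:
        status = "AFFECTED" if is_affected(platform, ver) else "ok"
        print(f"{platform:<10} {ver:<18} {status}")
```

The check is deliberately conservative: a build exactly at the threshold counts as affected, matching the advisory's "and earlier" wording.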

"These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system," Adobe warned.

Adobe also shipped separate advisories to warn about security holes in Shockwave, Flash Media Server, Photoshop and RoboHelp.

* See more from Computerworld's Gregg Keizer on the Ormandy/Adobe spat.

Talkback

26 comments
  • Tavis Ormandy is an attention-seeking, obnoxious ******bag

    He's the guy who reported a bug to Microsoft and demanded that they committed to *his* schedule for a fix, even before they had a chance to analyze it (he reported it on a Saturday).

    When they could not commit to a schedule before 4 days he went public with vulnerability info. Barely 4 days later the bad guys started exploiting it.

    When he was made aware that this was against the official policy of his employer (Google) who at the time supported responsible disclosure, he claimed that he publicized as a private person. A private person who used Google resources and discussed with Google employees.

    The guy is a genuine *********, an attention-seeking nuisance.

    And now he is at it again, claiming that he has been cheated out of his deserved attention.

    Google, drop this guy. He is a liability.
    honeymonster
    • Ya, he is a bona fide goof.

      @honeymonster

      On the one hand perhaps we could sit around and extol the accolades of virtue on these GEEKS who love to proclaim they have discovered the end of the world, but let's get down to brass tacks. He's a MASSIVE goof who has decided that if the rest of the world doesn't bow down and pay homage to his intellect and demands, he alone will wreak havoc upon the world. Kind of sounds like the maniacal cartoon character the RED SKULL.

      He should get a real genuine life and if he wants to help, then fine, help. But seriously, lose the delusions of grandeur and get a life. Adobe patches do not a life make.

      For anyone.

      Hey, try pushing this one on America's Got Talent. I'm sure Howie will say, "You seem to be good at what you do, but the fact is that nobody cares and in the big picture it doesn't matter at all, and you're the exact opposite of entertaining".
      Cayble
  • Google should help him...

    Google should fire his ass. Or better said, help him make a name for himself by simplifying things and therefore encouraging him to begin his own startup.
    cameigons
    • Google should fire his ass?

      @cameigons

      Well, I'm all for progressive discipline, but ya, this GEEK is a moron. I admit, I feel sorry for those who have tied their life into their fascination with IT, and shunned normal human relations because no normal person likes IT as much as they do, they find women just don't generally want to sit around and listen how you found 400 vulnerabilities in Adobe, ...well for that matter does anyone find that a point of serious interest????

      This guy has to get a little bit real. Like it or not, he is not uncovering the Watergate scandal or discovering the secret of E=MC2.

      Get a life, chum. Help out and be humble or leave it to the pros who do not bind their self-esteem to how many vulnerabilities they can find in Adobe.

      And I mean seriously.
      Cayble
  • RE: Did Adobe hide 400 vulnerability fixes in latest Flash Player patch?

    "The guy is a genuine *********, an attention-seeking nuisance."

    I don't know, be thankful he's telling Adobe and Microsoft about them instead of quietly selling them to the Russian mob.
    wkulecz
  • RE: Did Adobe hide 400 vulnerability fixes in latest Flash Player patch?

    Why does Google even bundle that security nightmare crap with Chrome? Anyways, I have flash disabled :)
    shellcodes_coder
    • RE: Did Adobe hide 400 vulnerability fixes in latest Flash Player patch?

      @shellcodes_coder That's what I'm talking about. I don't care that this guy wants his credit, but Adobe shouldn't lie about that many vulnerabilities. They should just own up to the fact that Flash is a poor excuse for a secure plugin. They continue to fail at making it safe, they should just give up.
      xamountofwords
  • RE: Did Adobe hide 400 vulnerability fixes in latest Flash Player patch?

    The guy seems so desperate to be famous :p

    Hmm, currently using the 11.0 beta version of flash and haven't seen an update for it :O Could it already be safe from these 400 threats :| doubt that.
    MrElectrifyer
    • RE: Did Adobe hide 400 vulnerability fixes in latest Flash Player patch?

      Beta 2 came out 2 days ago.
      Michael Alan Goff
    • RE: Did Adobe hide 400 vulnerability fixes in latest Flash Player patch?

      @MrElectrifyer - Gee, and every one of you ridicules Apple for not allowing Flash on their iOS. Hmmmm....wonder how much more you would have ridiculed Apple for including Flash!
      The Danger is Microsoft
  • I'd bet there's thousands of undocumented security fixes in

    almost every flash security patch. They probably only document the ones that were previously publicly known. And I bet there are thousands more to come. Not using flash and not missing it...
    Johnny Vegas
    • RE: Did Adobe hide 400 vulnerability fixes in latest Flash Player patch?

      @Johnny Vegas and shellcodes_coder

      It depends on what you want from your internet. I'd guess that the majority of people who get online love those animations and movies (on the majority of web sites that don't yet support HTML5). Until HTML5 becomes the ubiquitous standard that web devs use, we're stuck with flash.
      BDAKiwi
  • anonymous should kill flash

    but that would probably mean that they could no longer hack anonymously... :^)
    walkerjian
  • RE: Did Adobe hide 400 vulnerability fixes in latest Flash Player patch?

    Adobe Flash is pathetic. Glad I don't have it on my iPhone or iPad!!
    rpsin
    • GOOD FOR YOU.

      @rpsin

      Millions around the world get the fantastic benefits from flash but you,...you in your wise wisdom are so joyful and happy you don't. Good for you.

      I'm sure it makes your life because the hundreds of millions around the world who do use flash are clearly blown offline and have no workable computers anymore because of flash?

      MORON. Please try next time to make a statement that has some context to reality.

      Are you that worried about security that you think having no flash is good? Wow. You must be a member of the Department of Defence that can't even risk that one in one hundred million that a flash exploit will infiltrate your phone...

      Goof.
      Cayble
      • RE: Did Adobe hide 400 vulnerability fixes in latest Flash Player patch?

        @Cayble
        Hey Cayble, I read a couple of your posts, and I think you should try:
        Growing up
        Learning to spell

        Flash has been way too buggy for way too long, roll on universal use of HTML5
        BDAKiwi
      • RE: Did Adobe hide 400 vulnerability fixes in latest Flash Player patch?

        @Cayble
        The fact of the matter is that Flash has always been buggy and people have always complained about it until Apple disallowed it on their phones and tablets. Now many of those same people I see here on ZDNet crow about it like it's the most important thing since the microchip.
        Tigertank
  • RE: Did Adobe hide 400 vulnerability fixes in latest Flash Player patch?

    Make Apple like it now.
    trm1945
  • Bidsget;

    I just paid $22.87 for an iPad2-64GB and my girlfriend loves her Panasonic Lumix GF 1 Camera that we got for $38.76 there arriving tomorrow by UPS. I will never pay such expensive retail prices in stores again. Especially when I also sold a 40 inch LED TV to my boss for $675 which only cost me $62.81 to buy. Here is the website we use to get it all from, BidsGet.com
    kristine13
    • RE: Did Adobe hide 400 vulnerability fixes in latest Flash Player patch?

      @kristine13

      there really should be a report spam button for these s**theads
      shadowscrawl