Adobe has acknowledged that an internal screw-up caused a potentially dangerous Flash Player flaw to remain unpatched for more than 16 months after it was first reported by an external security researcher.
"It slipped through the cracks," said Emmy Huang, a product manager for Flash Player. Adobe's mea-culpa follows the public release of proof-of-concept code demonstrating a Flash Player browser plug-in crash.
Matthew Dempsey, the researcher who found and reported the flaw in September 2008, explains the issue:
If a Flash 9 SWF loads the same URL twice with the first returning a Flash 7 SWF and the second time returning a Flash 8 SWF (or vice-versa), the Adobe Flash Player plug-in will attempt to dereference a null pointer, crashing the browser.
Dempsey's code, which completely crashes the browser, was tested with Safari 3.1.2 and Firefox 3.0.1 with Adobe's Flash Player plug-in 220.127.116.11, 18.104.22.168, and 10.0.12.10 on OS X 10.5.4 and 10.5.5.
Adobe's policy is that software crashes are serious "A" priority bugs.
"If a crash occurs, it is by definition a bug, and one that Adobe takes very seriously. When they happen, it can be the result of something going on purely within Flash Player, something in the browser, or even at the OS level," according to Adobe's Huang.
Huang said the issue was fixed in the Flash Player 10.1 beta but had been erroneously tagged to be fixed in the "next" release, which meant that four different Flash Player 9 patches were released without this fix.
"So what happened here? We picked up the bug as a crasher when it was filed on September 22, 2008, and were able to reproduce it. Remember that Flash Player 10 shipped in October 2008, so when this bug was reported we were pretty much locked and loaded for launch. The mistake we made was marking this bug for the 'next' release, which is the soon-to-be-released Flash Player 10.1, instead of marking it for the next Flash Player 10 security dot release. We should have kept in contact with the submitter to let him know the progress; sorry we did not do that. Having that line of communication open would have allowed him to let us know directly that it was still an issue. I intend to follow up with the product manager (or Adobe rep) who worked on this issue to make sure it doesn't happen again. It slipped through the cracks, and it is not something we take lightly."
Adobe's Flash Player is among the most commonly exploited applications on Windows machines.