Did Adobe hide 400 vulnerability fixes in latest Flash Player patch?

Google information security engineer Tavis Ormandy accuses Adobe of burying the results of an ongoing security audit.
Written by Ryan Naraine, Contributor

A high-profile Google researcher has accused Adobe of hiding the fact that it patched a whopping 400 unique vulnerabilities in yesterday's critical Flash Player update.

According to Tavis Ormandy, an information security engineer at Google who has a history of controversial vulnerability disclosures, the 400 unique Flash Player vulnerabilities were sent to Adobe as part of an ongoing security audit but there's no documentation on these fixes in the new update.

"Apparently that number was embarrassingly high, and they're trying to bury the results, so I'll publish my own advisory later today," Ormandy said on his Twitter feed.

Adobe's advisory that accompanies the Flash Player update does in fact acknowledge Ormandy's work:

Adobe would also like to thank Tavis Ormandy and the Google Chrome team for their great work on several improvements to this Flash Player release.

However, only 13 unique vulnerabilities are documented in the release and this prompted a series of snippy back-and-forth Twitter messages between Ormandy and Adobe spokeswoman Wiebke Lips.

"Tavis, please do not confuse sample files with unique vulnerabilities. What is Google's agenda here?" Lips said. (This Twitter message has since been deleted).

Ormandy's response:

"I don't know what Google's agenda is, but my agenda is getting credit for my work and getting vulnerabilities documented."

Almost lost in the public spat is the fact that Adobe's ubiquitous Flash Player contains vulnerabilities that could lead to remote code execution attacks.  The security flaws, described as "critical," affect Adobe Flash Player and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player and earlier versions for Android.

"These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system," Adobe warned.

Adobe also shipped separate advisories to warn about security holes in Shockwave, Flash Media Server, Photoshop and RoboHelp.

* See more from Computerword's Gregg Keizer on the Ormandy/Adobe spat.

Editorial standards