Adobe Regrets Not Fixing a Flash Bug
During the first week of February 2010, Adobe Systems Inc. expressed regret and apologized for not patching a Flash Player bug that had existed for 16 months.
Security researchers first reported the Flash flaw on September 22, 2008. If exploited, it crashes Safari 3, Firefox and Internet Explorer 6 and 7. In other Web browsers, the Flash Player crashes although the browser remains active.
Andrew Storms, director of security operations at nCircle Network Security Inc., said that while plug-in and browser crashes might appear more or less harmless, attackers found them valuable. The reason was that such attackers knew how to push malware in following a software crash, as reported by ComputerWorld on February 8, 2010.
Commenting on the problem, Emmy Huang, Product Manager for Flash, stated that the bug had been rectified in a 'beta' version of Flash that was supposed to be officially released later this year (2010), as reported by TheRegister on February 9, 2010. Ms. Huang further said that any of the security patches issued during the past 16 months should have addressed the flaw.
According to her, Adobe's mistake was that it held the flaw over for the Flash Player 10.1 security update scheduled for release soon, rather than addressing it in the Flash Player 10 update, as reported by ComputerWorld.
Ms. Huang added that she was planning to consult the Adobe representative who took care of the problem to ensure that it didn't occur again.
She also stated that she wished to emphasize her company's policy of regarding crashes as most serious flaws. According to her, the Flash Player team believed that developers of ActionScript shouldn't ever let 'Flash Player' crash. If a crash took place, Adobe described it as a bug, and one that the company took extremely seriously.
Notably, an Adobe spokesman on February 8, 2010 declined to give an exact date for the Flash Player 10.1 release. He repeated that the final version would be issued sometime during January-June 2010, as the company had previously stated.
» SPAMfighter News - 15-02-2010