
Adobe sorry for late Flash bug patch

10 February 2010

Adobe has apologized for a bug in its Flash Player that it has only just patched, 16 months after it was originally filed.

The bug was submitted to Adobe by researcher Matthew Dempsky in September 2008. It causes Flash Player and the browser to crash when a Flash 9 SWF loads two SWF files from URLs in sequence, the first built for Flash Player 7 and the second for Flash Player 8. The Flash Player plug-in then attempted to dereference a null pointer, which is what caused the crash.

There is no evidence that the bug could be exploited, for example to run arbitrary code, but Adobe's Flash Player product manager Emmy Huang apologized on her blog, arguing that the company takes "crasher" bugs seriously and explaining that this one slipped through the cracks.

Huang explained that the bug was submitted after code had been frozen for version 10 of Adobe Flash Player, making it impossible to fix in that release.

"The mistake we made was marking this bug for 'next' release, which is the soon-to-be released Flash Player 10.1, instead of marking it for the next Flash Player 10 security dot release. We should have kept in contact with the submitter and let him know the progress; sorry we did not do that."

The embarrassment couldn't come at a worse time for Adobe. Steve Jobs has been quoted as saying that Adobe is too lazy and that its Flash Player is too buggy. This has been posited as the reason he did not integrate Adobe's Flash Player into the recently launched iPad, leading Adobe's platform evangelist Lee Brimelow to post an angry response showing a selection of sites that would not display correctly on the new Apple device.

The bug has now been fixed in Adobe Flash Player 10.1.

This article is featured in:
Application Security • Compliance and Policy
