Adobe admits to 80 'code changes' in Flash Player


ID: IRCNE2011081216
Date: 2011-08-17

According to “ZDNET”, Adobe is fessing up to fixing much, much more than the 13 documented vulnerabilities in the latest critical Flash Player update.
Following an accusation from Google security researcher Tavis Ormandy that the company buried the fact that it patched a whopping 400 Flash Player vulnerabilities, Adobe security chief Brad Arkin admitted the patch “contains about 80 code changes” to fix flaws identified by Ormandy’s team.
Arkin explains:
We didn’t allocate any CVEs because we viewed this testing as part of the SPLC that spans the joint engineering efforts with the Google Chrome team. This led to some confusion since the Google security team has a different approach to CVE allocation.
The initial run of the ongoing effort resulted in about 400 unique crash signatures, which were logged as 106 individual security bugs following the initial triage. As these bugs were resolved, many were identified as duplicates that weren’t caught during the initial triage. In the final analysis, the Flash Player update we shipped earlier this week contains about 80 code changes to fix these bugs.
Ormandy, a high-profile researcher who has a history of controversial vulnerability disclosures, originally claimed his team sent 400 unique Flash Player vulnerabilities to Adobe as part of an ongoing security audit, but there’s no documentation on these fixes in the new update.
