Adobe acknowledges the 80 Flash Player bugs found by Google
Posted on 16 August 2011.
Bookmark and Share
Following Adobe's latest release of patches for a number of its products, a discussion was started by Google researcher Tavis Ormandy who claimed that he himself has notified the company of some 400 holes he found in its Flash Player, but that Adobe has failed to give credit where credit is due.

In fact, Adobe has listed only 13 holes in Flash Player in the recent release, and failed to document others.

The discussion continued as some of Google's researchers (including Ormandy) revealed that the bugs in questions were found by fuzzing.

"The initial run of the ongoing effort resulted in about 400 unique crash signatures, which were logged as 106 individual security bugs following Adobe's initial triage. As these bugs were resolved, many were identified as duplicates that weren't caught during the initial triage," they explained.

"No analysis was performed to determine how many of the identified crashes were actually exploitable. However, each crash was treated as though it were potentially exploitable and addressed by Adobe. In the final analysis, the Flash Player update Adobe shipped earlier this week contained about 80 code changes to fix these bugs."

After an initial silence on the matter, Adobe decided to offer an explanation. According to Computerworld, the company admitted that Ormandy had reported some 80 bugs in Flash Player, but defended their decision of not list all the vulnerabilities in the released security bulletins by saying that it usually doesn't reveal or mention vulnerabilities found internally - by them or their partners.

Also, the question is whether all those 80 flaws would lead to an exploitable hole. As far as Adobe is concerned, only holes get a CVE number.






Spotlight

Attackers use reflection techniques for larger DDoS attacks

Posted on 17 April 2014.  |  Instead of using a network of zombie computers, newer DDoS toolkits abuse Internet protocols that are available on open or vulnerable servers and devices. This approach can lead to the Internet becoming a ready-to-use botnet for malicious actors.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Thu, Apr 17th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //