Adobe acknowledges the 80 Flash Player bugs found by Google
Posted on 16 August 2011.
Following Adobe's latest release of patches for a number of its products, Google researcher Tavis Ormandy started a discussion by claiming that he himself had notified the company of some 400 holes he found in its Flash Player, but that Adobe had failed to give credit where credit is due.

In fact, Adobe has listed only 13 holes in Flash Player in the recent release, and failed to document others.

The discussion continued as some of Google's researchers (including Ormandy) revealed that the bugs in question were found by fuzzing.

"The initial run of the ongoing effort resulted in about 400 unique crash signatures, which were logged as 106 individual security bugs following Adobe's initial triage. As these bugs were resolved, many were identified as duplicates that weren't caught during the initial triage," they explained.

"No analysis was performed to determine how many of the identified crashes were actually exploitable. However, each crash was treated as though it were potentially exploitable and addressed by Adobe. In the final analysis, the Flash Player update Adobe shipped earlier this week contained about 80 code changes to fix these bugs."

After an initial silence on the matter, Adobe decided to offer an explanation. According to Computerworld, the company admitted that Ormandy had reported some 80 bugs in Flash Player, but defended its decision not to list all the vulnerabilities in the released security bulletins by saying that it usually doesn't reveal or mention vulnerabilities found internally, whether by Adobe or by its partners.

There is also the question of whether all those 80 flaws would lead to an exploitable hole. As far as Adobe is concerned, only holes get a CVE number.





