We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Adobe apologises for not patching 16-month old Flash bug

Bug fixed in Flash Player 10.1 Beta

Adobe has said sorry for not patching a 16-month-old bug in Flash Player, despite updating the the popular plug-in four times since the flaw was reported.

The bug has been fixed, said Adobe, in the beta of Flash Player 10.1, which was released last November. The final version of Flash Player 10.1, however, will not ship until later this year.

Security researcher Matthew Dempsey first reported the Flash vulnerability September 22, 2008, according to Adobe's public bug tracking database. When exploited, the flaw causes any browser equipped with Flash Player 9 and later to crash.

Although browser and plug-in crashes may seem relatively innocuous, they're valuable to attackers, who are often able to devise a way to inject malicious code after an application's crash, said Andrew Storms, director of security operations at nCircle Network Security.

Dempsey has created a site that runs proof-of-concept attack code demonstrating the vulnerability. (Warning: The site will crash browsers equipped with current versions of Flash Player.)

Although the bug has been patched in Flash Player 10.1 Beta, it should have been fixed long before, an Adobe manager admitted.

"The mistake we made was marking this bug for 'next' release, which is the soon-to-be-released Flash Player 10.1, instead of marking it for the next Flash Player 10 security dot release," said Emmy Huang, product manager for Flash Player, in a blog.

In the 16 months since Dempsey reported the bug, Adobe patched Flash Player four different times, once in late 2008, then again in February, July and December of 2009 .

Huang's excuse was that Dempsey reported the crash bug in the lead up to the release of Flash Player 10.

"Remember that Flash Player 10 shipped in October 2008, so when this bug was reported we were pretty much locked and loaded for launch," she said.

"I intend to follow up with the product manager (or Adobe rep) who worked on this issue to make sure it doesn't happen again," Huang said. "It slipped through the cracks, and it is not something we take lightly."

Huang also called crash bugs, which some vendors dismiss as second-class vulnerabilities, 'serious 'A' priority bugs', and added that Adobe's policy is that "ActionScript developers should never be able to crash Flash Player".

ActionScript is the scripting language supported by Flash.

Flash Player 10.1 Beta 2, available for Windows, Mac OS X and Linux , includes the patch for Dempsey's crash bug, and can be downloaded from Adobe Labs' site.

An Adobe spokesman today declined to specify a release date for Flash Player 10.1, sticking to the company's earlier timeline of final version availability sometime in the first half of this year.

See also: Adobe helps Flash developers build Apple iPad apps

IDG UK Sites

Best Christmas 2014 UK tech deals, Boxing Day 2014 UK tech deals & January sales 2015 UK tech...

IDG UK Sites

LED vs Halogen: Why now could be the right time to invest in LED bulbs

IDG UK Sites

Christmas' best ads: See great festive spots studios have created to promote themselves and clients

IDG UK Sites

Why Apple shouldn't be blamed for exploitation in China and Indonesia