Softpedia
 


August 10th, 2011, 14:57 GMT · By

Researcher Claims Adobe Is Trying to Hide Flash Player Patch Size



Researcher and Adobe disagree on number of patched Flash vulnerabilities
Google security engineer Tavis Ormandy claims the "several improvements" he is credited for in the latest Flash Player security bulletin are actually 400 vulnerabilities.

"Adobe patched around 400 unique vulnerabilities I had sent them in APSB11-21 as part of an ongoing security audit. Not a typo," the researcher wrote on Twitter.

"Apparently that number was embarrassingly high, and they're trying to bury the results, so I'll publish my own advisory later today," he added.

Ormandy's comments prompted a response from Wiebke Lips, senior manager of corporate communications at Adobe, who appeared to question the researcher's claims.

"Tavis, please do not confuse sample files with unique vulnerabilities. What is Google's agenda here?" the spokeswoman wrote in a tweet that she later deleted.

Ormandy replied that this has nothing to do with Google and that he just wants recognition for his work. He also claimed that he had tried unsuccessfully for the past two days to get confirmation from Adobe that they won't misrepresent the number of vulnerabilities.

The reactions from other security researchers have been mostly positive, with Ormandy being congratulated for his work. "You going to do a blog post? Would be interested to see some of the details. Great work!" said fellow researcher Mark Dowd.

"400 is a huge number so congrats to you and your team! Hope that Adobe is paying Google a few millions to audit Flash ;-)" commented VUPEN's Chaouki Bekrar.

Other security experts were amused by the apparent quarrel between Ormandy and Adobe, pointing out that this is not the first time the Google engineer has generated controversy.

"Google's laissez-faire mentality with regard to @taviso's personal research leads to some hilarious situations. It is fun to watch," said Aaron Portnoy, TippingPoint's security research team manager.

Adobe released Flash Player 10.3.183.5 as a security update yesterday. The accompanying security bulletin listed thirteen critical vulnerabilities but none of them were credited to Tavis Ormandy.
