Users don't have to manually deploy any patch or update

Oct 21, 2011 08:57 GMT  ·  By

Adobe has released the much-anticipated update that fixes the problem pointed out by a Stanford University student, which revealed to the world that any website administrator could easily spy on visitors using a bug in the Flash Settings Manager.

According to V3, Adobe blamed the communication breakdown between them and Feross Aboukhadijeh, who discovered the issue, on the fact that the student sent his findings to an employee who was on leave at the time.

The company says the information should have been sent to its incident response team instead.

"The email with the report was sent to an Adobe employee who has been on sabbatical. The issue was not reported to the Adobe Product Security Incident Response Team (PSIRT), which is the contact for all vulnerability reports," a company spokesman told V3.

Because the fix only had to be applied on Adobe's own servers, users don't need to install any patches or updates manually.

The story broke when Feross Aboukhadijeh found that an older issue, which allowed any webmaster to spy on his site's visitors, had only been partially fixed.

The initial problem allowed a site owner to take over a visitor's webcam and microphone by placing the Adobe Flash Settings Manager inside an iframe which, when clicked, could enable the devices.

By embedding only the settings SWF file itself in an iframe, rather than the HTML page that wrapped it, he was able to bypass the frame-busting JavaScript code that was supposed to close the hole.
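The gap described above, a JavaScript frame-buster on the HTML wrapper page but nothing on the directly embeddable SWF, can be checked response by response. The audit below is an added example and not Adobe's code: the URLs and responses are constructed, while X-Frame-Options and CSP frame-ancestors are the real browser-enforced mechanisms that cover any framed resource, HTML or not.

```python
import re

# Constructed sample responses (url, headers, body); URLs are assumed, not Adobe's.
SAMPLE_RESPONSES = [
    ("https://settings.example/settings_manager.html",
     {"Content-Type": "text/html"},
     "<html><script>if (top != self) top.location = self.location;</script>"
     "<embed src='settings.swf'></html>"),
    ("https://settings.example/settings.swf",
     {"Content-Type": "application/x-shockwave-flash"},
     b"FWS\x0a..."),
]
# The same resources with header-level protection added on the server side.
FIXED_RESPONSES = [(u, dict(h, **{"X-Frame-Options": "DENY"}), b)
                   for u, h, b in SAMPLE_RESPONSES]

FRAMEBUSTER_RE = re.compile(r"top\s*(!==|!=)\s*self|top\.location", re.I)
FRAME_ANCESTORS_RE = re.compile(r"frame-ancestors\s+([^;]+)", re.I)

def header_protection(headers):
    """Return the header-level anti-framing policy, or None if there is none."""
    h = {k.lower(): v for k, v in headers.items()}
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return f"X-Frame-Options: {xfo}"
    m = FRAME_ANCESTORS_RE.search(h.get("content-security-policy", ""))
    if m and m.group(1).strip() != "*":
        return f"frame-ancestors {m.group(1).strip()}"
    return None

def classify(url, headers, body):
    """'header': browser-enforced; 'script-only': JS frame-buster inside an HTML
    document, which cannot cover a non-HTML asset framed directly; 'none'."""
    if header_protection(headers):
        return "header"
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if "text/html" in ctype and isinstance(body, str) and FRAMEBUSTER_RE.search(body):
        return "script-only"
    return "none"

def audit(responses):
    """List every (url, level) whose protection is not enforced by a header."""
    return [(u, classify(u, h, b)) for u, h, b in responses
            if classify(u, h, b) != "header"]

if __name__ == "__main__":
    print("before:", audit(SAMPLE_RESPONSES))
    print("after: ", audit(FIXED_RESPONSES))
```

Run as-is, the audit flags both sample resources before the header is added and nothing afterwards.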

Fortunately, the fix was made fairly quickly, before too many criminals could put the findings to use.

It's highly unfortunate that these situations keep showing up, but at least vendors are acting quickly to solve the problems. Recently, Opera faced the same scenario, where a year-old bug was endangering its customers' well-being by allowing a remote attacker to execute arbitrary code.