After sending out the usual laundry list of bug fixes for its Flash Player yesterday, Adobe is coming under pressure from Google security engineer Tavis Ormandy, who claims the update listed only 13 of the approximately “400 unique vulnerabilities”, a number he describes as “embarrassingly high”.

Ormandy claims he sent the bugs to be fixed “as part of an ongoing security audit” and, according to a report from Computerworld, was “upset that he was not credited for his bug reports”. After noticing he hadn’t received credit in the patch, he took to Twitter to address his concerns, prompting Adobe’s senior manager of corporate communications to tweet the following:

“Tavis, please do not confuse sample files with unique vulnerabilities. What is Google’s agenda here?”

Ormandy responded, also in a tweet, saying:

“I don’t know what Google’s agenda is, but my agenda is getting credit for my work and getting vulnerabilities documented.”

Hours before the patch officially rolled out, Google launched the latest versions of Chrome 13 and 14, which included the Flash Player patch in question and were accompanied by the following statement from Google:

“The Chrome Team would especially like to thank Tavis Ormandy, the Google Security Team, and Google for donating a large amount of time and compute power to identify a significant number of vulnerabilities resolved in this release of Flash Player.”

Adobe did credit 10 other researchers in the report accompanying the update, but had only this to say about Google and Ormandy’s work:

“Adobe would also like to thank Tavis Ormandy and the Google Chrome team for their great work on several improvements to this Flash Player release.”

4 Responses to “Google engineer claims Adobe hid “embarrassingly high” number of Flash Player bugs”

  1. I dislike all things Adobe! From their “rip-off” license models to crappy bug-filled software. Too bad Jobs couldn’t put a fork in them once and for all.

  2. scofield says:

    Indeed. I think that's why Adobe pops up the update box every several days.

  3. jjj says:

    Want to see an Adobe product full of security holes? Check out CQ5, aka ADEP.

  4. fail says:

    Adobe Flash Player must die.