After sending out the usual laundry list of bug fixes for its Flash Player yesterday, Adobe is coming under pressure from Google security engineer Tavis Ormandy who claims the update only listed 13 of the approximately “400 unique vulnerabilities”… A number he describes as “embarrassingly high”.
Ormandy claims he sent the bugs to be fixed “as part of an ongoing security audit” and, according to a report from Computerworld, was “upset that he was not credited for his bug reports”. After noticing he hadn’t received credit in the patch, he took to Twitter to address his concerns, prompting Adobe’s senior manager of corporate communications to tweet the following:
“Tavis, please do not confuse sample files with unique vulnerabilities. What is Google’s agenda here?”
Ormandy responded, also in a tweet, saying:
“I don’t know what Google’s agenda is, but my agenda is getting credit for my work and getting vulnerabilities documented.”
Hours before the patch officially rolled out, Google launched the latest version of Chrome 13 and 14, which included the Flash Player patch in question, and was accompanied by the following statement from Google:
“The Chrome Team would especially like to thank Tavis Ormandy, the Google Security Team, and Google for donating a large amount of time and compute power to identify a significant number of vulnerabilities resolved in this release of Flash Player.”
Adobe did credit 10 other researchers in the report accompanying the update, but had only this to say about Google and Ormandy’s work: