Skip to main content

audit

See All Stories

Google engineer claims Adobe hid “embarrassingly high” number of Flash Player bugs

Site default logo image

After sending out the usual laundry list of bug fixes for its Flash Player yesterday, Adobe is coming under pressure from Google security engineer Tavis Ormandy who claims the update only listed 13 of the approximately “400 unique vulnerabilities”… A number he describes as “embarrassingly high”.

Ormandy claims he sent the bugs to be fixed “as part of an ongoing security audit” and, according to a report from Computerworld, was “upset that he was not credited for his bug reports”. After noticing he hadn’t received credit in the patch, he took to Twitter to address his concerns, prompting Adobe’s senior manager of corporate communications to tweet the following:

“Tavis, please do not confuse sample files with unique vulnerabilities. What is Google’s agenda here?”

Ormandy responded, also in a tweet, saying:

“I don’t know what Google’s agenda is, but my agenda is getting credit for my work and getting vulnerabilities documented.”

Hours before the patch officially rolled out, Google launched the latest version of Chrome 13 and 14, which included the Flash Player patch in question, and was accompanied by the following statement from Google:

“The Chrome Team would especially like to thank Tavis Ormandy, the Google Security Team, and Google for donating a large amount of time and compute power to identify a significant number of vulnerabilities resolved in this release of Flash Player.”

Adobe did credit 10 other researchers in the report accompanying the update, but had only this to say about Google and Ormandy’s work:


Expand
Expanding
Close

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications