H-Online: Officially, Adobe’s current update for Flash Player has closed only 13 holes, but unofficially it is said to have closed several hundred. Security specialist Tavis Ormandy, who works for Google, claims that he discovered 400 holes and notified Adobe of them. The specialist has now complained that, while the holes have been closed, they haven’t been mentioned in the official advisory, and he hasn’t been given credit for their discovery.
Ormandy says that he plans to release his own advisory soon. Ormandy is quite a well-known security specialist; he regularly discovers critical software holes and, for instance, started a dispute with Microsoft last year.
Why Adobe has only mentioned 13 holes and left the rest officially undocumented is as yet unclear. One reason could be that Google and Adobe have agreed to co-operate in troubleshooting Flash Player. Flaws that are found in this context are probably treated as having been discovered internally – and Adobe’s guidelines state that such flaws are not mentioned explicitly in official advisories. Microsoft pursues a similar strategy for holes that are discovered internally.
Another issue of contention appears to be the point at which a flaw becomes a hole. In Adobe’s view, a hole apparently requires a CVE number and a PoC exploit, while Ormandy probably only reported “unique bugs”, most of which were discovered via fuzzing.
At least Ormandy receives adequate credit in Google’s release notes for the Flash update in Chrome 13.0.782.112: the Google team said that it would like to thank Ormandy “for donating a large amount of time and compute power to identify a significant number of vulnerabilities”.