Following Adobe’s latest release of patches for a number of its products, a discussion was started by Google researcher Tavis Ormandy who claimed that he himself has notified the company of some 400 holes he found in its Flash Player, but that Adobe has failed to give credit where credit is due.
In fact, Adobe has listed only 13 holes in Flash Player in the recent release, and failed to document others.
The discussion continued as some of Google’s researchers (including Ormandy) revealed that the bugs in questions were found by fuzzing.
“The initial run of the ongoing effort resulted in about 400 unique crash signatures, which were logged as 106 individual security bugs following Adobe’s initial triage. As these bugs were resolved, many were identified as duplicates that weren’t caught during the initial triage,” they explained.
“No analysis was performed to determine how many of the identified crashes were actually exploitable. However, each crash was treated as though it were potentially exploitable and addressed by Adobe. In the final analysis, the Flash Player update Adobe shipped earlier this week contained about 80 code changes to fix these bugs.”
After an initial silence on the matter, Adobe decided to offer an explanation. According to Computerworld, the company admitted that Ormandy had reported some 80 bugs in Flash Player, but defended their decision of not list all the vulnerabilities in the released security bulletins by saying that it usually doesn’t reveal or mention vulnerabilities found internally – by them or their partners.
Also, the question is whether all those 80 flaws would lead to an exploitable hole. As far as Adobe is concerned, only holes get a CVE number.