
Adobe Apologizes for Long Lasting Flash Crash Bug

by Dio Synodinos on Feb 09, 2010. Estimated reading time: 2 minutes

Emmy Huang, Product Manager for Adobe Flash Player, has publicly apologized for a Flash bug that crashes the browser and that, although it was reported 17 months ago, has still not been patched in the production version of Flash Player.

Emmy insisted that crash bugs are a #1 priority for Adobe and suggested that a proper patch has not been deployed for such a long time because Adobe failed to prioritize the incoming bug report correctly:

The mistake we made was marking this bug for "next" release, which is the soon to be released Flash Player 10.1, instead of marking it for the next Flash Player 10 security dot release. We should have kept in contact with the submitter and let him know the progress; sorry we did not do that. Having that line of communication open would have allowed him to let us know directly that it was still an issue. I intend to follow up with the product manager (or Adobe rep) who worked on this issue to make sure it doesn't happen again. It slipped through the cracks, and it is not something we take lightly.

As a result, Emmy says that “the [Flash] team is actively reviewing all unresolved crash bugs” at this moment.

The bug is still present in the current production version of Flash and the fix is only available in version 10.1 beta.

During the long period since the bug was disclosed, mochimedia has published a page that demonstrates the problem [link intentionally omitted] and explains the nature of the bug:

If a Flash 9 SWF loads the same URL twice with the first returning a Flash 7 SWF and the second time returning a Flash 8 SWF (or vice-versa), the Adobe Flash Player plug-in will attempt to dereference a null pointer, crashing the browser.

There's also a write-up from Matthew Dempsky, who developed the proof-of-concept exploit [link intentionally omitted]:

This page exploits a bug that I reported to Adobe in September 2008, and has affected every release of Flash on every platform since then. Despite numerous email exchanges with the Flash product manager about the bug, the bug report being hidden from the public for "security" reasons, and Adobe CTO Kevin Lynch's claims otherwise, it continues to be an issue.

BugTraq also had a post by Matthew dating back to October 2008:

On 2008.09.22, I submitted this issue to Adobe's JIRA bug tracking system, which recorded it as issue #FP-677. On 2008.09.23, the ticket was changed to private for security reasons, and Adobe told me they were able to reproduce the issue and were investigating it. On 2008.09.26, I told Adobe I planned on submitting this issue to BugTraq and asked if they had found any workarounds for users that I could include. On 2008.10.01, they told me they had resolved the problem and that a fix will be included in the next public update, but they did not provide any workarounds.


Adobe CTO quote missing, btw has Adobe stopped approving blog comments? by Peter Thomas

There's an important piece missing in this article. A recent quote from Kevin Lynch, Adobe CTO:
Regarding crashing, I can tell you that we don't ship Flash with any known crash bugs, and if there was such a widespread problem historically Flash could not have achieved its wide use today. [..] Addressing crash issues is a top priority in the engineering team, and currently there are open reports we are researching in Flash Player 10.
It was this quote that triggered the whole "pointed out by the community" phenomenon - as Emmy charmingly puts it.

And has Adobe stopped approving comments across blogs.adobe.com? Emmy's blog post is an example, and "Following the open trail" at "Open at Adobe" is another.

Doesn't sound very "open" to me :P

Re: Adobe CTO quote missing, btw has Adobe stopped approving blog comments? by Brian Edwards

You beat me to it!

Re: Adobe CTO quote missing, btw has Adobe stopped approving blog comments? by Emmy Huang

Hi,

The comments are open on my blog. No one has commented. People seem to prefer tweeting these days. Also, Dave's blog filtered the comments to spam, so it took him a while to approve them. They're all approved now.

best,
Emmy
Group Product Manager, Adobe Flash Player

Toyota-style recalls? by george naing

When will software vendors be liable to recalls as in auto industry?

george
ethicminds.blogspot.com/

Re: Adobe CTO quote missing, btw has Adobe stopped approving blog comments? by Charles Gehman

Proof that Steve Jobs' widely quoted "Adobe is Lazy" comment is absolutely right on the money.
