
Adobe Apologizes for Long Lasting Flash Crash Bug


Emmy Huang, Product Manager for Adobe Flash Player, has publicly apologized for a Flash bug that crashes the browser: although it was reported 17 months ago, no patch has yet been released for the production version of Flash Player.

Emmy insisted that crash bugs are a #1 priority for Adobe and suggested that a proper patch has not been deployed for such a long time because of a failure on Adobe's part to prioritize incoming bug reports:

The mistake we made was marking this bug for "next" release, which is the soon to be released Flash Player 10.1, instead of marking it for the next Flash Player 10 security dot release. We should have kept in contact with the submitter and to let him know the progress, sorry we did not do that. Having that line of communication open would have allowed him to let us know directly that it was still an issue. I intend to follow up with the product manager (or Adobe rep) who worked on this issue to make sure it doesn't happen again. It slipped through the cracks, and it is not something we take lightly.

As a result, Emmy says that “the [Flash] team is actively reviewing all unresolved crash bugs” at this moment.

The bug is still present in the current production version of Flash and the fix is only available in version 10.1 beta.

In the long period since the bug was disclosed, mochimedia has published a page that demonstrates the problem [link intentionally omitted] and explains the nature of the bug:

If a Flash 9 SWF loads the same URL twice with the first returning a Flash 7 SWF and the second time returning a Flash 8 SWF (or vice-versa), the Adobe Flash Player plug-in will attempt to dereference a null pointer, crashing the browser.

There is also a write-up from Matthew Dempsky, who developed the proof-of-concept exploit [link intentionally omitted]:

This page exploits a bug that I reported to Adobe in September 2008, and has affected every release of Flash on every platform since then. Despite numerous email exchanges with the Flash product manager about the bug, the bug report being hidden from the public for "security" reasons, and Adobe CTO Kevin Lynch's claims otherwise, it continues to be an issue.

BugTraq also had a post by Matthew dating back to October 2008:

On 2008.09.22, I submitted this issue to Adobe's JIRA bug tracking system, which recorded it as issue #FP-677. On 2008.09.23, the ticket was changed to private for security reasons, and Adobe told me they were able to reproduce the issue and were investigating it. On 2008.09.26, I told Adobe I planned on submitting this issue to BugTraq and asked if they had found any workarounds for users that I could include. On 2008.10.01, they told me they had resolved the problem and that a fix will be included in the next public update, but they did not provide any workarounds.
