Security researchers at Adobe Systems Inc. claimed that they knew of a Flash bug before it was used to crack a Windows Vista laptop last week in the "PWN To OWN" hacker challenge.
Late Wednesday, Adobe also said it had fixed the flaw and would patch the problem this month.
"After some internal investigation, we found that via our ongoing response and security testing process we were aware of the issue and had fixed it for our security update coming in the next Flash Player update later this month," said Erick Lee, the manager of Adobe's secure software engineering team, in a post to the group's blog.
3Com Inc.'s TippingPoint, which ponied up the cash prizes awarded for hacking a MacBook Air and the Vista-powered Fujitsu laptop, acquired the vulnerabilities as part of the deal and reported them last week to Apple Inc. and Adobe.
At the CanSecWest security conference last Friday, Shane Macaulay of Security Objectives claimed a US$5,000 prize by compromising the Fujitsu using an exploit of the Flash vulnerability Lee said had been known and fixed. According to TippingPoint, Macaulay took several hours to work up an attack, his difficulties caused by some of the defense-in-depth measures added by Microsoft to Service Pack 1 of Vista.
Neither Macaulay nor TippingPoint have discussed the Flash bug in more than general terms.
Lee downplayed the threat posed by the bug Macaulay used. "Adobe is not aware of any active exploits in wild," he said. "The security researchers have reported the information to us responsibly, giving the Flash Player team time to investigate and deliver a patch."
That patch will be issued as part of a previously scheduled update to Flash Player which is to, among other things, fix a long-standing problem posed by .swf files, the Adobe proprietary Shockwave Flash format. The .swf bug, which was reported in December by a Google Inc. researcher, has left thousands of Web sites vulnerable to cross-site scripting attacks.
More than three weeks ago, Adobe alerted users that a Flash Player update was coming. Although it said the patches would not affect end users, it warned Web site designers and administrators that they would need to make numerous changes to how they deliver Shockwave Flash content or risk their sites "breaking" when the April update lands on users' desktops.
Adobe was not immediately available to answer questions about when it first knew of the bug and why it had not released it earlier.
For more enterprise computing news, visit Computerworld. Story copyright © 2007 Computerworld Inc. All rights reserved.
- Sponsored Resource:Are you ready for virtualization? Try the sever assessment tool.
- Sponsored Resource:Stay at home servers. Learn more about a home server for your family.
- Sponsored Resource:Get the communications, data, and security a business needs in one neat package. Learn more.
- Sponsored Resource:Learn more about ultra light notebooks from Asus and the best warranty in the industry.
- Sponsored Resource:Thinking about a new Laptop? Lenovo has models to meet everyone's needs.
- Sponsored Resource:Get the truth about remanufactured ink. Learn more from HP.
- Sponsored Resource:Six smart ways to grow small business IT
News For Your Business
- OS X Virus Described
- Study Paints Open-Source Software as a Security Risk
- Laptop Security: Keep the Bad Guys at Bay
- SecuriKey Professional Edition 2.1
- San Francisco's Mayor Gets Back Keys to the Network
Community Comments