Adobe apologises for unpatched Flash vulnerability
Adobe has taken the bull by the horns and officially apologised for not fixing a flaw in the Flash plug-in which has been known since 2008. The problem can cause a total browser crash and is due to a null-pointer dereference that occurs when a URL is repeatedly loaded via a Flash applet.
While the flaw can't be exploited to compromise a system, Adobe says that reports of such problems are taken very seriously and are usually given very high internal priority. The vendor says web page developers should never be able to crash a browser via ActionScript or other methods.
Emmy Huang, the product manager for Adobe Flash Player, explains in her blog that the flaw slipped through the developers' net because they were in the final pre-release phase of Flash Player 10 when the report came in. She said that it was then, unfortunately, decided to close the flaw in the next release, version 10.1, whereas Adobe should have marked it for the next security release instead. So far only a beta of version 10.1 is available, although it does contain a fix for the flaw. In addition, Adobe apparently neglected to inform Matthew Dempsey, the developer who discovered the hole, about the proceedings.
The incident seems to lend credence to Apple's plan not to integrate the Flash Player into the iPad. According to Steve Jobs, the Flash Player is too flawed and Adobe is too lazy. Jobs said that nobody will be using Flash and that the world is switching to HTML5, which supports audio and video without any plug-ins.
- Flash Player 10 released, a report from The H.