Adobe explains Flash Player hole count differences

Brad Arkin, Adobe's Director of Product Security and Privacy, has made an official statement about the accusations that Adobe omitted 400 security holes in its latest Flash Player update. The advisory only mentioned 13 security holes with official CVE (Common Vulnerability Enumeration) numbers; these numbers allow them to be uniquely identified.

However, Google security team member Tavis Ormandy complained that he had notified Adobe of 400 potential security holes that had not been listed in the advisory. Arkin said that the flaws weren't officially mentioned because they were discovered as part of Adobe's Secure Product Lifecycle (SPLC). The executive explained that Adobe doesn't assign CVE number to flaws that are discovered internally, and that CVE numbers are only intended for bugs which are publicly known. The same policy apparently applies if a bug is reported by a partner – and Google co-operates with Adobe, at least in terms of Flash Player security issues.

Furthermore, Arkin said that Ormandy found most of the flaws by fuzzing, which apparently caused 400 crashes, but could be reduced to 106 unique flaws. In the first official version of the advisory, Adobe did thank Ormandy and Google for their "great work on several improvements to this Flash Player release", but it appears that this acknowledgement wasn't enough for Ormandy. Adobe has now updated the advisory and explicitly added Ormandy in first place under CVE number CVE-2011-2424. This CVE number has been assigned to collectively reference Ormandy's reported flaws.

(djwm)