Adobe claims it knew of 'PWN 2 OWN' Flash bug
Security researchers at Adobe
Systems Inc. claimed that they knew of a Flash bug before it was used to
crack
a Windows Vista laptop last week in the "PWN To OWN" hacker challenge.
Late Wednesday, Adobe also said it had fixed the flaw and would patch the problem
this month.
"After some internal investigation, we found that via our ongoing response
and security testing process we were aware of the issue and had fixed it for
our security update coming in the next Flash Player update later this month,"
said Erick Lee, the manager of Adobe's secure software engineering team, in
a post
to the group's blog.
3Com Inc.'s TippingPoint,
which ponied up the cash prizes awarded for hacking
a MacBook Air and the Vista-powered Fujitsu laptop, acquired the vulnerabilities
as part of the deal and reported them last week to Apple Inc. and Adobe.
At the CanSecWest security conference last Friday, Shane Macaulay of Security
Objectives claimed
a US$5,000 prize by compromising the Fujitsu using an exploit of the Flash
vulnerability Lee said had been known and fixed. According to TippingPoint,
Macaulay took several hours to work up an attack, his difficulties caused by
some of the defense-in-depth measures added by Microsoft to Service Pack 1 of
Vista.
Neither Macaulay nor TippingPoint have discussed the Flash bug in more than
general terms.
Lee downplayed the threat posed by the bug Macaulay used. "Adobe is not
aware of any active exploits in wild," he said. "The security researchers
have reported the information to us responsibly, giving the Flash Player team
time to investigate and deliver a patch."
That patch will be issued as part of a previously scheduled update to Flash
Player which is to, among other things, fix a long-standing problem posed by
.swf files, the Adobe proprietary Shockwave Flash format. The .swf bug, which
was reported
in December by a Google Inc. researcher, has left thousands of Web sites
vulnerable to cross-site scripting attacks.
More than three weeks ago, Adobe
alerted users that a Flash Player update was coming. Although it said the
patches would not affect end users, it warned Web site designers and administrators
that they would need to make numerous changes to how they deliver Shockwave
Flash content or risk their sites "breaking" when the April update
lands on users' desktops.
Adobe was not immediately available to answer questions about when it first
knew of the bug and why it had not released it earlier.
» posted by abennett
Computerworld
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
VMware ESX Server in the Enterprise
By Edward L. Haletky
Published Dec 29, 2007 by Prentice Hall.
Enter now! | Official rules | Sample chapter
Green IT
By Toby Velte, Anthony Velte, Robert C. Elsenpeter
To be published Oct. 10, 2008 by McGraw Hill Professional
Enter now! | Official rules | About the book
