April 16, 2008

"Flash vulnerability" story

"Flash vulnerability" story: I'm bumping this up to my weblog, because OS News requires membership for comments, and their source, Thomas Ptacek, has not yet published the comment I submitted. The Mark Dowd paper describes an issue which was addressed in the current Player, v9.0.124. None of the numerous paragraphs describing the horrors seems to mention this, and because these blogs don't support open comments, they may not hear unless they get publicly called out on it. It'd be better if they had open conversations on their weblogs, though... would serve their readers better.

Update 9pm PDT: The Ptacek/Matasano link got picked up by Microsoft's Larry Osterman, via Robert Hensing. Neither has advised their readers that this vulnerability is addressed in the current Player. I do not see the full story in comments at OSNews, although Ben Lucyk got it in a trackback there. (Thanks, Ben!)

Check out the comments at Matasano and OSNews... lots of "proprietary garbage" type of prejudice. The reality is that these people are not harvesting information effectively, not analyzing their harvested information effectively, and not responding to feedback effectively.

Update Thu Apr 17 8am PDT: ZDNet Security Blog ran with the story last night. The guy spent paragraphs writing about basketball games and his mother, but never even checked Adobe sources to see the problem was already addressed. He is part of the problem which must be fixed... our world is taken up too much by those who speak too much, yet do not listen, do not question.

(Thanks to "Skila", a member of OSNews, who added in comments "This was fixed in the latest version of Flash Player - released 8 April 2008 so this is olds not news.")

Followup: I got an internal email last night that the ZDNet reporter did mention "new version" down towards the bottom of his text.

Update Sat Apr 19, noon PDT: It seems that most of the conversation now is focusing on the vulnerability in coding practices, rather than the Flash aspects... Computerworld had the "Adobe already fixed it" datum as the first sentence in the fourth paragraph, and with this highlighting, subsequent reporters have followed suit. Even the Slashdot discussion is more about the coding than about the Player.

I want to emphasize that the original discoverer, Mark Dowd, did act in good faith -- he notified Adobe security, and published his whitepaper only after the Player changes were public. He helped everyone by handling this the way he did. (I also understand how the early bloggers were excited by the coding acrobatics, but I wish they had clearly advised concerned readers to keep their software current. The increasing moderation of useful blog comments is a separate issue. No blame, just room for increased openness.)

Update Mon Apr 21 8am PDT: Most of the followup reports do a little bit of research, but today's BBC account is another lengthy personal reaction to the Matasano paper and the new type of coding exploit, and despite its length and extraneous details, does not advise readers that they should just update to the software already available. (Meanwhile, in comments below, the original popularizer wants me to retract that I submitted a comment there which was not published, even though he hasn't published it yet, nor amended the article to include the vital non-inflammatory news that the vulnerability was addressed before the publicity.)

Posted by JohnDowdell at April 16, 2008 2:25 PM