Adobe Suck
Friday 15th January, 2010 12:54 Comments: 4
A number of people seem to think that Adobe will have a rough year. I'm not surprised, their products seem to have a shocking number of vulnerabilities. But what amazed me was how slow they are at fixing things. Yes, the delay in producing a patch for the Doc.media.newPlayer method vulnerability in Adobe Reader was probably the wrong decision. But if you thought a few weeks was bad, how about this:
Secunia Research 12/01/2010
Microsoft Windows Flash Player Movie Unloading Vulnerability
Before anyone says anything, it's only a Microsoft issue because they included Flash in Windows XP. They didn't make that mistake again in future operating systems.
5) Time Table
18/10/2007 - Vendor notified.
18/10/2007 - Vendor response.
01/11/2007 - Microsoft states that the vulnerability is fixed by the patches released in MS06-069.
02/11/2007 - Vendor informed that MS06-069 does not fix the vulnerability, which was tested against a fully patched system.
23/11/2007 - Vendor contacted (status update requested).
23/01/2008 - Vendor contacted (status update requested again).
05/02/2008 - Vendor informed that due to no response to status requests an advisory will be published in two weeks.
05/02/2008 - Vendor response (vulnerability successfully reproduced and asks for coordinated disclosure).
07/02/2008 - Vendor informed that disclosure will be coordinated.
18/03/2008 - Vendor provides status update.
02/05/2008 - Vendor provides status update (waiting for Adobe).
15/08/2008 - Status update requested.
19/08/2008 - Vendor provides status update (coordinating with Adobe).
15/06/2009 - Status update requested.
22/06/2009 - Vendor response (working on a solution).
20/11/2009 - Status update requested. Vendor also informed that disclosure of the advisory won't be postponed for much longer.
30/11/2009 - Status update requested again.
30/11/2009 - Vendor response (coordinating with Adobe on recommending users to install the latest version of Adobe Flash Player instead).
07/12/2009 - Vendor informed that Secunia has scheduled the advisory for disclosure on 12th January 2010.
15/12/2009 - Vendor response (more time requested along with draft of Secunia advisory).
21/12/2009 - Draft of Secunia Research advisory sent to the vendor. Vendor also informed that disclosure won't be postponed.
07/01/2010 - Vendor informs that an advisory will be released on 12th January 2010 at the same time as the Secunia advisory is published.
12/01/2010 - Public disclosure.
So Adobe have had since 2007 to fix this issue, or at the very least co-ordinate the disclosure in the form of an advisory even if there is no fix. In the end Secunia chose to disclose the vulnerability, which forced Adobe into releasing their own advisory. Sure, most XP users have probably already upgraded to the latest version of Flash 10, but some (especially corporate users?) might be on the old and vulnerable version. Why Adobe? Why? Why does it take you forever (years!) to do anything? Why are your products so buggy? Why?
Fab - Monday 18th January, 2010 13:33
Does not surprise me. I have disliked Adobe products for years now as all I see is that their products are designed to be as inconvenient to the customer as possible! I just wish the general web wouldn't use them, maybe this year there will be a big switch away from them?
I can't see many people moving away from Flash for online videos, especially as it's supported on multiple platforms. Perhaps Silverlight will gain more market share, despite and perhaps more people will move to streaming MPEG4 data. PDF is another matter, perhaps we'll see people move back to RTF as it's arguably safer than Word and PDF files. Or text files, they're pretty safe.
Can't see the RTF or text thing happening. Sadly there just does not seem to be a decent commonly used alternative to PDF. Why did such a supposedly simple document reader become so laggy and bloated? I must abuse Chris about using the things too!
As for flash... Again another program that bloats and lags internet use as well as being useful for online videos. Firefox is actually quite good in the fact that it allows people to block most of the nonsense, I can see increased use of that function simply to protect users against poorly written code designed for the benefit of advertisers rather than the internet user.
Hmm, just spotted that MS dragged their feet a bit with the latest IE patch, the vulnerability had been reported to them on August 26, 2009. It's much less of a risk on IE7/IE8 (especially with DEP enabled), anyone still using IE6 almost deserves to be hacked.