Subscribe to
Computerworld Adobe claims it knew of 'Pwn to Own' bug
Patch done, says security team, but won't be released until later this month
Active Comments
 The Security Zone
With the mobility of employees and the ease with which external devices can be brought in and out of a network, continuing to build your security plan for network servers and clients is a must. Fortunately, there is much that organizations can do to protect themselves from attacks - internal and external. Having the right policies, procedures and server configurations is critical... Learn more in The Security Zone See All Zones
|
April 3, 2008 (Computerworld) Security researchers at Adobe Systems Inc. claimed that they knew of a Flash bug before it was used to crack a Windows Vista laptop last week in the "Pwn to Own" hacker challenge.
Late yesterday, Adobe also said it had fixed the flaw and would patch the problem this month.
"After some internal investigation, we found that via our ongoing response and security testing process, we were aware of the issue and had fixed it for our security update coming in the next Flash Player update later this month," said Erick Lee, the manager of Adobe's secure software engineering team, in a post to the group's blog.
3Com Inc.'s TippingPoint unit, which ponied up the cash prizes awarded for hacking a MacBook Air and the Vista-powered Fujitsu laptop, acquired the vulnerabilities as part of the deal and reported them last week to Apple Inc. and Adobe.
At the CanSecWest security conference last Friday, Shane Macaulay, a consultant at Security Objectives, claimed a $5,000 prize by compromising the Fujitsu Ltd. machine using an exploit of the Flash vulnerability that Lee said had been known and fixed. According to TippingPoint, Macaulay took several hours to work up an attack, his difficulties caused by some of the defense-in-depth measures added by Microsoft Corp. to Service Pack 1 of Vista.
Neither Macaulay nor TippingPoint have discussed the Flash bug in more than general terms.
Lee downplayed the threat posed by the bug Macaulay used. "Adobe is not aware of any active exploits in wild," he said. "The security researchers have reported the information to us responsibly, giving the Flash Player team time to investigate and deliver a patch."
That patch will be issued as part of a previously scheduled update to Flash Player that is to intended to, among other things, fix a longstanding problem posed by .swf files, the Adobe proprietary Shockwave Flash format. The .swf bug, which was reported in December by a Google Inc. researcher, has left thousands of Web sites vulnerable to cross-site scripting attacks.
More than three weeks ago, Adobe alerted users that a Flash Player update was coming. Although it said the patches would not affect end users, it warned Web site designers and administrators that they would need to make numerous changes to how they deliver Shockwave Flash content or risk their sites "breaking" when the April update lands on users' desktops.
Adobe was not immediately available to answer questions about when it first knew of the bug and why it had not released it earlier.
Today's Top Stories
Resource Alerts
Webcasts
Web Threats Don't Discriminate
The Secure Web Gateway. Mission Critical For Business
Dynamic Data Center and Virtualization Drives Operational Excellence at Emory Healthcare
Editor's Picks
Clues point to Jan. 13 release of Windows 7 beta
Microsoft releases Vista SP2 beta
Obama's DHS pick may find support for raising H-1B cap at confirmation hearing
IBM wants info from Apple execs in Papermaster case
License server glitch exposes SonicWall users to e-mail security threats
Report: Former AOL chief exec tries to raise funds to buy Yahoo
 Fired up about IT? Join Sharkbait and share your true tales of IT. SharkBait is the place for you to sound off about everything IT – the good, the bad, and the rest of the weird stuff you deal with every day.New baits 
|
|
 |
|
Patrick Thibodeau: Satellite images of U.S military bases Which is more important? Helping terrorists or protecting military bases? Answer: protecting Web 2.0 ... [more] |
| White Papers  Read up on the latest ideas and technologies from companies that sell hardware, software and services. | ||||||
|
