Adobe Systems Inc. apologized over the weekend for letting a 16-month-old bug in Flash Player languish without a patch, even though it updated the popular plug-in four times since the flaw was reported.
The bug was fixed, said Adobe, in the beta of Flash Player 10.1, which was released last November. The final version of Flash Player 10.1, however, will not ship until later this year.
Security researcher Matthew Dempsky first reported the Flash vulnerability Sept. 22, 2008, according to Adobe's public bug tracking database. When exploited, the flaw causes Internet Explorer 6 and 7, and Firefox and Safari 3 to crash; in other browsers, the browser stays up while Flash Player goes down.
Although browser and plug-in crashes may seem reƖative innocuous, they're valuable to attackers, who are often able to devise a way to inject malicious code after an application's crash, said Andrew Storms, director of security operations at nCircle Network Security Inc.
More: http://www.computerworld.com/s/article/9153520/
The bug was fixed, said Adobe, in the beta of Flash Player 10.1, which was released last November. The final version of Flash Player 10.1, however, will not ship until later this year.
Security researcher Matthew Dempsky first reported the Flash vulnerability Sept. 22, 2008, according to Adobe's public bug tracking database. When exploited, the flaw causes Internet Explorer 6 and 7, and Firefox and Safari 3 to crash; in other browsers, the browser stays up while Flash Player goes down.
Although browser and plug-in crashes may seem reƖative innocuous, they're valuable to attackers, who are often able to devise a way to inject malicious code after an application's crash, said Andrew Storms, director of security operations at nCircle Network Security Inc.
More: http://www.computerworld.com/s/article/9153520/