Adobe patched 13 critical bugs in its nearly-ubiquitous Flash Player this week, but came under quick criticism from a security engineer who works for Google, a close partner of Adobe.
Although Adobe listed a baker's dozen of bugs fixed in the patched Flash, Google employee Tavis Ormandy took to Twitter to contest that number. "Adobe patched around 400 unique vulnerabilities I had sent them in APSB11-21 as part of an ongoing security audit," Ormandy said on Twitter. "Not a typo."
APSB11-21 is Adobe's designation for the security bulletin that accompanied the revised Flash Player.
Lack of credit
Ormandy was apparently upset that he was not credited for his bug reports in the bulletin, which while giving a nod to 10 researchers, said of Google and Ormandy only that "Adobe would also like to thank Tavis Ormandy and the Google Chrome team for their great work on several improvements to this Flash Player release."
In response to Ormandy's first tweet on the topic, Adobe's senior manager of corporate communications, Wiebke Lips, also used the micro-blogging service. "Tavis, please do not confuse sample files with unique vulnerabilities. What is Google's agenda here?" asked Lips.
"I don't know what Google's agenda is, but my agenda is getting credit for my work and getting vulnerabilities documented," countered Ormandy, who in a follow-up message, accused Adobe of trying to " bury the results" because his tally of 400 was "embarrassingly high." He also promised to issue his own advisory later.
Others chimed in as well with their own observations.
"Google's laissez-faire mentality with regard to @taviso's personal research leads to some hilarious situations. It is fun to watch," said Aaron Portnoy, manager of HP's TippingPoint security research team, in a twitter post of his own.
As Portnoy hinted, Ormandy is no stranger to controversy. Last year, Ormandy and Microsoft traded shots when he went public with a zero-day vulnerability he'd uncovered in Windows XP before Microsoft was able to rush out a patch.
There were clues earlier in the day of a possible spat between Google and Adobe. Several hours before Adobe released the Flash Player update, Google released new versions of the "stable" and "beta" builds of Chrome 13 and Chrome 14. Both included a patched version of Flash Player.
On the blog announcing the new versions of Chrome, Google said, "The Chrome Team would especially like to thank Tavis Ormandy, the Google Security Team and Google for donating a large amount of time and compute power to identify a significant number of vulnerabilities resolved in this release of Flash Player."
When asked to jibe Google's statement of identifying "a significant number of vulnerabilities" with Adobe's note that Google and Ormandy contributed "several improvements" to Flash, Lips responded.
"We regularly work with security vendors and other key partners (including Google) on projects and treat the improvements made as a result of those projects as internal findings," Lips said. "It is our policy not to disclose details about internal findings in our security bulletins."
Holding hands with Google
She also said, "Adobe has an ongoing cooperation with Google," and added that her company "greatly appreciates the assistance of the Google Chrome team." Google has been packaging Flash with Chrome since April 2010, and remains the only browser maker to bundle the plugin with its own releases.
This Flash update was the first since Adobe pushed out a pair of emergency fixes two months ago. Adobe has patched Flash seven times so far this year.
In the APSB11-21 security bulletin, Adobe tersely listed the 13 vulnerabilities, describing five as "memory corruption" bugs, another five as "buffer overflows" and three as "integer overflows." All are considered critical, Adobe said, adding that it is not aware of active exploits for any of the bugs.
Like Apple, Adobe doesn't rate flaws with a set threat scoring system. Instead, it uses the phrase "could lead to remote code execution" to tag vulnerabilities that if successfully exploited, could let hackers plant malware on the computer or device.
Adobe credited 10 different researchers for reporting as many vulnerabilities.