Has Adobe patched Dempsky Flash bug? Not really…
An Adobe employee commented on a Mac Blorge article about the Dempsky (JIRA FP-677, a.k.a. CVE-2008-4546) Flash Player bug, saying that the issue had been remedied. Although there’s a patch out there, it seems that few know about it and that fewer still have installed it.
On Feb. 8, Mac Blorge reported on a longstanding Flash Player bug, first uncovered by Matthew Dempsky back in September 2008, that can crash any browser on Mac, Linux and Windows. I said that the bug remained unpatched.
In a comment on this story, Adobe’s John Dowdell stated that the issue has been patched in Flash Player 10.1 beta, referencing a blog post from Emmy Huang (product manager, Flash Player) as proof thereof.
As has been pointed out by the community, there is an existing crash bug that was reported by Matthew Dempsky in the Flash Player bugbase (JIRA FP-677 a.k.a. CVE-2008-4546) in September of 2008 that still exists in the release players. It is fixed in Flash Player 10.1 beta, and has been since we launched the beta in early November 2009 [Ed — Since updated to beta 2]
Dowdell also snarkily quipped that I should check my facts before publishing such egregiously wrong information.
If a tree falls in the forest…
Well, there’s a big difference between making a patch “available” and pushing it out to users and encouraging them to actually download and install it. Much like the polio vaccine, the cure is only good if everyone, or nearly everyone, has gotten the medicine.
As it stands, Flash Player 10.1 beta isn’t what Adobe is officially telling users to download. In fact, on the Download Flash page that one arrives at directly from the Adobe homepage, the company only lists v10.0.45.2 (the current shipping version). Additionally, there is no mention of the JIRA FP-677 (CVE-2008-4546) issue, nor any link or reference telling users that they should seek out Flash Player 10.1 beta 2 in order to close this long-known attack vector.
Furthermore, the final version of Flash Player 10.1 isn’t scheduled to arrive until the summer, and Adobe hasn’t said whether or not it will provide a patch for JIRA FP-677 (CVE-2008-4546) in an interim update. So, if you’re hoping that Adobe proper will push a more secure version of Flash Player, you’re obviously going to have to wait or take matters into your own hands.
…makes no sound
Evidence that users aren’t getting this needed update comes from Stat Owl, whose posted January data doesn’t register Flash Player 10.1 beta usage at all, meaning that users of this one “securish” version of the plugin didn’t yet represent 0.1 percent of the overall market. So, whereas v10.0.42 — the most recent version for which there is data — showed rapid adoption from December through January, v10.1 beta — which began shipping in November — hadn’t yet squeaked into view.
So, yes, there is a patch for the JIRA FP-677 (CVE-2008-4546) issue, and you can find and download it via the link provided above.
Nevertheless, for Dowdell and Huang to conclusively say the threat had been addressed even as Adobe proper continues to point users to an unpatched and thereby insecure version of Flash Player seems more than a little disingenuous…
What’s your take?