updated 02:20 pm EDT, Wed August 10, 2011
Google engineer claims number of fixes understated
On Tuesday, Adobe released a security update for its Flash plugin. The company claimed the release addressed 13 critical problems. A Google security engineer, Tavis Ormandy, has tweeted that Adobe understated the scope of the patch and the number of security-related bugs was closer to 400.
It's unclear if Adobe intentionally understated the vulnerabilities with Flash Player, or if Ormandy was merely upset that the company had not given him enough credit for his efforts. In its bulletin, Adobe gave specific credit to ten individuals, and identified the flaws which they had brought to its attention. Adobe also gave Ormandy and Google some general recognition, stating "Adobe would also like to thank Tavis Ormandy and the Google Chrome team for their great work on several improvements to this Flash Player release."
Although Ormandy's attitude appears to be his own, it could be representative of some underlying tension between Google and Adobe. "Tavis, please do not confuse sample files with unique vulnerabilities," blogged Wiebke Lips, Adobe's senior manager of corporate communications. "What is Google's agenda here?"
Hints of this stress were visible in Google's announcement of an update for its Chrome browser. Unlike in other browsers, Adobe Player is tightly integrated into the app. It is distributed as an integral component rather than as a separate, downloadable add-on. In its announcement, Google thanked its security team and Ormandy for identifying and resolving "a significant number of vulnerabilities" in the included release of Flash Player.