Friday, September 17, 2010

CVE-2010-2884: Flash 0-Day Patched in Chrome 6.0.472.62

http://www.adobe.com/support/security/advisories/apsa10-03.html

We now expect to provide an update for Adobe Flash Player for Windows, Macintosh, Linux, Solaris, and Android operating systems on Monday September 20, 2010. A fix is now available for Google Chrome users. Chrome users can update to Chrome 6.0.472.62. To verify your current Chrome version number and update if necessary, follow the instructions here. We expect to provide updates for Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 for Windows and Macintosh during the week of October 4, 2010.

-----------------------------------------------------------------------------------------------------------------

Why does Google Chrome have a fix before everyone else?

Brad Arkin, Senior Director, Product Security & Privacy for Adobe Systems, answered just that question on Twitter tonight.

According to Brad, it is simply a question of regression testing.

Remember back in March, when it was announced that Adobe Flash would be built into Google Chrome? Well, this is one of the possible effects...

Chrome is supported on 3 platforms and Adobe Flash supports 60 platforms. Fewer platforms means less testing, which means less time needed for regression testing of patches.

As Brad points out in this tweet, in a 0day situation, Adobe doesn't want to hold back a fix for Chrome users just because it is still testing an updated Adobe Flash Player.

The results? Chrome gets its fix first.
