
Re: Adobe is not willing to fix Flash security issues.

Posted: Wed Feb 10, 2010 9:19 am
by timWebUK
They're a multi-billion dollar company, they're going to concentrate on a beta which will most likely make money.

"I sent them a pretty objective civil email if you ask me, with some light humor. Obviously you are wrong because we all filed bug reports that they promptly ignored."

Well obviously it wasn't as civil as you thought it was:

"We don’t intentionally ignore anyone, but, obviously we’re just people who’d rather investigate issues reported to us professionally." and... "After reading some of your all-caps comments,"

He said it, not me. Your whole email just came across to me as sarcastic and insulting - and I'm impartial, I don't work for Adobe and I haven't been involved in your investigation into the issue. It also came across that you know better than Adobe (even if you do, you won't get what you want if you're arrogant).

Doesn't harm to send a formal, polite email, explaining the issue in depth... if they ignore it, you send another and another and another, not hit caps lock and start insulting Adobe.

Re: Adobe is not willing to fix Flash security issues.

Posted: Wed Feb 10, 2010 1:18 pm
by josh
timWebUK wrote: "We don’t intentionally ignore anyone, but, obviously we’re just people who’d rather investigate issues reported to us professionally."
He wasn't even referring to me man LOL. I wrote to kaleisgreen no wonder Adobe ignored *his* report.
timWebUK wrote: and... "After reading some of your all-caps comments," He said it, not me.
He said it therefore I did it? I like how that works ;-)
timWebUK wrote: if they ignore it, you send another and another and another,
That's a bright idea. Why didn't I think of that? Oh yeah I did. Only after 4 months of daily emails did I post it on the forum ONCE with an all caps thread title. Wow I'm so unprofessional and that somehow justifies Adobe's ignoring the issue. Yeah, right.

Anyways that guy wrote back. He basically said he empathizes and sides with us. Says he's always the one being confrontational about issues. Thinks Adobe will lose $ from their ignoring of this very issue. He tried to escalate it but all he could do was "get some guy in a cubicle to give a canned response". Sad.

Latest response from Mr Anon
“I think it's funny also that your co-workers ignored my initial civil bug report. Then ignored my follow up ones that contained the all caps. Then *after* we raised a ruckus on the forums you finally come along and get them to kick it around some more.”

Yeah that is truly lame. The Adobe brand is suffering tremendously, in my opinion, because this company has disconnected from users and customers.

But it wasn’t because you raised more and more hell that I responded. It’s worse than that. I was going through some bugs and just happened to see your reports. If I hadn’t responded then likely you would never have heard a damn thing. Totally unacceptable.

I started off here when things were Macromedia. I was doing developer customer support, and I totally loved the connection with people. Over the years, I believe Adobe has lost that.

“You understand CSRF (cross site request forgery) right?
You understand from my earlier email that the not sending of the content type header allows CSRF?
And you understand that CSRF is a major security flaw.
And you understand that other web technologies ignoring of the content-type header does not justify Adobe willingly introducing a CSRF vulnerability onto people's websites?”

As I said, my security-related experience is limited – limited to ************ security on some of our ******** products. And since these products were halted long before release, I never got the opportunity to really put security through the wringer. So, you can certainly fault me for responding to a security report without the proper security background, but I definitely thought I could take the issue to them and get some serious consideration on the matter.

I like how succinct you put the issue above. I’ll try a wide email list blast to see if anyone else can help out.

- Mr Anon

Re: Adobe is not willing to fix Flash security issues.

Posted: Thu Feb 11, 2010 6:07 am
by kaisellgren
I don't care much about this any longer, but I really love that they are aware of the issue yet have a couple of sites vulnerable to this. I've gotten 8 serials (worth about $9600) from Adobe customers so far, just to see how beneficial the issue could be. I haven't done any damage and I have no intention to do so, but someone eventually will.

Re: Adobe is not willing to fix Flash security issues.

Posted: Wed Feb 17, 2010 12:34 am
by John Cartwright
Just wanted to post a relevant link about upcoming versions:

http://blogs.pcmag.com/securitywatch/20 ... suppor.php