So is the argument that Google should leave the vulnerability unpatched in its own browser until Adobe get around to patching it in their plugin for other browsers, so as not to publicize the existence of a vulnerability?<p>What if they have detected black hats exploiting the vulnerability. Should they sit on a fix?<p>What if they were building their own implementation of a programming language or tool. For example, what if they found a bug in JS that could be used to exploit browsers. Arethey allowed to fix the implementation in V8 or must they sit on it until everyone else patches JS in their browsers?<p>(These are sincere questions, not rhetoric. I am not a security professional, and I am fully aware that some things are more complicated in practice than they may appear from the comfort of an arm chair.)
Google probably didn't do it for fun but rather because it was being exploited in the wild and they were unwilling to delay protection for their users. As a user I appreciate this. Adobe needs to get their patch cycle and updating to Google's level ASAP.
What BS:<p>> <i>"Even Google isn't well-served by this; not everyone updates their Chrome version immediately, especially updates like this one which require that you restart the browser (and all running browser instances)."</i><p>Protip: Updating Flash requires the same thing. In fact, updating Flash will shut down <i>all kinds</i> of apps you have running, including <i>all</i> Flash-capable browsers and even some Flash-reliant native apps.
This is another area of the disclosure debate that will never get solved.<p>The only new thing here is the staggered updates. This article takes the stance that this is a bad practice, and operates off of the assumption that malicious users will use the patch to create an exploit. The flip side is, of course, that there already is an exploit in the wild and now chrome users are safe.<p>The reality of the situation is that both are true. Someone malicious already has the 0day and someone is going to reverse engineer the patch. You'll never know which is the better option short of scanning every single.swf, trafficked over every protocol on the internet to do a statistical analysis of the incidence rate prior to releasing the patch as well as attempting to predict how many new malicious swfs will pop up after the patch before adobe releases. Oh and predict the patch application rate, as well as the probability of exploited users along the long tail.<p>Oh, and thats only if your definition of "best" is least users compromised.<p>What about the relative value of targets as a factor in determining which patch release strategy is the better option. The RSA attack used a flash exploit embedded in an xls. Is 500 patched boxes at a hypothetical-RSA averting an attack worth 500,000 grandmas slow on the upgrade train compromised?<p>Welcome to the world of responsible disclosure. Its easy to understand how to maximize damage, minimizing it damn tricky.
I think it would serve the web well if Google bought Flash from Adobe and simply integrated an ActionScript 3.0 rendering engine into WebKit as an alternative language to Javascript.
They clarified their responsible disclosure policy here in 2010:<p><a href="http://googleonlinesecurity.blogspot.com/2010/07/rebooting-responsible-disclosure-focus.html" rel="nofollow">http://googleonlinesecurity.blogspot.com/2010/07/rebooting-r...</a><p>(tl;dr: 60 days for the vendor to it fix it).<p>Would like to know if they followed it in this case.
If it's a zero day vulnerability then the method to exploit it <i>is already in the wild</i>. Anyway, if this is anything like some of the previous vulnerabilities that chrome patched a few days before Adobe, it's just a case of Adobe's code going through a faster SQA process at google than it does at Adobe. Adobe obviously doesn't have a problem with the practice, so why should PC mag?