I'll walk you through how that worked out. It was about 10am, east coast time, on a Friday morning and a company contacted us, who we have a relationship with. They said we have seen this sample, it looks new, you might want to look into it.'
We took the sample and started working on it. We verified that this was a new problem and not a known bug that had impacted an old version. We said OK this is a zero-day, let's figure out where the flaw is and then figure out a response plan.'
We worked over the weekend to first identify the line of the code where the flaw was and develop a fix, test the fix to make sure it works, look around the code to see if there is anything similar that we need to fix, because we don't want to fix a problem and see that there is another one behind it.
So we did all of that work over the weekend and then once the code was set, the next step is getting the patch out to users. We have to test Flash Player inside a browser on top of a platform and there are 60 different combinations so it has to work on every single one.
On Monday we published the advisory saying we are aware of this issue and here is the schedule for the fix.' Then we continued to work on doing the patching.
On that Friday we finished testing Google Chrome on Windows, Linux and Mac and because Google Chrome has Flash Player bundled inside it we used a Chrome updater working with Google to push that patch out to users. So that came out Friday evening.
For a normal security update that is not an urgent situation we ship the patch for all platforms on the same day. This was a zero-day situation, we didn't want to delay getting a fix out and there is no benefit to users doing it all synchronised.
On the following Monday we were able to post the update for all users.
What was behind Adobe's decision to join the Microsoft Active Protections Program (MAPP) (a vulnerability information-sharing initiative)?
Microsoft launched the Active Protections Program publicly in 2008 and in early 2009 we started piloting different forms of information sharing with security vendors.
That pilot gave us a lot of feedback about how we could do the whole program. The feedback consistently was do more things like MAPP so we talked to Microsoft to learn about how they do MAPP and it made a lot of sense to just partner with Microsoft rather than reinvent the wheel.
The goal there, when we made announcement over the summer that we were publicly going to do that and started rolling information out through that chain this Fall, was rather than creating a second information channel to the security vendors, let's leverage something that is proven to work.
What have the benefits been of joining MAPP
It has been a positive step for us and it is something that is leveraging what we were doing around information sharing before. We are leveraging all the lessons learned that Microsoft has improved on in the last couple of years.
