In a follow-up e-mail, a Symantec spokesman spelled it out in more technical detail. "The latest Linux player, when used to open the exploit file, would abruptly exit silently," said the spokesman. "Stack analysis revealed several internally-handled segmentation faults, which is not normally desired behavior for a program." That behavior, in fact, is often a sign of a successful exploit that then uses incorrect offsets or payload code, he added.
"Further research was unable to produce a successful full exploitation and Adobe confirmed that what we had observed was in fact expected and by design," the spokesman said.
For its part, Adobe stuck to its Wednesday claim that the current Flash Player 126.96.36.199 is not vulnerable. "This exploit does not appear to include a new, unpatched vulnerability as has been reported elsewhere," said Adobe spokesman Mark Rozen. "Customers with Flash Player 188.8.131.52 should not be vulnerable to this exploit."
Greenbaum said that spurious results on Windows test systems had also contributed to Symantec's claims that some versions of 184.108.40.206 were at risk. "We were also seeing compromises on the Windows side," he admitted, "on the latest version of Flash that we downloaded from Adobe's site." Later, Symantec's researchers realized that they had not downloaded an additional patch; when they did and retested, they found the Windows edition to be safe.
"We apologize for the confusion," said Greenbaum. But he defended the analysis, noting that changing updates are common in the security trade as researchers spend more time investigating a problem.
Adobe has recommended that Flash users double-check the version they're running and update to 220.127.116.11 if necessary. Adobe maintains an About Flash Player page that displays the current plug-in version from any browser. Users, however, must run the check for each installed browser.
Computerworld is an InfoWorld affiliate.