Safari's 'disable Flash' feature does less than it promises

Summary: This week Apple rolled out a new version of Safari and announced that the update will "disable out-of-date versions of Adobe Flash Player." Too bad the actual update doesn't do what it promises.

This week Apple rolled out a new version of Safari that includes a security-related feature aimed at Mac OS X 10.6 (Snow Leopard) and OS X Lion.

If you read Apple's official announcement, you might think that Safari 5.1.7 will protect you from exploits that target vulnerabilities in outdated versions of Adobe Flash Player. That would be a fine feature indeed, except that Apple's more detailed documentation says it does no such thing.

Here’s the description from the support bulletin describing the new release:

About Safari 5.1.7

Safari 5.1.7 for OS X Lion and Safari 5.1.7 for OS X Snow Leopard disable out-of-date versions of Adobe Flash Player.

Out-of-date versions of Adobe Flash Player do not include the latest security updates and will be disabled to help keep your Mac secure. If Safari 5.1.7 detects an out-of-date version of Flash Player on your system, you will see a dialog informing you that Flash Player has been disabled. The dialog provides the option to go directly to Adobe's website, where you can download and install an updated version of Flash Player.

That certainly sounds definitive. Safari 5.1.7 will "disable out-of-date versions of Adobe Flash Player." No qualifiers, no exceptions listed.

But hold the phone:

The text I just quoted is from Apple’s support document HT5271. That document does not link to the separate, more detailed bulletin (HT5282) titled “About the security content of Safari 5.1.7,” which includes this short paragraph at the end:

Note: In addition, this update disables Adobe Flash Player if it is older than 10.1.102.64 by moving its files to a new directory. This update presents the option to install an updated version of Flash Player from the Adobe website.

Well, that's very different. If you have an out-of-date version of Adobe Flash Player installed on your Mac, it will be disabled only if its version number is earlier than 10.1.102.64.

That version was released for OS X and delivered via Apple Software Update as part of Mac OS X 10.6.5 and Security Update 2010-007 on November 10, 2010.

In other words, if you installed Flash Player 10.1.102.64 on your Mac in November 2010 (or later), Apple considers your installation “up to date.”

That was more than 18 months ago. Since that time, Adobe has delivered 17 Flash Player updates that affected the Windows, Macintosh, and Linux platforms. (Back in March I assembled an up-to-date list, which you can check for yourself.)

The most recent Flash Player update was released on May 4. If you have not yet installed version 11.2.202.235, on whatever platform you use, your Adobe Flash Player is out of date.

If you last updated Flash in early 2011, you could be 16 versions behind. And yet, despite the seemingly definitive, no-qualifiers-included statement in that Apple security bulletin, Safari 5.1.7 will not disable your out-of-date version of Flash Player.
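As an added illustration (not part of the article and not Apple's or Adobe's code), the following Python check compares an installed Flash Player version against the two numbers the article discusses: Apple's 10.1.102.64 cutoff and Adobe's then-current 11.2.202.235. The installed versions it tests are constructed samples, and it compares version fields numerically, because comparing dotted version strings as text gives wrong answers.

```python
# Added example: classify Flash Player versions against the thresholds the
# article quotes. The sample "installed" versions below are constructed, not
# real inventory data.

SAFARI_517_THRESHOLD = "10.1.102.64"    # Safari 5.1.7 disables anything older
ADOBE_LATEST_MAY_2012 = "11.2.202.235"  # current Flash Player as of May 4, 2012


def parse_version(text):
    """Turn '10.1.102.64' into (10, 1, 102, 64) so comparison is numeric.

    Missing trailing fields are padded with zeros, so '10.3' == '10.3.0.0'.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError("unexpected Flash version format: %r" % text)
    return tuple(parts + [0] * (4 - len(parts)))


def safari_517_disables(installed):
    """True if Safari 5.1.7 would move this Flash Player's files aside."""
    return parse_version(installed) < parse_version(SAFARI_517_THRESHOLD)


def is_out_of_date(installed, latest=ADOBE_LATEST_MAY_2012):
    """True if the installed build is older than Adobe's current release."""
    return parse_version(installed) < parse_version(latest)


def classify(installed):
    """Summarise the gap the article describes for one installed version."""
    disabled = safari_517_disables(installed)
    stale = is_out_of_date(installed)
    return {
        "version": installed,
        "disabled_by_safari": disabled,
        "out_of_date": stale,
        # the interesting case: out of date, yet Safari leaves it enabled
        "unprotected": stale and not disabled,
    }


def naive_string_compare(a, b):
    """Lexicographic comparison: the wrong way to compare version strings."""
    return a < b


if __name__ == "__main__":
    # Constructed sample inventory of installed Flash Player versions.
    for v in ["10.0.45.2", "10.1.102.64", "10.3.183.10", "11.2.202.235"]:
        print(classify(v))
    # The pitfall: as strings, "10.1.102.64" sorts before "9.0.0.0".
    print(naive_string_compare("10.1.102.64", "9.0.0.0"))
```

Only the first sample version is disabled by Safari 5.1.7; the middle two are out of date but left enabled, which is the gap the article describes.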

What’s going on here?

Flash Player 10.1.102.64 is indeed a major milestone release, the last version that Apple delivered via its own update mechanisms. Beginning in October 2010, Apple stopped bundling Flash Player with new Macs and required Mac users to get updates directly from Adobe.

With that November 2010 update, Apple officially washed its hands of any responsibility for Flash Player, even on systems where it installed and delivered the software originally.

This week’s announcement is bizarre. Any reasonable person who reads it will think, justifiably, that Apple has stepped boldly into the breach to protect Safari users and block them from falling prey to potentially outdated Flash Player versions. But that's not the way it works.

It's a mystery to me why Apple chose to make this change or to announce it in such a misleading way. My guess is that in the wake of the Flashback debacle someone in Cupertino looked at the company’s potential liability for older versions of the Flash Player that it delivered and decided that something had to be done. This was the solution they chose.

Actually, it’s a shame that Apple didn’t do with Safari 5.1.7 what bulletin HT5271 says they are doing. Windows users finally have an auto-update mechanism for Flash Player, which means (at least in theory) that security updates are delivered within 24 hours of their release by Adobe. OS X users don’t yet have a comparable mechanism (Adobe says they’re working on it), so a warning delivered within the browser would be a good thing.

Meanwhile, the Flash Player code in Google’s Chrome browser is automatically updated along with the browser itself. If you use Chrome on a Mac, you don’t need to worry about vulnerabilities in out-of-date Flash Player versions.

Talkback

29 comments
  • Why did Apple not disable Flash Player versions prior to version 10.3?

    Adobe added auto-update notification to Flash Player 10.3 on OS X back in May, 2011. Flash Player version 10.1.102.64 precedes Adobe's auto-update notification. Ouch!

    More here:

    http://blogs.adobe.com/asset/2011/05/advancing-flash-player-privacy-and-security.html
    Rabid Howler Monkey
  • Because

    Apple is making sure you're not running an old version that they, Apple, installed. If you personally installed a later version then it was up to you to keep it updated. Not wonderful but not a bad position.

    Personally for those of us supporting multiple computers in businesses these silent auto updates are creating problems. Just wait till the owner/partner's presentation suddenly goes haywire hours before the big presentation to the potential multi-million $ contract. Been there. Have the hat.
    raleighthings
    • If that's what they're doing, they should say so

      That's not what they say. "Safari 5.1.7 for OS X Lion and Safari 5.1.7 for OS X Snow Leopard disable out-of-date versions of Adobe Flash Player. ... Out-of-date versions of Adobe Flash Player do not include the latest security updates and will be disabled to help keep your Mac secure."

      Meanwhile, just wait till the owner/partner's machine is pwned by a Flash-based exploit and his bank account is suddenly drained hours after the big deposit of the multi-million $ check...
      Ed Bott
      • Yes but there's a difference

        "Meanwhile, just wait till the owner/partner's machine is pwned by a Flash-based exploit and his bank account is suddenly drained hours after the big deposit of the multi-million $ check... "

        It will happen because of actions taken by THEM or their support staff. NOT by Apple.

        As I said, Apple is removing what they did. If you put in something later it is your responsibility to clean it up.

        Now could Apple change Safari to do better checking? Yes. But at what cost. These constant "XXXXXXX is out of date and should be replaced immediately..." messages are making more and more business (and home) users turn them off. And the silent updates of the day that make you relearn your browser buttons, break your bank's web site, whatever, are doing much of the same. Want to see some folks throw a fit, have something critical to their life stop working because of a silent update. Also have the hat for that one. Along with a lost night of sleep recently. And the updates fixed nothing for them that would have been a problem.

        We're in a broken process and there's no easy way out as all the best practices mean everyone has to stand up and say we've been wrong for the last 10 or 20 years. And no company is going to hand that marketing slogan to their competitors.
        raleighthings
      • I agree with you, Ed.

        The lawyers wrote this one. It is better than nothing but the misleading statements are for the 24th circle of hell.
        techvet
      • @raleighthings, you just don't get it

        You say, "As I said, Apple is removing what they did."

        No. They are not. They are LEAVING what they did. They installed 10.1.102.64. IT IS HORRIBLY OUT OF DATE AND INSECURE. And yet they are leaving it installed while claiming to disable "out-of-date versions of Flash."

        It's really hard to defend this one. You're going to need to work much, much harder.
        Ed Bott
    • I wonder what problems exactly

      Whilst Java update might break functionality, I am not aware of breaking functionality on flash player.
      sjaak327
  • Embarrassing!

    This is worse than any security "response" I've heard from any other vendor over the years.

    On the other hand, it's exactly like Apple. Smoke and Mirrors. It's not technically a lie, but it's deceitful at the same time to suggest that it will really protect users.

    Meanwhile, I've been sharing these articles with Mac-loving friends, and they all make excuses about how it's either false or they just ignore it as if it will never happen to them.

    I guess it must be nice to live with your head buried in the sand.
    GoodThings2Life
    • Unless they are really patient with you

      They'll probably start avoiding you, being as obnoxious as you claim to be. What a hero, well, no.
      ego.sum.stig
      • My thoughts exactly......

        Ed and most of you commenters seem to be the experts, so please direct me toward a site known to cause malice. I haven't encountered bugs on any of my Macs (never) or my Windows machine since around 2002 or 03. If it's really that dangerous I want to know where the bad activity is at. I have a few friends who use Mac and many more (no surprise) using Windows; neither has seen any of the dangers you describe in years and most of the people on Macs are either not that concerned or feel you downright lie. Please provide us proof of the virus and let us know what site or sites are most likely to give us the virus. None of us have encountered anything in the wild.
        partman1969@...
  • I somehow

    Got 10.3 something on Mountain Lion DP3 (12A193i). If I remember correctly, this was the flash player that YouTube linked me to. That is indeed also an older version; you would expect that a freshly downloaded flash player would indeed be the latest one!

    Anyway, the more recent flash control panel applet (or preference pane on OSX) is a step forward but... why the hell doesn't it update the flash player (kind of like the Java control panel applet) when you press the check now button? Now it redirects you to the about flash player page on Adobe's website where they list the most recent version per platform, and you then are given a link to update the player. It would have been much better if the check now button checked the installed version against the latest version, and if different updated it without the user having to manually click a few times.
    sjaak327
    • Flash v10 is still supported

      Flash v10 is frozen at a final build, 10.3.183.10 I believe.

      I certainly wouldn't use it unless I had a compelling reason, and it's odd not to be offering version 11.
      Ed Bott
      • RE: Flash v10 is still supported

        Flash Player 11 is supported only on OS X 10.6 and 10.7. It does not support OS X 10.4 and 10.5. Flash Player 10.3 is the only option for OS X 10.4 and 10.5. More here:

        "Why does Flash Player prompt me to install an incompatible version on Mac?"
        Dec 1, 2011
        http://forums.adobe.com/thread/931724

        Is Adobe still maintaining Flash Player 10.3 for OS X 10.4 or 10.5? I don't know, but one can still download it.

        If one is running OS X 10.4 or 10.5, it's time to upgrade OS X or buy a new Mac, if one can. There are no more Apple security updates, including Java security updates (per Ed's recent blog articles).

        P.S. Flash Player 10.3.183.10 was released in September, 2011.
        Rabid Howler Monkey
  • Umm, Ed .. my Adobe Flash player has a Check for updates automatically

    feature. This is not the same, I guess, that you meant for Windows users of Flash. (My understanding of your wording is that there is NO action required by a Windows user to update his Flash plugin. And that this Flash update mechanism for Windows users operates in the background without giving any warning that it is happening. Is that correct?)

    On my Lion OS X system (with Flash plugin 11.2.202.235), I have had several Adobe Flash update action requestor windows pop up announcing an update is available and then I am given the option to go ahead and update Flash. As a user, I have to manually click on the update button to initiate this update process.

    Actually, I prefer this method better than having updates occur in the background without a user's knowledge (like Google's Chrome browser).

    PS .. I'm not sure which version of OS X Flash enabled automatic checking for updates but I have updated my version of Flash several times using the above described process.
    kenosha77a
    • Different things

      Both Windows and Mac versions of Flash got update notifications starting in May 2011, with 10.3.181.14. That was five updates after the version targeted in this Safari update.

      Beginning in March 2012, the Windows version of Flash offers users the ability to update automatically. It's an opt-in feature. If you look at the screens from my earlier posts, you'll see that the user can choose to download but not install automatically:

      http://i.zdnet.com/blogs/eb-flash-auto-updater.png

      http://i.zdnet.com/blogs/eb-flash-auto-update-settings.png

      The trouble with notifications alone is that many people ignore them because they're annoying. The auto-updates don't require a reboot and are the ideal solution for nontechnical users who are most likely to ignore anything that forces them to download and install something manually.

      For sophisticated users who prefer to install updates on their own terms, that option remains.

      Automatic updates similar to the feature as implemented in Windows will be included for Macs in a future release of Flash Player.
      Ed Bott
      • It must be hard sometimes.

        I've never had a job where some people disagreed with everything I said for no other reason than it was me that said it. What's that like?

        Why don't you write about the sun rising in the morning. The same pinheads will call you a lying Microsoft shill, say you have no idea what you're talking about, and that Apple invented the concept of AM sunshine.
        pishaw
  • And Apple's teething problems continue

    This smacks of MS Swiss cheese fondue (en francais: deja vu) all over again. Only they're coming to grips with these PITA responsibility ropes a decade later. I guess it proves, as in all things, what goes around comes around, eventually.

    Wonder what the latest "Get a Mac" advert would look like circa 2012. Would the bumbling PC be giving the unflappable Mac a tip or two on how to circle the wagons effectively? Would Mac listen -- or simply resort to another snarky (but very hip) quip? Odd how fiction can mirror facts in the real world, even when reversed.

    Welcome to the security big leagues Cupertino. With all your recent coups, you earned it. ;)
    klumper
    • PC would turn to Mac and Say

      Flash blows, right?

      Mac: Amen. And what's with the mustache. You're looking like a deranged millionaire.
      DannyO_0x98
    • Justin Long would be sporting a few bruises and bandages

      --
      Patanjali
  • Not Sure

    Since I have been keeping up with Flash updates, the gap doesn't affect me. But, Flash is an Adobe product, Apple stopped bundling in Flash with Snow Leopard, and the unilateral removal of obsolete Flash from those systems would break the web for those who use Safari and who didn't pay attention to keeping Flash updated. When all is said and done, what percent of the install base would be affected by Apple going a different way?

    Also, doesn't moving the plug-in initiate the request for a new download when a Flash-powered site is visited? Should Apple really be deleting user files?

    Way back when, we had a comment meme that went like this: Microsoft would do something about security, someone would complain, and the rejoinder was "Well, you'd criticize Microsoft if they didn't do this... Microsoft can't win."

    I don't know if this is the same, but Apple did something and you, for good reasons, preferred they do something else, but I don't think you have the cost-benefit calculations nor have thought about the consequences of full removal. Did Adobe pay for Flash's inclusion? Did Apple pay? If someone paid, there was a contract and, climbing further out on a speculative limb, a contract may be exerting some force over this less than ideal situation.

    In the Rime of the Ancient Apple User, Flash will make a good update for an albatross. I wonder if there's a class action suit to be pursued on behalf of me and fellow Mac users whose fans wore out early from Flash's CPU hoggery.
    DannyO_0x98