Apple gives Mac users vulnerable Flash Player plugin

The Adobe Flash Player plugin that was included in yesterday's Mac OS X software update contains multiple vulnerabilities that expose users to malicious hacker attacks.

Apple shipped a new Flash Player plugin (10.0.45.2) in the Mac OS X patch bundle but that version became outdated on June 10th when Adobe shipped Flash Player 10.1.53.64.

The Flash Player 10.0.45.2 software contains 32 vulnerabilities, most rated "critical." At least one of those flaws has been exploited on the Windows platform.

Apple's outdated Flash Player plugin problem was flagged publicly by Adobe's Wendy Poland:

Earlier today, Apple released security update 2010-004 / Mac OS X v10.6.4. This update includes an earlier version of Adobe Flash Player (version 10.0.45.2) than available from Adobe.com. While the Mac OS X v10.6.4 update does not appear to downgrade users who have already upgraded to Adobe Flash Player 10.1, Adobe recommends users verify they are using the latest, most secure version of Flash Player (10.1.53.64) available for download from http://www.adobe.com/go/getflashplayer.

To verify the Adobe Flash Player version number installed on your system (after applying the Mac OS X security update), Mac users can go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu.

If you use multiple browsers, Poland recommends you perform the check for each browser you have installed on your system.
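Run across several browsers, the check described above is a numeric dotted-version comparison against 10.1.53.64. The script below is an added example, not code from Adobe, Apple or the original article: the function names and the browser inventory are constructed, and `should_install` only models the no-downgrade behaviour the advisory describes.

```shell
#!/bin/sh
# Fixed release named in the advisory quoted above.
FIXED="10.1.53.64"

# ver_lt A B: succeed when dotted version A is older than B.
# Fields are compared as integers (assumes purely numeric fields), so
# 10.0.45.2 < 10.1.53.64 and 10.9.0.0 < 10.10.0.0; missing fields count as 0.
ver_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        if [ "$a" = "$fa" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$fb" ]; then b=""; else b=${b#*.}; fi
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then return 0; fi
        if [ "$fa" -gt "$fb" ]; then return 1; fi
    done
    return 1   # equal versions are not "older"
}

# should_install BUNDLED INSTALLED: hypothetical model of a no-downgrade rule.
# Install only when nothing is present or the present copy is older.
should_install() {
    bundled=$1 installed=$2
    if [ -z "$installed" ] || ver_lt "$installed" "$bundled"; then
        echo install
    else
        echo skip
    fi
}

# audit: read "browser version" lines on stdin, one verdict per browser.
audit() {
    while read -r browser version; do
        if [ -z "$browser" ]; then continue; fi
        if ver_lt "$version" "$FIXED"; then
            echo "$browser $version OUTDATED"
        else
            echo "$browser $version ok"
        fi
    done
}

# Constructed sample: versions as read from each browser's About Flash Player page.
SAMPLE="Safari 10.0.45.2
Firefox 10.1.53.64"

printf '%s\n' "$SAMPLE" | audit
```

A plain string comparison would get cases such as 10.9 versus 10.10 wrong, which is why each field is compared as an integer.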

Talkback

71 comments
  • This is Apple's fault and Apple's fault alone

    If Apple includes Flash by default, Apple takes responsibility for all of Flash's problems. End of story.
    NonZealot
    • RE: Adobe gives Mac users vulnerable Flash Player plugin

      @NonZealot

      Wrong. Apple didn't do anything wrong here. They prepped their release of their security update, which included the latest, Apple Tested version of Flash at the time. They were smart enough to NOT update the local flash version if it was a newer version than what they were going to install. I installed 10.1 the other day and 10.6.4 yesterday, and my flash version did not change.

      Just because Adobe finds an issue after Apple has prepped and tested their update, doesn't mean Apple has to go back now and delay their release so they can integrate the new version of Flash, then submit it back to their testers to make sure nothing new breaks.

      Again, Apple checks the already installed version and does NOT downgrade it. If you had a vulnerable version before, you have it still. If you updated your flash, you're OK.

      This is either Adobe being cautious, or trying to point fingers at Apple, or a little of both.
      tk_77
      • RE: Adobe gives Mac users vulnerable Flash Player plugin

        @tk_77

        Isn't it a bit of a leap to say that Adobe's trying to point fingers at Apple? Nowhere does it say that Adobe was blaming Apple for not including the latest Flash Player.
        genericaccount
      • Mixed feelings about this

        @tk_77 In the Windows world, we have Microsoft SUS which does a good job of allowing us to push updates out to all the Windows clients on our network. The problem is, that it only pushes the updates for Microsoft products.

        For the never ending series of Adobe Acrobat and Flash updates, we have to build our own patch files and push them out separately via group policy. And Adobe does not make it easy. Their automatic updaters don't work because our users do not have permissions to install software and also their patches for Acrobat are not cumulative. The other day I was installing a new machine and went directly to the Adobe web site thinking I would get the most current version of the Acrobat Reader. Wrong. After downloading and installing, it still needed to be patched up to the current level.

        So I often wish that Microsoft would push out other vendor's patches so that we could deploy them through SUS just like the Microsoft stuff. But if they did that, they would now be coming under the same criticism as Apple because their latest patch Tuesday release didn't include the most recent "patch of the day" for Adobe Products.

        I'm generally not a fan of Apple, but I do think they handled this one correctly. At least it appears that in no case did they make it worse for anyone than it already was.
        cornpie
    • RE: Adobe gives Mac users vulnerable Flash Player plugin

      @NonZealot So now you see why Steve Jobs is right about not supporting Flash on iPhone & iPad
      NaderBelaid
    • RE: Adobe gives Mac users vulnerable Flash Player plugin

      @NonZealot

      Flash needs to get with the program and include an auto-updater for all platforms, including OS X.
      RealNonZealot
      • RE: Adobe gives Mac users vulnerable Flash Player plugin

        @RealNonZealot - I agree.

        Recent articles on zdnet and other sites have shown, outside of OS X, Flash is not so bad after all. However, Adobe would be doing themselves a lot of good to put in an auto-updater. It's technically not difficult to have the player see which browser and OS it's running under and grab the relevant code.

        http://www.zdnet.com/blog/perlow/web-video-showdown-flash-vs-quicktime-vs-windows-media/13176

        http://www.readwriteweb.com/archives/does_html5_really_beat_flash_surprising_results_of_new_tests.php

        http://blogs.msdn.com/b/sprague/archive/2007/01/18/java.aspx

        http://blogs.gartner.com/ray_valdes/2010/02/10/html5-and-flash/
        HypnoToad72
    • RE: Adobe gives Mac users vulnerable Flash Player plugin

      @NonZealot

      Do you have a life? Why not live it somewhere else.
      781lc
    • RE: Adobe gives Mac users vulnerable Flash Player plugin

      @NonZealot You are such an arse wipe! Crawl into a hole and die already!
      The Danger is Microsoft
      • RE: Adobe gives Mac users vulnerable Flash Player plugin

        @The Danger is Microsoft Humm pot talking to the kettle?
        ItsTheBottomLine
    • RE: Adobe gives Mac users vulnerable Flash Player plugin

      @NonZealot In a way I agree with you - Apple should have tested this more thoroughly and then taken Flash out of the patch. Also the thing that needs to be taken from this is that this is even more proof that Adobe needs to get to work fixing their buggy and extremely vulnerable software and that Steve Jobs was right about Flash and Adobe in the first place.
      athynz
      • RE: Adobe gives Mac users vulnerable Flash Player plugin

        @athynz Steve Jobs shipped an outdated version of Flash, and that proves he was right about them in the first place?

        Flash suffers the same problem that Microsoft does, something that Apple has yet to achieve, and that is ubiquity.
        rtk
      • RE: Adobe gives Mac users vulnerable Flash Player plugin

        @athynz - Steve Jobs. Apart from his avoiding the fact that OS X has a lot of holes as well,

        http://www.zdnet.com/blog/perlow/web-video-showdown-flash-vs-quicktime-vs-windows-media/13176

        http://www.readwriteweb.com/archives/does_html5_really_beat_flash_surprising_results_of_new_tests.php

        http://blogs.msdn.com/b/sprague/archive/2007/01/18/java.aspx

        http://blogs.gartner.com/ray_valdes/2010/02/10/html5-and-flash/

        He's told his figures for Flash performance solely regarding OS X and not for 90% of what the world uses, which is Windows. (the zdnet article deftly points out a few things.)

        Along with the other articles I've included, which includes one where he says Java will die (which hasn't and is still in use by many major companies), he's just being a marketer and using words to manipulate the market with.

        I've put Win7 on my MacBook Pro (mid-2009) and my Mac Pro, so for the latter I can finally upgrade the video card to an ATi 5870 and not wait for Apple to put out theirs (assuming they intend to). I prefer OS X, but I don't prefer Jobs' attitude on this whole escapade. He smudged some facts to provoke a cold war with Adobe, and even apologized in a loose way:

        http://www.tomsguide.com/us/Steve-Jobs-Adobe-Flash-HTML5,news-6944.html

        And since, with any programming language, poor coding is the root cause of most stability and other issues, any platform is only as strong as those who write for it take the time to do the work. Being cheap to get whatever out the door as quickly as possible leads to problems, and Adobe hardly started that trend...
        HypnoToad72
      • RE: Adobe gives Mac users vulnerable Flash Player plugin

        @rtk Are you upset that Jobs was right about flash?

        In light of Jobs's understandable dislike of flash I'm surprised that a Mac patch had a flash installer/update contained within it albeit an older version. But that an outdated version was present in the patch is not what proves Jobs to be right.

        What proves that Jobs was right is the vulnerabilities present in Flash - and that it took over 6 months for them to fix prior issues. And that on a mobile platform it is a major battery hog.

        IMHO Apple should have tested the entire patch, found the flaws in Flash, ripped Flash out of the patch, and THEN shipped the patch out - and leave Flash out of the patch until Adobe gets it right.
        athynz
      • RE: Adobe gives Mac users vulnerable Flash Player plugin

        @athynz Steve shipped an outdated version of Flash, that proves he's right about Flash? You sure you don't work for the government?

        He does the same thing with windows. Ships the crappiest, most bloated and crash prone software on Windows (namely iTunes) then turns the PR department on to advertise how crappy, bloated and crash prone Windows is.

        He's a marketer, obviously. You're an easy target to market to, obviously. Good for Steve, too bad for you.
        rtk
  • RE: Adobe gives Mac users vulnerable Flash Player plugin

    Apple pushed this out, not Adobe. They should have found vulnerabilities when they did internal tests and determined to include it in their package.

    At the end of the day, Apple appears to be at fault.
    AllAroundIT
    • RE: Adobe gives Mac users vulnerable Flash Player plugin

      @AllAroundIT

      As I posted above to the troll, how is this Apple's fault? Is Apple expected to debug all the 3rd party software they install with their system?

      No.

      Apple did right here. If you have an older version of Flash installed, they update it to the latest version they gave their testing to. If you have a newer version installed, they leave it be.
      tk_77
      • RE: Adobe gives Mac users vulnerable Flash Player plugin

        @tk_77

        "Is Apple expected to debug all the 3rd party software they install with their system?"

        Yes they are. That's part of the customer's expectations. I use Gentoo and I am damned mad that they let a package with a trojan horse in their repository. You should be no less mad if you use OS X.
        Michael Kelly
      • RE: Adobe gives Mac users vulnerable Flash Player plugin

        @tk_77
        If they are pushing out software they accept responsibility for it.
        Why they did a push of the non-latest I still do not understand. At the time of push if the current available version is > push version, don't.
        rhonin
      • This is always old news

        @Michael Kelly & Zenwalker... People were pointing about this one other time. If you are preparing a patch to update a series of software, are you going to stop what you are doing, and go back to rework the patch because a new version of a 3rd party plugin was released just days before you push? No. As the previous poster pointed out, it brought people who are farther behind in Flash updates to the version just before 10.1, which means those users were already at risk with or without the patch.

        This is just simply fodder for the ABAers to scream about, which really means nothing at all.
        Snooki_smoosh_smoosh