This week Apple rolled out a new version of Safari that includes a security-related feature aimed at Mac OS X 10.6 (Snow Leopard) and OS X Lion.
If you read Apple's official announcement, you might think that Safari 5.1.7 will protect you from exploits that target vulnerabilities in outdated versions of Adobe Flash Player. That would be a fine feature indeed, except that Apple's more detailed documentation says it does no such thing.
Here’s the description from the support bulletin describing the new release:
Safari 5.1.7 for OS X Lion and Safari 5.1.7 for OS X Snow Leopard disable out-of-date versions of Adobe Flash Player.
Out-of-date versions of Adobe Flash Player do not include the latest security updates and will be disabled to help keep your Mac secure. If Safari 5.1.7 detects an out-of-date version of Flash Player on your system, you will see a dialog informing you that Flash Player has been disabled. The dialog provides the option to go directly to Adobe's website, where you can download and install an updated version of Flash Player.
That certainly sounds definitive. Safari 5.1.7 will "disable out-of-date versions of Adobe Flash Player." No qualifiers, no exceptions listed.
But hold the phone:
The text I just quoted is from Apple’s support document HT5271. That document does not link to the separate, more detailed bulletin (HT5282) titled “About the security content of Safari 5.1.7,” which includes this short paragraph at the end:
Note: In addition, this update disables Adobe Flash Player if it is older than 10.1.102.64 by moving its files to a new directory. This update presents the option to install an updated version of Flash Player from the Adobe website.
Well, that's very different. If you have an out-of-date version of Adobe Flash Player installed on your Mac, it will be disabled only if its version number is earlier than 10.1.102.64.
In other words, if you installed Flash Player 10.1.102.64 on your Mac in November 2010 (or later), Apple considers your installation “up to date.”
That was more than 18 months ago. Since that time, Adobe has delivered 17 Flash Player updates that affected the Windows, Macintosh, and Linux platforms. (Back in March I assembled an up-to-date list, which you can check for yourself.)
The most recent Flash Player update was released on May 4. If you have not yet installed version 220.127.116.11, on whatever your platform of choice is, your Adobe Flash Player is out of date.
If you last updated Flash in early 2011, you could be 16 versions behind. And yet, despite the seemingly definitive, no-qualifiers-included statement in that Apple security bulletin, Safari 5.1.7 will not disable your out-of-date version of Flash Player.
What’s going on here?
Flash Player 10.1.102.64 is indeed a major milestone release, the last version that Apple delivered via its own update mechanisms. Beginning in October 2010, Apple stopped bundling Flash Player with new Macs and required Mac users to get updates directly from Adobe.
With that November 2010 update, Apple officially washed its hands of any responsibility for Flash Player, even on systems where it installed and delivered the software originally.
This week’s announcement is bizarre. Any reasonable person who reads it will think, justifiably, that Apple has stepped boldly into the breach to protect Safari users and block them from falling prey to potentially outdated Flash Player versions. But that's not the way it works.
It's a mystery to me why Apple chose to make this change or to announce it in such a misleading way. My guess is that in the wake of the Flashback debacle someone in Cupertino looked at the company’s potential liability for older versions of the Flash Player that it delivered and decided that something had to be done. This was the solution they chose.
Actually, it’s a shame that Apple didn’t do with Safari 5.1.7 what bulletin HT5271 says they are doing. Windows users finally have an auto-update mechanism for Flash Player, which means (at least in theory) that security updates are delivered within 24 hours of their release by Adobe. OS X users don’t yet have a comparable mechanism (Adobe says they’re working on it), so a warning delivered within the browser would be a good thing.
Meanwhile, the Flash Player code in Google’s Chrome browser is automatically updated along with the browser itself. If you use Chrome on a Mac, you don’t need to worry about vulnerabilities in out-of-date Flash Player versions.
- New Apple Safari disables ancient, insecure Flash versions
- Why you should care about automatic updates for Flash Player
- Apple releases OS X Lion 10.7.4, fixes FileVault password bug
- What Microsoft can teach Apple about security response
- The slow and steady evolution of cross-platform malware