Apple decides Flash users need to secure themselves

Filed Under: Adobe, Adobe Flash, Apple, Vulnerability

No Flash photo courtesy of flavouz's Flickr photostream

ComputerWorld's Gregg Keizer is reporting that Apple has decided to stop distributing security updates for Adobe's Flash browser plugin. It took only two days for Apple to make me regret the praise I had sent their way regarding the speed with which they distributed this week's Java patch.

Apple's new MacBook Air will no longer ship with Flash pre-installed and future revisions of the OS will not include Flash as new computers are shipped. Is this a continuance of the battle Steve Jobs is waging against Flash on the iPhone and iPad? Who knows. What I do know is that this is clearly a bad sign for the hope that Apple is committed to securing the Mac platform.

Flash does not currently ship with the ability to update itself, which will leave the vast majority of users of Safari vulnerable to attack. Fortunately Mozilla Firefox and Google Chrome will still check/update the Flash plugin automatically.

Adobe's advice that users should read the Adobe security blog to stay on top of Flash updates is good advice, but seems unlikely. How many of the 3,000,000 Mac users who purchased a computer from Apple last quarter will actually take their advice?

I sure hope that Apple's decision to put their users at risk of web attacks is not politically motivated, but either way you slice it they are doing a disservice to their customers. The simplicity of not having to add modules to a new Mac and not having to hunt down a hundred different updates is one of the reasons users choose a Mac in the first place.

Mac users will want to join the PC legion and make quarterly visits to http://get.adobe.com/flashplayer. Adobe has announced its intention to provide an auto-update application for Flash, but it remains to be seen when this will ship. IT admins can add their company's Macs to their quarterly Adobe patch list.

Creative Commons photo courtesy of flavouz's Flickr photostream.

Update: I misattributed a quote from an Adobe spokesperson to Apple. I have fixed that above. Thank you to Lucian Constantin for bringing this to my attention.

, ,

You might like

4 Responses to Apple decides Flash users need to secure themselves

  1. Derek Currie · 1268 days ago

    "What I do know is that this is clearly a bad sign for the hope that Apple is committed to securing the Mac platform."

    Actually, no. That is not the case. This past summer Apple provided a security update that included a OLD version of the Flash-plugin, a couple days after Adobe had released a newer critical security updated version. Apple therefore received a great deal of criticism and many Apple users who didn't know about Adobe's ongoing critical security flaw problems believed they had the latest version.

    Adobe's problems are their own. They are not Apple's. Considering the now monthly discovery of new Adobe security holes, the wisest move Apple could make was to simpy separate themselves from the entire issue, which they have.

    It is now entirely up to the user, not Apple, to keep track of Adobe's security problems, which is the way it must be. Otherwise Apple is open to criticism for installing dangerous software onto user's machines. Let Adobe take the blame they deserve.

  2. xenedar · 1267 days ago

    Wait, so you're saying that it's a Bad Thing™ that Apple ships an out-of-date Flash Player browser plug-in that is subject to known security issues, and requires a newly purchased Mac to have an up-to-date version downloaded fresh from Adobe's website before Flash playback will be available?

    It must be Backwards Day.

    Look at what has happened in the last 2 weeks. Adobe released 10.1.85 to fix a security hole in 10.1.82, and now 10.1.85 is itself the subject of yet another security hole.

    I'm not surprised Apple gave up trying to help Adobe. I'd get pretty fed up as well, having to download and incorporate Flash Player updates over and over. I already do get fed up with just the 500 Macs I look after. But for Apple to then check and pass the Flash Player update as part of their release certification, and THEN to have Flash Player out-of-date yet again within days.... I'd give up too.

    Adobe needs to solve their own security issues. It's time to take the training wheels off and Adobe needs to grow up and either solve its own security issues, or fail and be subject to consumer repercussions. Rather than people expecting Apple to bail Adobe out of jail for their mistakes.

  3. Look at what has happened in the last 2 weeks. Adobe released 10.1.85 to fix a security hole in 10.1.82, and now 10.1.85 is itself the subject of yet another security hole.

  4. Joe77 · 1050 days ago

    Adobe always had those kind of issues. for reason, Apple had a number of problems with flash. they had argues and discussions about the matter, but adobe was unwilling to resolve them. So enough is enough and Apple had to depart from a company that was very well rooted in the PC era, but times change and adobe seems to think the way MS thinks.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.