Apple decides Flash users need to secure themselves


No Flash photo courtesy of flavouz's Flickr photostream

ComputerWorld’s Gregg Keizer is reporting that Apple has decided to stop distributing security updates for Adobe’s Flash browser plugin. It took only two days for Apple to make me regret the praise I had sent their way regarding the speed with which they distributed this week’s Java patch.

Apple’s new MacBook Air will no longer ship with Flash pre-installed and future revisions of the OS will not include Flash as new computers are shipped. Is this a continuance of the battle Steve Jobs is waging against Flash on the iPhone and iPad? Who knows. What I do know is that this is clearly a bad sign for the hope that Apple is committed to securing the Mac platform.

Flash does not currently ship with the ability to update itself, which will leave the vast majority of users of Safari vulnerable to attack. Fortunately Mozilla Firefox and Google Chrome will still check/update the Flash plugin automatically.

Adobe’s advice that users should read the Adobe security blog to stay on top of Flash updates is good advice, but seems unlikely. How many of the 3,000,000 Mac users who purchased a computer from Apple last quarter will actually take their advice?

I sure hope that Apple’s decision to put their users at risk of web attacks is not politically motivated, but either way you slice it they are doing a disservice to their customers. The simplicity of not having to add modules to a new Mac and not having to hunt down a hundred different updates is one of the reasons users choose a Mac in the first place.

Mac users will want to join the PC legion and make quarterly visits to Adobe has announced its intention to provide an auto-update application for Flash, but it remains to be seen when this will ship. IT admins can add their company’s Macs to their quarterly Adobe patch list.

Creative Commons photo courtesy of flavouz’s Flickr photostream.

Update: I misattributed a quote from an Adobe spokesperson to Apple. I have fixed that above. Thank you to Lucian Constantin for bringing this to my attention.