Wednesday, June 16, 2010

Apple Ships Vulnerable Flash Player Plugin

Via Threatpost.com -

The Adobe Flash Player plugin that was included in yesterday's Mac OS X software update contains multiple vulnerabilities that expose users to malicious hacker attacks.

Apple shipped a new Flash Player plugin (10.0.45.2) in the Mac OS X patch bundle but that version became outdated on June 10th when Adobe shipped Flash Player 10.1.53.64.

The Flash Player 10.0.45.2 software contains 32 vulnerabilities, most rated "critical." At least one of those flaws has been exploited on the Windows platform.

Apple's outdated Flash Player plugin problem was flagged publicly by Adobe's Wendy Poland:
Earlier today, Apple released security update 2010-004 / Mac OS X v10.6.4. This update includes an earlier version of Adobe Flash Player (version 10.0.45.2) than available from Adobe.com. While the Mac OS X v10.6.4 update does not appear to downgrade users who have already upgraded to Adobe Flash Player 10.1, Adobe recommends users verify they are using the latest, most secure version of Flash Player (10.1.53.64) available for download from http://www.adobe.com/go/getflashplayer.
To verify the Adobe Flash Player version number installed on your system (after applying the Mac OS X security update), Mac users can go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu.

If you use multiple browsers, perform the check for each browser you have installed on your system.
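As an added example (not from the post, Threatpost or Adobe), the following Python script automates the version check described above: it reads the version string from the Flash Player plugin bundle's Info.plist and compares it numerically, component by component, against the 10.1.53.64 release Adobe names. The plugin bundle paths and the CFBundleShortVersionString key are assumptions about how the plugin is laid out on disk.

```python
import plistlib
from pathlib import Path

# Versions named in the quoted advisory: what Adobe recommends, what Apple shipped.
MINIMUM_SECURE = "10.1.53.64"
APPLE_SHIPPED = "10.0.45.2"

# Assumed plugin bundle locations on Mac OS X (system-wide and per-user);
# Safari and Firefox load NPAPI plugins from these folders (assumption).
PLUGIN_PATHS = [
    Path("/Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist"),
    Path.home() / "Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist",
]

def parse_version(text):
    """'10.0.45.2' -> (10, 0, 45, 2), so comparison is numeric per component.
    Comparing the raw strings would rank '9.0.260.0' above '10.1.53.64'."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def is_current(installed, minimum=MINIMUM_SECURE):
    """True when installed >= minimum; a shorter tuple such as (10, 1)
    sorts below (10, 1, 53, 64), so a truncated version never passes."""
    return parse_version(installed) >= parse_version(minimum)

def read_bundle_version(info_plist):
    """Version string from a plugin bundle's Info.plist, or None if unreadable.
    CFBundleShortVersionString is the key assumed to hold it."""
    try:
        with open(info_plist, "rb") as f:
            data = plistlib.load(f)
    except OSError:
        return None
    return data.get("CFBundleShortVersionString") or data.get("CFBundleVersion")

def check_installed(paths=PLUGIN_PATHS):
    """Map each plugin copy found to (version, meets_minimum)."""
    results = {}
    for p in paths:
        ver = read_bundle_version(p)
        if ver is not None:
            results[str(p)] = (ver, is_current(ver))
    return results

if __name__ == "__main__":
    for path, (ver, ok) in check_installed().items():
        print(f"{path}: {ver} -> {'current' if ok else 'OUTDATED, update to ' + MINIMUM_SECURE}")
```

Run it after applying the Mac OS X update; it prints one line per plugin copy found and nothing if no bundle exists at the assumed paths.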

---------------------------------

I know I have asked this before, but why the hell is Apple installing Adobe Flash as part of their updates?

At least they aren't downgrading newer versions of Flash, as they did with the Snow Leopard (10.6) release.

2 comments:

  1. The short answer to your question is, "The user experience."

    The real question isn't, "Why is Apple shipping vulnerable versions of apps?" but rather, "Why can't Adobe develop a secure Flash player?"

    My thought is because flash has such a bad history of security problems, it's just taken for granted they'll be bad. People seem to hold Apple to a higher standard, and think they can't do wrong, failing to realize they are just humans too (we think).

    How about we hold both companies to the same standard? Better yet, people should take responsibility for themselves, install Firefox and manage their own damn plug-ins.

  2. You hit the point exactly, it's about Apple keeping the seamless user experience of "stuff just working".

    Clearly, in this case, the older version of Flash was used because of QA. I understand that.

    The Apple controlled experience runs counter to asking "people to take responsibility for themselves".

    It's as if Apple just assumes their users can't download applications from 3rd-party vendors. lol
