Educause Security Discussion mailing list archives
Re: Adobe Flash auto-update status
From: Theodore Pham <telamon () CMU EDU>
Date: Tue, 21 Jun 2011 14:18:47 -0400
I wouldn't worry as much about Adobe's lack of PPC support as I would with Apple's. We're a month or so away from Mac OS X 10.7 (Lion) being released. If history is any indicator, 10.5 will quietly cease to get Apple security updates in short order.

Ted Pham
Information Security Office
Carnegie Mellon University

On 6/21/2011 1:36 PM, Joe St Sauver wrote:
Brian mentioned:

#Our internal security group had some debate about the current status
#of Adobe's update mechanism for Flash on various platforms (related to
#the recent exploit activity reported by the Shadowserver folks[1]).
#Since I had to do a bit of digging to find official answers I thought
#I would share the results here.
#
#Based on Adobe's various publications, this is what I believe the
#update status to be across some major platforms:

[snip]

#* Mac OS X users get similar treatment to Windows users if they have
#Flash 10.3.x. Users with older versions of Flash have to manually
#update via the download center. [2][5]

[snip]

An important caveat: the latest versions of Flash simply aren't available/aren't supported AT ALL for PowerPC architecture Macs.

Thus, if you go to http://get.adobe.com/flashplayer/otherversions/ and select Macintosh OS X 10.4-10.6, and then attempt to "Select a version" your only option will be "Flash Player 10.3 for Mac OS X 10.4 - 10.6 (Intel)" (note the "Intel" there, although, of course, most users won't).

This lack of support for PowerPC Macs is confirmed at http://www.adobe.com/products/flashplayer/systemreqs/

This same issue also exists for the latest versions of Adobe Reader (e.g., Adobe Reader X (10.1)). See http://www.adobe.com/products/reader/tech-specs.html

This is a problem for two reasons:

-- Users may get conflicting messages about updating, and they may waste time attempting to upgrade (when in fact their platform has been orphaned by Adobe)

-- Those hosts that will be forever unable to run current/patched versions of these important apps represent security vulnerabilities on campus just waiting to be 0wn3d.

If the current versions of the applications are vulnerable, and won't be patched, I'd hope that Adobe would at least flag this condition and recommend that users knowingly and intentionally uninstall their products.

Allowing users to continue running perpetually unpatched and unpatchable products is just nutz (IMO).

Regards,

Joe

Disclaimer: all opinions expressed are strictly my own and do not necessarily represent the opinions of any other organization or entity.