Educause Security Discussion mailing list archives
Re: Adobe Flash auto-update status
From: Chris Green <cmgreen () UAB EDU>
Date: Tue, 28 Jun 2011 14:55:27 -0500
While Apple Lifecycles are maddening at not saying what will quit working when, 10.6 didn't support PowerPC and the forthcoming 10.7 starts to not support some Intel-based Macs.

The last released patch supporting PPC was:

10.5.8 August 5, 2009

PowerPC Macs are dead to the world at this time; remember that they ship with Java by default and there were plenty of sandbox related issues.

The closest rule of thumb I've been able to follow for Macs is Current Major release minus one *may* get security patches.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joe St Sauver
Sent: Tuesday, June 21, 2011 12:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Adobe Flash auto-update status

Brian mentioned:

#Our internal security group had some debate about the current status
#of Adobe's update mechanism for Flash on various platforms (related to
#the recent exploit activity reported by the Shadowserver folks[1]).
#Since I had to do a bit of digging to find official answers I thought
#I would share the results here.
#
#Based on Adobe's various publications, this is what I believe the
#update status to be across some major platforms:

[snip]

#* Mac OS X users get similar treatment to Windows users if they have
#Flash 10.3.x. Users with older versions of Flash have to manually
#update via the download center. [2][5]

[snip]

An important caveat: the latest versions of Flash simply aren't available/aren't supported AT ALL for PowerPC architecture Macs.

Thus, if you go to http://get.adobe.com/flashplayer/otherversions/ and select Macintosh OS X 10.4-10.6, and then attempt to "Select a version" your only option will be "Flash Player 10.3 for Mac OS X 10.4 - 10.6 (Intel)" (note the "Intel" there, although, of course, most users won't).

This lack of support for PowerPC Macs is confirmed at http://www.adobe.com/products/flashplayer/systemreqs/

This same issue also exists for the latest versions of Adobe Reader (e.g., Adobe Reader X (10.1)). See http://www.adobe.com/products/reader/tech-specs.html

This is a problem for two reasons:

-- Users may get conflicting messages about updating, and they may waste time attempting to upgrade (when in fact their platform has been orphaned by Adobe)

-- Those hosts that will be forever unable to run current/patched versions of these important apps represent security vulnerabilities on campus just waiting to be 0wn3d.

If the current versions of the applications are vulnerable, and won't be patched, I'd hope that Adobe would at least flag this condition and recommend that users knowingly and intentionally uninstall their products. Allowing users to continue running perpetually unpatched and unpatchable products is just nutz (IMO).

Regards,

Joe

Disclaimer: all opinions expressed are strictly my own and do not necessarily represent the opinions of any other organization or entity.