Re: Adobe Flash auto-update status

[Theodore Pham <telamon () CMU EDU>]

I wouldn't worry as much about Adobe's lack of PPC support as I would with Apple's.

We're a month or so away from Mac OS X 10.7 (Lion) being released.  If history
is any indicator, 10.5 will quietly cease to get Apple security updates in short
order.


Ted Pham
Information Security Office
Carnegie Mellon University

On 6/21/2011 1:36 PM, Joe St Sauver wrote:
> Brian mentioned:
>
> #Our internal security group had some debate about the current status
> #of Adobe's update mechanism for Flash on various platforms (related to
> #the recent exploit activity reported by the Shadowserver folks[1]).
> #Since I had to do a bit of digging to find official answers I thought
> #I would share the results here.
> #
> #Based on Adobe's various publications, this is what I believe the
> #update status to be across some major platforms:
> [snip]
> #* Mac OS X users get similar treatment to Windows users if they have
> #Flash 10.3.x.  Users with older versions of Flash have to manually
> #update via the download center. [2][5]
> [snip]
>
> An important caveat: the latest versions of Flash simply aren't available/
> aren't supported AT ALL for PowerPC architecture Macs. Thus, if you go to 
> http://get.adobe.com/flashplayer/otherversions/ and select 
> Macintosh OS X 10.4-10.6, and then attempt to "Select a version" your
> only option will be "Flash Player 10.3 for Mac OS X 10.4 - 10.6 (Intel)"
> (note the "Intel" there, although, of course, most users won't). 
>
> This lack of support for PowerPC Macs is confirmed at 
> http://www.adobe.com/products/flashplayer/systemreqs/
>
> This same issue also exists for the latest versions of Adobe Reader 
> (e.g., Adobe Reader X (10.1)). See
> http://www.adobe.com/products/reader/tech-specs.html
>
> This is a problem for two reasons:
>
> -- Users may get conflicting messages about updating, and they may waste
>    time attempting to upgrade (when in face their platform has been 
>    orphaned by Adobe)
>
> -- Those hosts that will be forever unable to run current/patched 
>    versions of these important apps represent security vulnerabilities 
>    on campus just waiting to be 0wn3d.
>
> If the current versions of the applications are vulnerable, and won't
> be patched, I'd hope that Adobe would at least flag this condition and
> recommend that users knowingly and intentionally uninstall their products.
>
> Allowing users to continue running perpetually unpatched and unpatchable
> products is just nutz (IMO).
>
> Regards,
>
> Joe
>
> Disclaimer: all opinions expressed are strictly my own and do not 
> necessarily represent the opinions of any other organization or entity.