Educause Security Discussion mailing list archives

Re: Adobe Flash auto-update status


From: Chris Green <cmgreen () UAB EDU>
Date: Tue, 28 Jun 2011 14:55:27 -0500

While Apple Lifecycles are maddening at not saying what will quit working when, 10.6 didn't support PowerPC and the 
forthcoming 10.7 starts to not support some Intel-based Macs.

The last released patch supporting PPC was: 10.5.8      August 5, 2009

PowerPC Macs are dead to the world at this time; remember that they ship with Java by default and there were plenty of 
sandbox-related issues.  The closest rule of thumb I've been able to follow for Macs is Current Major release minus one 
*may* get security patches.


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joe St Sauver
Sent: Tuesday, June 21, 2011 12:36 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Adobe Flash auto-update status

Brian mentioned:

#Our internal security group had some debate about the current status
#of Adobe's update mechanism for Flash on various platforms (related to
#the recent exploit activity reported by the Shadowserver folks[1]).
#Since I had to do a bit of digging to find official answers I thought
#I would share the results here.
#
#Based on Adobe's various publications, this is what I believe the
#update status to be across some major platforms:
[snip]
#* Mac OS X users get similar treatment to Windows users if they have
#Flash 10.3.x.  Users with older versions of Flash have to manually
#update via the download center. [2][5]
[snip]

An important caveat: the latest versions of Flash simply aren't available/aren't supported AT ALL for PowerPC 
architecture Macs. Thus, if you go to http://get.adobe.com/flashplayer/otherversions/ and select Macintosh OS X 
10.4-10.6, and then attempt to "Select a version" your only option will be "Flash Player 10.3 for Mac OS X 10.4 - 10.6 
(Intel)" (note the "Intel" there, although, of course, most users won't).

This lack of support for PowerPC Macs is confirmed at http://www.adobe.com/products/flashplayer/systemreqs/

This same issue also exists for the latest versions of Adobe Reader (e.g., Adobe Reader X (10.1)). See 
http://www.adobe.com/products/reader/tech-specs.html

This is a problem for two reasons:

-- Users may get conflicting messages about updating, and they may waste
   time attempting to upgrade (when in fact their platform has been 
   orphaned by Adobe)

-- Those hosts that will be forever unable to run current/patched 
   versions of these important apps represent security vulnerabilities 
   on campus just waiting to be 0wn3d.

If the current versions of the applications are vulnerable, and won't be patched, I'd hope that Adobe would at least 
flag this condition and recommend that users knowingly and intentionally uninstall their products.

Allowing users to continue running perpetually unpatched and unpatchable products is just nutz (IMO).

Regards,

Joe

Disclaimer: all opinions expressed are strictly my own and do not necessarily represent the opinions of any other 
organization or entity.

