Old Feb 8, 2013, 09:17 AM   #1
MacRumors
macrumors bot
 
Join Date: Apr 2001
Adobe Releases Flash Player Update to Patch Security Holes as Apple Blocks Earlier Versions




As noted by Ars Technica, Adobe late yesterday issued a security bulletin announcing that it was releasing updates to Flash Player in order to address a pair of security vulnerabilities targeting Mac and Windows users.
Quote:
Adobe is also aware of reports that CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform, as well as attacks designed to trick Windows users into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content.
Users can manually download the new 11.5.502.149 version of Flash Player from Adobe's site, or those who have specified that Adobe may update Flash Player automatically may simply allow it to do so.

In response to the issue, Apple has updated its XProtect anti-malware system to enforce new minimum version requirements blocking all previous versions of Flash Player. Apple has used the system several times over the past month to block vulnerable versions of Java.

Apple has also posted a new support document addressing the issue and explaining to users how to update Flash Player when they discover that the plug-in has been blocked.

Article Link: Adobe Releases Flash Player Update to Patch Security Holes as Apple Blocks Earlier Versions
MacRumors is offline   0 Reply With Quote
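
The minimum-version enforcement described in the article above, sketched as an added example for auditing a fleet (this is not Apple's code and not part of the original post). The policy layout and the `PlugInMinimums` key are hypothetical, the bundle identifier and the sample Info.plist data are constructed, and only the version 11.5.502.149 comes from the article.

```python
import plistlib
from itertools import zip_longest

FLASH_ID = "com.macromedia.Flash Player.plugin"  # assumed bundle identifier

# Constructed policy file. "PlugInMinimums" is a hypothetical key name used
# for illustration; the minimum version is the one named in the article.
POLICY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PlugInMinimums</key>
  <dict>
    <key>com.macromedia.Flash Player.plugin</key>
    <string>11.5.502.149</string>
  </dict>
</dict>
</plist>"""


def sample_info_plist(bundle_id, version):
    """Build a constructed Info.plist, standing in for an installed plug-in."""
    return plistlib.dumps(
        {"CFBundleIdentifier": bundle_id, "CFBundleVersion": version}
    )


def parse_version(text):
    """Turn '11.5.502.149' into (11, 5, 502, 149); reject anything else."""
    parts = text.strip().split(".")
    if any(not p.isdigit() for p in parts):
        raise ValueError("not a dotted numeric version: %r" % text)
    return tuple(int(p) for p in parts)


def is_older(installed, minimum):
    """Compare field by field as integers, padding the shorter with zeros.

    A plain string comparison would rank '11.10.0.0' below '11.5.502.149'.
    """
    pairs = zip_longest(parse_version(installed), parse_version(minimum),
                        fillvalue=0)
    for have, need in pairs:
        if have != need:
            return have < need
    return False  # equal versions meet the minimum


def verdict(info_plist_bytes, policy_bytes=POLICY_PLIST):
    """Return 'allow', 'block' or 'unmanaged' for one plug-in bundle."""
    info = plistlib.loads(info_plist_bytes)
    minimums = plistlib.loads(policy_bytes)["PlugInMinimums"]
    bundle_id = info.get("CFBundleIdentifier", "")
    if bundle_id not in minimums:
        return "unmanaged"  # policy says nothing about this plug-in
    try:
        old = is_older(info.get("CFBundleVersion", ""), minimums[bundle_id])
    except ValueError:
        return "block"  # fail closed when the version cannot be read
    return "block" if old else "allow"


if __name__ == "__main__":
    for version in ("11.5.502.146", "11.5.502.149", "11.10.0.0", "unknown"):
        print(version, "->", verdict(sample_info_plist(FLASH_ID, version)))
```
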
Old Feb 8, 2013, 09:22 AM   #2
OrangeSVTguy
macrumors 601
 
 
Join Date: Sep 2007
Location: Northeastern Ohio
How long before the next "vulnerability" and Apple shuts this one down?
__________________
Browsing the forums from my Powerbook G4
OrangeSVTguy is online now   2 Reply With Quote
Old Feb 8, 2013, 11:12 AM   #3
tbrinkma
macrumors 68000
 
Join Date: Apr 2006
Quote:
Originally Posted by OrangeSVTguy View Post
How long before the next "vulnerability" and Apple shuts this one down?
Why the 'scare quotes' around the word vulnerability?

There was a vulnerability, which was being exploited in the wild. Blocking a vulnerable (and exploited) plug-in from running is a good security practice, and it can be easily undone if you really want to.

(It generally takes about 1-2 *hours* after the security update is released before instructions appear online to disable the block.)
__________________
17" MBP (unibody), 2.66GHz i7, 8GB RAM, 750 GB HDD; iPhone 4s 64GB/Black
tbrinkma is offline   1 Reply With Quote
Old Feb 8, 2013, 11:33 AM   #4
musicpaladin
macrumors newbie
 
Join Date: Oct 2010
Quote:
Originally Posted by tbrinkma View Post
Why the 'scare quotes' around the word vulnerability?

There was a vulnerability, which was being exploited in the wild. Blocking a vulnerable (and exploited) plug-in from running is a good security practice, and it can be easily undone if you really want to.

(It generally takes about 1-2 *hours* after the security update is released before instructions appear online to disable the block.)
Um.... blocking exploits should be done at the liberty of the administrators, not by the manufacturer. That's the business's decision to make. Not Apple's. If Apple is serious about continuing to claim to serve the Enterprise market (which they have repeatedly shown more and more that they are completely inept at) then they will cease this practice immediately.

In the business world, when you have several thousand workstations on your network, it is unacceptable and impractical to ask an administrator to manually have to disable a block. And for some businesses, 1-2 hours is too long. What if you are in medicine and your medical database uses a Java based client? Someone could die if you lose access to these records for 1-2 hours.

This would NEVER fly on a Microsoft product. If this is what people will have to expect from Apple, then they will not use their products for the Enterprise.

Apple continues to play God and show an arrogance towards the Enterprise about their needs.
musicpaladin is offline   2 Reply With Quote
Old Feb 8, 2013, 11:49 AM   #5
HenryDJP
macrumors 68040
 
Join Date: Nov 2012
Location: United States
Quote:
Originally Posted by musicpaladin View Post
Um.... blocking exploits should be done at the liberty of the administrators, not by the manufacturer. That's the business's decision to make. Not Apple's. If Apple is serious about continuing to claim to serve the Enterprise market (which they have repeatedly shown more and more that they are completely inept at) then they will cease this practice immediately.

In the business world, when you have several thousand workstations on your network, it is unacceptable and impractical to ask an administrator to manually have to disable a block. And for some businesses, 1-2 hours is too long. What if you are in medicine and your medical database uses a Java based client? Someone could die if you lose access to these records for 1-2 hours.

This would NEVER fly on a Microsoft product.
Are you serious? OMG. I.T. departments (although would love to have reasons to keep their jobs) want as little to do with cleanups of company computers as possible. I know this first hand.

Of course this would never fly on a "Microsoft Product", that's why hackers love to target Windows, because they KNOW Windows over the years has had serious security holes and rather than attempting to block hackers Microsoft has just patched holes. That helps no one.

Funny though, reports last year said Apple's care for security on their systems had dropped. Now they are analyzing software that's trying to be installed on their systems that may/will compromise the user's security/privacy, they find the flaw and then block it. If you find this is poor business then do away with your Macs and stay on Windows since Microsoft does what you want them to do.
HenryDJP is offline   0 Reply With Quote
Old Feb 8, 2013, 11:52 AM   #6
fahlman
macrumors member
 
Join Date: Sep 2003
Quote:
Originally Posted by musicpaladin View Post
Um.... blocking exploits should be done at the liberty of the administrators, not by the manufacturer. That's the business's decision to make. Not Apple's. If Apple is serious about continuing to claim to serve the Enterprise market (which they have repeatedly shown more and more that they are completely inept at) then they will cease this practice immediately.

In the business world, when you have several thousand workstations on your network, it is unacceptable and impractical to ask an administrator to manually have to disable a block. And for some businesses, 1-2 hours is too long. What if you are in medicine and your medical database uses a Java based client? Someone could die if you lose access to these records for 1-2 hours.

This would NEVER fly on a Microsoft product. If this is what people will have to expect from Apple, then they will not use their products for the Enterprise.

Apple continues to play God and show an arrogance towards the Enterprise about their needs.
You must not be an administrator in the enterprise or you would know that no administrator does anything to thousands of computers manually.

Also, Apple did not block Flash until there was an updated version with this security hole closed.
fahlman is offline   3 Reply With Quote
Old Feb 8, 2013, 11:55 AM   #7
TouchMint.com
macrumors 65816
 
 
Join Date: May 2012
Location: Phoenix
This is pretty annoying stuff. When this gets blocked I can't work from home which means I have to boot to Windows to work from home.
__________________
TouchMint.com iOS App Site
Adventure To Fate iOS RPG Game Site
Indie iOS Game: Adventure To Fate : A Quest To The Core JRPG

TouchMint.com is offline   1 Reply With Quote
Old Feb 8, 2013, 02:38 PM   #8
musicpaladin
macrumors newbie
 
Join Date: Oct 2010
Quote:
Originally Posted by fahlman View Post
You must not be an administrator in the enterprise or you would know that no administrator does anything to thousands of computers manually.

Also, Apple did not block Flash until there was an updated version with this security hole closed.
Excuse me. I am one of the administrators (though not of as many systems as that) of a network which is a mixed Mac/Windows network. Apple's enterprise system management leaves MUCH to be desired especially in a mixed environment. It is much easier and more trivial to push out a group policy than one of these commands. It would help if Apple's AD integration worked halfway decently.

Apple DID block Java before their update was released and that's a bigger problem. That's what I was referring to. I agree that it's okay to block something that is being exploited IF a patch has ALREADY been released for a period of time to allow it to be thoroughly tested and pushed out. But this "oh noes theres an exploit!" and then blocking it UNTIL Java releases an update is just not realistic in a working environment.

----------

Quote:
Originally Posted by HenryDJP View Post
Are you serious? OMG. I.T. departments (although would love to have reasons to keep their jobs) want as little to do with cleanups of company computers as possible. I know this first hand.

Of course this would never fly on a "Microsoft Product", that's why hackers love to target Windows, because they KNOW Windows over the years has had serious security holes and rather than attempting to block hackers Microsoft has just patched holes. That helps no one.

Funny though, reports last year said Apple's care for security on their systems had dropped. Now they are analyzing software that's trying to be installed on their systems that may/will compromise the user's security/privacy, they find the flaw and then block it. If you find this is poor business then do away with your Macs and stay on Windows since Microsoft does what you want them to do.
We don't want to be cleaning up computers, but we also don't want Apple flipping a switch and instantly rendering the tools that we use on a day to day basis instantly inoperable indefinitely while there is no update available to patch the hole. Users (at least the ones that work for us) are far more irritated when the whole organization can't do their day to day job than individual isolated computers being compromised.

Disabling third party software such as Java is not increasing security. It's called crippling someone else's system.

I say again: suppose a company uses a java based tool. Apple flips a switch and makes it useless. What would you tell them?
musicpaladin is offline   1 Reply With Quote
Old Feb 8, 2013, 02:58 PM   #9
FloatingBones
macrumors 65816
 
 
Join Date: Jul 2006
Quote:
Originally Posted by musicpaladin View Post
Um.... blocking exploits should be done at the liberty of the administrators, not by the manufacturer. That's the business's decision to make. Not Apple's. If Apple is serious about continuing to claim to serve the Enterprise market (which they have repeatedly shown more and more that they are completely inept at) then they will cease this practice immediately.
Um... Apple does allow the administrators to turn off the malware-blocking options if they choose to do that. The checking is turned on by default, and that's definitely the right decision.

Did you do any research before making this post? It took me about 2 minutes to find the checkbox.

Quote:
In the business world, when you have several thousand workstations on your network, it is unacceptable and impractical to ask an administrator to manually have to disable a block.
This option has been in OS X for several years. If admins wish to override the default [safe] behavior, they should have already done it a long time ago.

Quote:
And for some businesses, 1-2 hours is too long. What if you are in medicine and your medical database uses a Java based client? Someone could die if you lose access to these records for 1-2 hours.
WTF would someone need to use Java code in the client browser in order to access a medical database? This hypothetical is also a FAIL.

Quote:
This would NEVER fly on a Microsoft product.
What exactly is the "this" you're talking about? Why do you presume that some company couldn't override the malware option if they chose to do that?

Quote:
If this is what people will have to expect from Apple, then they will not use their products for the Enterprise.
Your message makes no sense. Your "this" is based on misconceptions and failed hypotheticals.

Quote:
Apple continues to play God and show an arrogance towards the Enterprise about their needs.
How, exactly? Any personal user who wishes to can override the option. And any enterprise that wishes could also override that option enterprise-wide. Simple.

Your complaints are groundless.


Quote:
Originally Posted by musicpaladin View Post
We don't want to be cleaning up computers, but we also don't want Apple flipping a switch and instantly rendering the tools that we use on a day to day basis instantly inoperable indefinitely while there is no update available to patch the hole.
Then you have an obvious choice: disable Apple's real-time updating of the malware database.

Quote:
Users (at least the ones that work for us) are far more irritated when the whole organization can't do their day to day job than individual isolated computers being compromised.
Then the answer is simple. Override the default, and make your Macs more promiscuous.

Quote:
Disabling third party software such as Java is not increasing security. It's called crippling someone else's system.
Here's a different perspective: using vendors which continue to use something as broken as Java in web browsers holds the risk of crippling your entire organization. Your company sounds ripe for a spear phishing attack.

Quote:
I say again: suppose a company uses a java based tool. Apple flips a switch and makes it useless. What would you tell them?
If you have proper planning in your organization and have decided that allowing zero-day attacks from Java and Flash is your preferred means of operating, you would have already changed that security option on the Macs in your enterprise.

Here's a question for you: how long will it take before your company realizes that Java/Flash in web clients is a terrible idea and you will phase them out?

Last edited by FloatingBones; Feb 8, 2013 at 03:09 PM.
FloatingBones is offline   4 Reply With Quote
Old Feb 8, 2013, 04:03 PM   #10
gotluck
macrumors 68040
 
 
Join Date: Dec 2011
Location: East Central Florida
Quote:
Originally Posted by FloatingBones View Post



Here's a different perspective: using vendors which continue to use something as broken as Java in web browsers holds the risk of crippling your entire organization. Your company sounds ripe for a spear phishing attack.



If you have proper planning in your organization and have decided that allowing zero-day attacks from Java and Flash is your preferred means of operating, you would have already changed that security option on the Macs in your enterprise.

Here's a question for you: how long will it take before your company realizes that Java/Flash in web clients is a terrible idea and you will phase them out?
Do you have any suggestions on an alternative to Jack Henry for banking systems that does not use java?

We have no macs at our community bank but operations would halt without access to java.
__________________
iPad Air LTE 8.1.2 JB (T-Mobile) - GS 4 Google Edition 5.0.0 (AT&T) - Windows 7 PC's - PS4
gotluck is online now   0 Reply With Quote
Old Feb 8, 2013, 05:34 PM   #11
tbrinkma
macrumors 68000
 
Join Date: Apr 2006
Quote:
Originally Posted by musicpaladin View Post
Um.... blocking exploits should be done at the liberty of the administrators, not by the manufacturer. That's the business's decision to make. Not Apple's. If Apple is serious about continuing to claim to serve the Enterprise market (which they have repeatedly shown more and more that they are completely inept at) then they will cease this practice immediately.

In the business world, when you have several thousand workstations on your network, it is unacceptable and impractical to ask an administrator to manually have to disable a block. And for some businesses, 1-2 hours is too long. What if you are in medicine and your medical database uses a Java based client? Someone could die if you lose access to these records for 1-2 hours.

This would NEVER fly on a Microsoft product. If this is what people will have to expect from Apple, then they will not use their products for the Enterprise.

Apple continues to play God and show an arrogance towards the Enterprise about their needs.
Congratulations. You've just told someone in IT, who has to deal with Microsoft's security practices on a regular basis that *cutting off an actively exploited security vulnerability* is a 'bad' thing. Really?

I've had to clean up after a *number* of 0-day exploits over the course of my career, and would have given my eye teeth to not have had to go through that mess. If you've ever had to deal with completely reimaging 2 dozen Windows boxes, you'll know how much *more* effort that is than undoing this security fix *IF* it actually causes any users a problem.

Might I suggest that you go shopping for a clue?

----------

Quote:
Originally Posted by iMikeT View Post
Actually, I do because I'll have to log into my admin account to install updates and such. The user account I use does not have admin privileges for obvious reasons. Then there's the OCD of rebooting after updates and such from the early days of computing.
You still don't need to reboot. Just switch to your admin account, do the install, and restart Safari when you switch back to your normal account.
__________________
17" MBP (unibody), 2.66GHz i7, 8GB RAM, 750 GB HDD; iPhone 4s 64GB/Black
tbrinkma is offline   3 Reply With Quote
Old Feb 8, 2013, 09:22 AM   #12
Squilly
macrumors 68020
 
 
Join Date: Nov 2012
Location: PA
What is with all the exploits lately.... Get it right people!
__________________
iPhone 6 16gb Space Gray Sprint
Squilly is offline   1 Reply With Quote
Old Feb 8, 2013, 09:24 AM   #13
JaySoul
macrumors 65816
 
Join Date: Jan 2008
Flash, Flash, why do you crash?
JaySoul is offline   12 Reply With Quote
Old Feb 8, 2013, 09:27 AM   #14
Saladinos
macrumors 68000
 
 
Join Date: Feb 2008
This is why Apple have been fighting for a plugin-free web.

It's certainly cost them sales (not having Flash and to a lesser extent Java on iOS devices, for example), but it's worth it. I'm glad they didn't take the easy road.
Saladinos is offline   20 Reply With Quote
Old Feb 8, 2013, 09:28 AM   #15
TheNextBigThing
macrumors member
 
Join Date: Feb 2012
Location: Pearl of the Orient
Tried to open the download link.
"Your Google Chrome browser already includes Adobe® Flash® Player built-in. Google Chrome will automatically update when new versions of Flash Player are available."
TheNextBigThing is offline   2 Reply With Quote
Old Feb 8, 2013, 09:38 AM   #16
scaredpoet
macrumors 603
 
 
Join Date: Apr 2007
Quote:
Originally Posted by TheNextBigThing View Post
Tried to open the download link.
"Your Google Chrome browser already includes Adobe® Flash® Player built-in. Google Chrome will automatically update when new versions of Flash Player are available."
Yeah, all versions of Chrome come with an internalized Flash instance separate from the OS. So, for someone like autrefois who wants to run an insecure plugin, they can just use Chrome.

Funny how the devs do this for Flash, but continue to take a stand against a real standard like H.264.

Quote:
Originally Posted by autrefois View Post
Apple needs to stop blocking software.
No, people need to stop making users "do actual work" using poor platform choices and insecure software. Flash and Java's times are over. I'm glad Apple is doing this, because it highlights the fact that these plugins need to go.
__________________
If you're not a clairvoyant, then you shouldn't be speaking for a dead guy.
I'm here to talk about Apple stuff, and related tech stuff. Your political beliefs? I really couldn't care less about.
scaredpoet is online now   18 Reply With Quote
Old Feb 8, 2013, 10:39 AM   #17
a0me
macrumors 6502a
 
Join Date: Oct 2006
Location: Tokyo, Japan
Quote:
Originally Posted by TheNextBigThing View Post
Tried to open the download link.
"Your Google Chrome browser already includes Adobe® Flash® Player built-in. Google Chrome will automatically update when new versions of Flash Player are available."
Chrome rocks. It just works.
__________________
iMac 24"; MacBook Pro 15"; iPhone 4; iPhone 5s; iPod touch; tv
a0me is offline   1 Reply With Quote
Old Feb 8, 2013, 09:29 AM   #18
fullauto
macrumors 6502a
 
 
Join Date: Oct 2012
Location: Brisbane
Urgh get rid of it already.
fullauto is offline   2 Reply With Quote
Old Feb 8, 2013, 09:36 AM   #19
AngerDanger
macrumors 65816
 
 
Join Date: Dec 2008
Location: doing the Dada Polka
Total Poetry Time®

Quote:
Originally Posted by JaySoul View Post
Flash, Flash, why do you crash?
My poor keyboard, you make me smash.
AngerDanger is offline   12 Reply With Quote
Old Feb 8, 2013, 03:54 PM   #20
blacktape242
macrumors 6502
 
Join Date: Dec 2010
Location: Sacramento, CA
Quote:
Originally Posted by Fresh Pie View Post
My poor keyboard, you make me smash.
I just want to eat hash....
blacktape242 is offline   0 Reply With Quote
Old Feb 9, 2013, 02:46 PM   #21
Lancer
macrumors 68000
 
Join Date: Jul 2002
Location: Australia
Quote:
Originally Posted by JaySoul View Post
Flash, Flash, why do you crash?
Plenty of sites rely on Flash to run, no Flash no access.
Lancer is offline   0 Reply With Quote
Old Feb 9, 2013, 04:26 PM   #22
FloatingBones
macrumors 65816
 
 
Join Date: Jul 2006
Quote:
Originally Posted by Lancer View Post
Plenty of sites rely on Flash to run, no Flash no access.
That doesn't really make a lot of sense: you make it sound as if these sites are cast in concrete and cannot change. There are already hundreds of millions of computers that can't run Flash in their browser; what are those sites doing to run on those computers?

Zero-day Flash/Java exploits are coming at alarming frequency. Any website owner still relying on Flash to deliver their content needs to have their head examined.
FloatingBones is offline   3 Reply With Quote
Old Feb 9, 2013, 08:10 PM   #23
Lancer
macrumors 68000
 
Join Date: Jul 2002
Location: Australia
Quote:
Originally Posted by FloatingBones View Post
That doesn't really make a lot of sense: you make it sound as if these sites are cast in concrete and cannot change. There are already hundreds of millions of computers that can't run Flash in their browser; what are those sites doing to run on those computers?

Zero-day Flash/Java exploits are coming at alarming frequency. Any website owner still relying on Flash to deliver their content needs to have their head examined.
I'm not saying they can't change, I'm just saying what they are now using. It's like cars mostly run on petrol (gasoline for those in the US) but there are also some that run on diesel; it doesn't mean the manufacturers are going to all switch to bio-fuels because it is better for the environment. Fact is many sites partly or solely use Java and it's going to take time for them to switch to better code.
Lancer is offline   0 Reply With Quote
Old Feb 8, 2013, 09:25 AM   #24
autrefois
macrumors 65816
 
 
Join Date: Oct 2003
Location: Somewhere in the USA
Apple needs to stop blocking software. If they want to display a warning, fine. But for people who rely on their computers to do actual work, it isn't acceptable for them to keep disabling software that many people use and need on a daily basis. Inform people of the vulnerability and give them the option of disabling it.
autrefois is offline   25 Reply With Quote
Old Feb 8, 2013, 09:28 AM   #25
ProudLoz
macrumors regular
 
Join Date: Aug 2012
Quote:
Originally Posted by autrefois View Post
Apple needs to stop blocking software. If they want to display a warning, fine. But for people who rely on their computers to do actual work, it isn't acceptable for them to keep disabling software that many people use and need on a daily basis just because there's a vulnerability out there.
This. Although I wasn't working, I did find it annoying that a lot of the websites I visited that needed the Adobe plug-in were completely useless because of this block.
ProudLoz is offline   6 Reply With Quote
