Adobe Releases Flash Player Update to Patch Security Holes as Apple Blocks Earlier Versions

[MacRumors]

As noted by Ars Technica, Adobe late yesterday issued a security bulletin announcing that it was releasing updates to Flash Player in order to address a pair of security vulnerabilities targeting Mac and Windows users.

Quote:

Adobe is also aware of reports that CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform, as well as attacks designed to trick Windows users into opening a Microsoft Word document delivered as an email attachment which contains malicious Flash (SWF) content.

Users can manually download the new 11.5.502.149 version of Flash Player from Adobe's site, or those who have specified that Adobe may update Flash Player automatically may simply allow it to do so.

In response to the issue, Apple has updated its Xprotect anti-malware system to enforce new minimum version requirements blocking all previous versions of Flash Player. Apple has used the system several times over the past month to block vulnerable versions of Java.

Apple has also posted a new support document addressing the issue and explaining to users how to update Flash Player when they discover that the plug-in has been blocked.

Article Link: Adobe Releases Flash Player Update to Patch Security Holes as Apple Blocks Earlier Versions

[OrangeSVTguy]

How long before the next "vulnerability" and apple shuts this one down?

[tbrinkma]

Quote:

Originally Posted by OrangeSVTguy

How long before the next "vulnerability" and apple shuts this one down?

Why the 'scare quotes' around the word vulnerability?

There was a vulnerability, which was being exploited in the wild. Blocking a vulnerable (and exploited) plug-in from running is a good security practice, and it can be easily undone if you really want to.

(It generally takes about 1-2 *hours* after the security update is released before instructions appear online to disable the block.)

[musicpaladin]

Quote:

Originally Posted by tbrinkma

Why the 'scare quotes' around the word vulnerability?

There was a vulnerability, which was being exploited in the wild. Blocking a vulnerable (and exploited) plug-in from running is a good security practice, and it can be easily undone if you really want to.

(It generally takes about 1-2 *hours* after the security update is released before instructions appear online to disable the block.)

Um.... blocking exploits should be done at the liberty of the administrators, not by the manufacturer. That's the business's decision to make. Not Apple's. If Apple is serious about continuing to claim to serve the Enterprise market (which they have repeatedly shown more and more that they are completely inept at) then they will cease this practice immediately.

In the business world, when you have several thousand workstations on your network, it is unacceptible and impractical to ask an administrator to manually have to disable a block. And for some businesses, 1-2 hours is too long. What if you are in medicine and your medical database uses a Java based client? Someone could die if you lose access to these records for 1-2 hours.

This would NEVER fly on a Microsoft product. If this is what people will have to expect from Apple, then they will not use their products for the Enterprise.

Apple continues to play God and show an arrogance towards the Enterprise about their needs.

[HenryDJP]

Quote:

Originally Posted by musicpaladin

Um.... blocking exploits should be done at the liberty of the administrators, not by the manufacturer. That's the business's decision to make. Not Apple's. If Apple is serious about continuing to claim to serve the Enterprise market (which they have repeatedly shown more and more that they are completely inept at) then they will cease this practice immediately.

In the business world, when you have several thousand workstations on your network, it is unacceptible and impractical to ask an administrator to manually have to disable a block. And for some businesses, 1-2 hours is too long. What if you are in medicine and your medical database uses a Java based client? Someone could die if you lose access to these records for 1-2 hours.

This would NEVER fly on a Microsoft product.

Are you serious? . OMG. I.T departments (although would love to have reasons to keep their jobs) want as little to do with cleanups of company computers as possible. I know this first hand.

Of course this would never fly on a "Microsoft Product", that's why hackers love to target Windows, because they KNOW Windows over the years has had serious security holes and rather than attempting to block hackers Microsoft has just patched holes. That helps no one.

Funny though, reports last year said Apple's care for security on their systems had dropped. Now they are analyzing software that's trying to be installed on their systems that may/will compromise the user's security/privacy, they find the flaw and then block it. If you find this is poor business then do away with your Macs and stay on Windows since Microsoft does what you want them to do.

[fahlman]

Quote:

Originally Posted by musicpaladin

Um.... blocking exploits should be done at the liberty of the administrators, not by the manufacturer. That's the business's decision to make. Not Apple's. If Apple is serious about continuing to claim to serve the Enterprise market (which they have repeatedly shown more and more that they are completely inept at) then they will cease this practice immediately.

In the business world, when you have several thousand workstations on your network, it is unacceptible and impractical to ask an administrator to manually have to disable a block. And for some businesses, 1-2 hours is too long. What if you are in medicine and your medical database uses a Java based client? Someone could die if you lose access to these records for 1-2 hours.

This would NEVER fly on a Microsoft product. If this is what people will have to expect from Apple, then they will not use their products for the Enterprise.

Apple continues to play God and show an arrogance towards the Enterprise about their needs.

You must not be an administrator in the enterprise or you would know that no administrator does anything to thousands of computers manually.

Also, Apple did not block Flash until there was a updated version with this security hole closed.

[TouchMint.com]

This is pretty annoying stuff. When this get blocked I cant work from home which means I have to boot to windows to work from home.

[musicpaladin]

Quote:

Originally Posted by fahlman

You must not be an administrator in the enterprise or you would know that no administrator does anything to thousands of computers manually.

Also, Apple did not block Flash until there was a updated version with this security hole closed.

Excuse me. I am one of the administrators (though not of as many systems as that) of a network which is mixed Mac/Windows network. Apple's enterprise system management leaves MUCH to be desired especially in a mixed environment. It is much easier and more trivial to push out a group policy than one of these commands. It would help if Apple's AD integration worked halfway decently.

Apple DID block Java before their update was released and that's a bigger problem. That's what I was referring to. I agree that it's okay to block something that is being exploited IF a patch has ALREADY been released for a period of time to allow it to be thoroughly tested and pushed out. But this "oh noes theres an exploit!" and then blocking it UNTIL Java releases an update is just not realistic in a working environment.

----------

Quote:

Originally Posted by HenryDJP

Are you serious? . OMG. I.T departments (although would love to have reasons to keep their jobs) want as little to do with cleanups of company computers as possible. I know this first hand.

Of course this would never fly on a "Microsoft Product", that's why hackers love to target Windows, because they KNOW Windows over the years has had serious security holes and rather than attempting to block hackers Microsoft has just patched holes. That helps no one.

Funny though, reports last year said Apple's care for security on their systems had dropped. Now they are analyzing software that's trying to be installed on their systems that may/will compromise the user's security/privacy, they find the flaw and then block it. If you find this is poor business then do away with your Macs and stay on Windows since Microsoft does what you want them to do.

We don't want to be cleaning up computers, but we also don't want apple flipping a switch and instantly rendering the tools that we use on a day to day basis instantly inoperable indefinitely while there is no update available to patch the hole. Users (at least the ones that work for us) are far more irritated when the whole organization can't do their day to day job than individual isolated computers being compromised.

Disabling third party software such as Java is not increasing security. It's called crippling someone else's system.

I say again: suppose a company uses a java based tool. Apple flips a switch and makes it useless. What would you tell them?

[FloatingBones]

Quote:

Originally Posted by musicpaladin

Um.... blocking exploits should be done at the liberty of the administrators, not by the manufacturer. That's the business's decision to make. Not Apple's. If Apple is serious about continuing to claim to serve the Enterprise market (which they have repeatedly shown more and more that they are completely inept at) then they will cease this practice immediately.

Um... Apple does allow the administrators to turn off the malware-blocking options if they choose to do that. The checking is turned on by default, and that's definitely the right decision.

Did you do any research before making this post? It took me about 2 minutes to find the checkbox.

Quote:

In the business world, when you have several thousand workstations on your network, it is unacceptible and impractical to ask an administrator to manually have to disable a block.

This option has been in OS X for several years. If admins wish to override the default [safe] behavior, they should have already done it a long time ago.

Quote:

And for some businesses, 1-2 hours is too long. What if you are in medicine and your medical database uses a Java based client? Someone could die if you lose access to these records for 1-2 hours.

WTF would someone need to use Java code in the client browser in order to access a medical database? This hypothetical is also a FAIL.

Quote:

This would NEVER fly on a Microsoft product.

What exactly is the "this" you're talking about? Why do you presume that some company couldn't override the malware option if they chose to do that?

Quote:

If this is what people will have to expect from Apple, then they will not use their products for the Enterprise.

Your message makes no sense. Your "this" is based on misconceptions and failed hypotheticals.

Quote:

Apple continues to play God and show an arrogance towards the Enterprise about their needs.

How, exactly? Any personal user who wishes to can override the option. And any enterprise that wishes could also override that option enterprise-wide. Simple.

Your complaints are groundless.

Quote:

Originally Posted by musicpaladin

We don't want to be cleaning up computers, but we also don't want apple flipping a switch and instantly rendering the tools that we use on a day to day basis instantly inoperable indefinitely while there is no update available to patch the hole.

Then you have an obvious choice: disable Apple's real-time updating of the malware database.

Quote:

Users (at least the ones that work for us) are far more irritated when the whole organization can't do their day to day job than individual isolated computers being compromised.

Then the answer is simple. Override the default, and make your Macs more promiscuous.

Quote:

Disabling third party software such as Java is not increasing security. It's called crippling someone else's system.

Here's a different perspective: using vendors which continue to use something as broken as Java in web browsers holds the risk of crippling your entire organization. Your company sounds ripe for a spear phishing attack.

Quote:

I say again: suppose a company uses a java based tool. Apple flips a switch and makes it useless. What would you tell them?

If you have proper planning in your organization and have decided that allowing zero-day attacks from Java and Flash is your preferred means of operating, you would have already changed that security option on the Macs in your enterprise.

Here's a question for you: how long will it take before your company realizes that Java/Flash in web clients is a terrible idea and you will phase them out?

[gotluck]

Quote:

Originally Posted by FloatingBones

Here's a different perspective: using vendors which continue to use something as broken as Java in web browsers holds the risk of crippling your entire organization. Your company sounds ripe for a spear phishing attack.



If you have proper planning in your organization and have decided that allowing zero-day attacks from Java and Flash is your preferred means of operating, you would have already changed that security option on the Macs in your enterprise.

Here's a question for you: how long will it take before your company realizes that Java/Flash in web clients is a terrible idea and you will phase them out?

Do you have any suggestions on an alternative to Jack Henry for banking systems that does not use java?

We have no macs at our community bank but operations would halt without access to java.

[tbrinkma]

Quote:

Originally Posted by musicpaladin

Um.... blocking exploits should be done at the liberty of the administrators, not by the manufacturer. That's the business's decision to make. Not Apple's. If Apple is serious about continuing to claim to serve the Enterprise market (which they have repeatedly shown more and more that they are completely inept at) then they will cease this practice immediately.

In the business world, when you have several thousand workstations on your network, it is unacceptible and impractical to ask an administrator to manually have to disable a block. And for some businesses, 1-2 hours is too long. What if you are in medicine and your medical database uses a Java based client? Someone could die if you lose access to these records for 1-2 hours.

This would NEVER fly on a Microsoft product. If this is what people will have to expect from Apple, then they will not use their products for the Enterprise.

Apple continues to play God and show an arrogance towards the Enterprise about their needs.

Congratulations. You've just told someone in IT, who has to deal with Microsoft's security practices on a regular basis that *cutting off an actively exploited security vulnerability* is a 'bad' thing. Really?

I've had to clean up after a *number* of 0-day exploits over the course of my career, and would have given my eye teeth to not have had to go through that mess. If you've ever had to deal with completely reimaging 2 dozen Windows boxes, you'll know how much *more* effort that is than undoing this security fix *IF* it actually causes any users a problem.

Might I suggest that you go shopping for a clue?

----------

Quote:

Originally Posted by iMikeT

Actually, I do because I'll have to log into my admin account to install updates and such. The user account I use does not have admin privileges for obvious reasons. Then there's the OCD of rebooting after updates and such from the early days of computing.

You still don't need to reboot. Just switch to your admin account, do the install, and restart Safari when you switch back to your normal account.

[Squilly]

What is with all the exploits lately.... Get it right people!

[JaySoul]

Flash, Flash, why do you crash?

[Saladinos]

This is why Apple have been fighting for a plugin-free web.

It's certainly cost them sales (not having flash and to a lesser extent Java on iOS devices, for example), but it's worth it. I'm glad they didn't take the easy road.

[TheNextBigThing]

Tried to open the download link.
"Your Google Chrome browser already includes Adobe® Flash® Player built-in. Google Chrome will automatically update when new versions of Flash Player are available."

[scaredpoet]

Quote:

Originally Posted by TheNextBigThing

Tried to open the download link.
"Your Google Chrome browser already includes Adobe® Flash® Player built-in. Google Chrome will automatically update when new versions of Flash Player are available."

Yeah, all versions of Chrome come with an internalized Flash instance separate from the OS. So, for someone like autrefois who wants to run an insecure plugin, they can just use Chrome.

Funny how the devs do this for Flash, but continue to take a stand against a real standard like H.264.

Quote:

Originally Posted by autrefois

Apple needs to stop blocking software.

No, people need to stop making users "do actual work" using poor platform choices and insecure software. Flash and Java's times are over. I'm glad Apple is doing this, because it highlights the fact that these plugins need to go.

[a0me]

Quote:

Originally Posted by TheNextBigThing

Tried to open the download link.
"Your Google Chrome browser already includes Adobe® Flash® Player built-in. Google Chrome will automatically update when new versions of Flash Player are available."

Chrome rocks. It just works.

[fullauto]

Urgh get rid of it already.

[Fresh Pie]

Quote:

Originally Posted by JaySoul

Flash, Flash, why do you crash?

My poor keyboard, you make me smash.

[blacktape242]

Quote:

Originally Posted by Fresh Pie

My poor keyboard, you make me smash.

I just want to eat hash....

[Lancer]

Quote:

Originally Posted by JaySoul

Flash, Flash, why do you crash?

Plenty of sites rely on flash to run, no flash no access.

[FloatingBones]

Quote:

Originally Posted by Lancer

Plenty of sites rely on flash to run, no flash no access.

That doesn't really make a lot of sense: you make it sound as if these sites are cast in concrete and cannot change. There are already hundreds of millions of computers that can't run Flash in their browser; what are those sites doing to run on those computers?

Zero-day Flash/Java exploits are coming at alarming frequency. Any website owner still relying on Flash to deliver their content needs to have their head examined.

[Lancer]

Quote:

Originally Posted by FloatingBones

That doesn't really make a lot of sense: you make it sound as if these sites are cast in concrete and cannot change. There are already hundreds of millions of computers that can't run Flash in their browser; what are those sites doing to run on those computers?

Zero-day Flash/Java exploits are coming at alarming frequency. Any website owner still relying on Flash to deliver their content needs to have their head examined.

I'm not saying they can't change I'm just saying what they are now using, it's like cars mostly run on petrol (Gasoline for those in the US) but there are also some that run of diesel it doesn't mean the manufactures are going to all switch to bio-fuels because it is better for the environment. Fact is many sites partly or solely use Java and it's going to take time for them to switch to better code.

[autrefois]

Apple needs to stop blocking software. If they want to display a warning, fine. But for people who rely on their computers to do actual work, it isn't acceptable for them to keep disabling software that many people use and need on a daily basis. Inform people of the vulnerability and give them the option of disabling it.

[ProudLoz]

Quote:

Originally Posted by autrefois

Apple needs to stop blocking software. If they want to display a warning, fine. But for people who rely on their computers to do actual work, it isn't acceptable for them to keep disabling software that many people use and need on a daily basis just because there's a vulnerability out there.

This. Although I wasn't working, I did find it annoying that a lot of the websites I visited that needed the adobe plug-in where completely useless because of this block.