Adobe Releases Flash Player Update to Patch Security Holes as Apple Blocks Earlier Versions

[FloatingBones]

Quote:

Originally Posted by autrefois

Apple needs to stop blocking software. If they want to display a warning, fine. But for people who rely on their computers to do actual work, it isn't acceptable for them to keep disabling software that many people use and need on a daily basis. Inform people of the vulnerability and give them the option of disabling it.

A quick search on the Apple support communities apparently points to a way to do this:

Quote:

Going into System Preferences and Security, clicking the lock icon to change settings (enter password) and unchecking the 'Automatically update safe downloads list' prevents the file from getting rebuilt. This isn't the safest bet for people who are not the safest of computer users, but it does the trick.

It's under the Advanced options in the general tab of Security and Privacy.

Sounds like a bad idea to me, but feel free...

Quote:

Originally Posted by AppleScruff1

If Apple says you don't need flash, you don't need it. Even if you do.

Not exactly. Apple allows the malware-checking software to be turned off. Even if there are outstanding malware issues with the current version of Flash, you can still run it.

Adobe has dropped support for Flash on mobile devices. From Apple alone, there are over 100 million iPad sold -- over 410 million iOS devices with Flash-free browsing in total. If there are still website owners who are relying on Java/Flash in order for their website to run, they are well behind the times. If users have any outrage, they should be venting it against the sites that are still relying on these obsolete web browser plug-ins.

You may also vent some of your rage to Adobe and Oracle for failing to deliver safe software.

[AppleScruff1]

If Apple says you don't need flash, you don't need it. Even if you do.

[iMikeT]

Quote:

Originally Posted by MyNameIsDave

You don't need to reboot your iMac because of this, you just need to restart Safari after upgrading Flash.

Actually, I do because I'll have to log into my admin account to install updates and such. The user account I use does not have admin privileges for obvious reasons. Then there's the OCD of rebooting after updates and such from the early days of computing.

[HenryDJP]

Quote:

Originally Posted by GenesisST

Tired of people on their high horses... (In response to all the "Why does anybody uses Flash anymore...")

I have a 7 year old that likes some little games, which happen to run on flash, once in a while.

Also, I like Bluray, occasionally buy a CD and actual books! It is "iTouch" and not iPod Touch and the galaxy is kind of an iPad...

There! Must have annoyed a good deal of nerds here, so we're even now...

I can now relax...

(That wasn't trolling, just venting... )

Which was really unnecessary because Apple didn't block the recent Flash update, they blocked the older version. You're kids can still play their little games just fine.

[scifiman]

Quote:

Originally Posted by pmhparis

it has it's own problems but the fact that few people have it installed has made it a less visible target. Ask yourself this: Do you really need Silverlight? The answer is extremely rarely yes so why augment the ways you can be remotely hacked.

You do for netflix :/

[ksgant]

Quote:

Originally Posted by autrefois

Apple needs to stop blocking software. If they want to display a warning, fine. But for people who rely on their computers to do actual work, it isn't acceptable for them to keep disabling software that many people use and need on a daily basis. Inform people of the vulnerability and give them the option of disabling it.

Or, you know, you can just keep using your computer without any knowledge that Apple even did this.

I honestly didn't know they had blocked flash because I was merrily chugging right along with Chrome...which has it's own internal Flash-player that's updated all the time (and was already updated by the time I even heard about all this). I don't have Flash normally loaded, so on the very rare occasions that I use Safari, it wouldn't see a Flash plug-in anyway.

But anyway, my point is that their blocking won't totally stop people from using their computers and working around it. Just as the Java block didn't stop me from working, and I use Java all the time.

[blackhand1001]

Apple needs to stop blocking java and flash. I have been getting calls left and right that people can't use certain websites for their jobs.

[SeaFox]

Quote:

Originally Posted by scaredpoet

Quote:

No, people need to stop making users "do actual work" using poor platform choices and insecure software.

What a stupid response.

1. People usually don't get a choice in what they have to work with. Or do you often tell your boss that you can't use the company's software because it has Flash and he's hunky-dorry with that reason?
2. Why do you think it's okay for Apple to randomly turn off functionality from one day to the next, regardless of what the functionality may be tied to, with no user input? WHOSE COMPUTER IS IT?

[sulliweb]

If Macs are so secure, with so few, if any, ways to exploit them, what's Apple's deal with blocking Java and Flash?

Not trying to stir up anything, but that's always the cry of the true fanboys is that Macs are impervious to that stuff, isn't it? If that's the case, what's the problem?

Again, not trying to stir anything up, just trying to understand. This seems more like a vendetta against companies than a true need to block software. Or am I missing something? (As that is always a possibility.)

Just a respectfully asked question.

[FloatingBones]

Quote:

Originally Posted by sulliweb

If Macs are so secure, with so few, if any, ways to exploit them, what's Apple's deal with blocking Java and Flash?

That's simple. Java and Flash in browsers are the primary vector for malware into Macs. Blocking versions of Flash/Java known to have vulnerabilities helps keep Macs secure. It also encourages decision-makers to eliminate Flash and Java code from their servers.

Quote:

Again, not trying to stir anything up, just trying to understand. This seems more like a vendetta against companies than a true need to block software. Or am I missing something? (As that is always a possibility.)

You're definitely missing something.

You also missed something else in this discussion: Apple allows a way to override their malware checking. Look at my earlier message in the discussion.

Quote:

Originally Posted by SeaFox

People usually don't get a choice in what they have to work with. Or do you often tell your boss that you can't use the company's software because it has Flash and he's hunky-dorry with that reason?

Employers have a responsibility to provide a safe workplace. Individual workers have a responsibility to report hazards in the workplace. That now includes hazards in the e-workplace.

Quote:

Why do you think it's okay for Apple to randomly turn off functionality from one day to the next, regardless of what the functionality may be tied to, with no user input? WHOSE COMPUTER IS IT?

1. They don't randomly turn off Flash/Java. They turn off old versions when a threat in the wild has been identified.
2. It is your computer; you just don't understand it. Apple allows users to override their malware checking and disabling of Flash/Java.
   
   Preferences -> Security and Privacy -> [Enter password to unlock] -> Advanced -> Uncheck "Automatically update safe downloads list"

[John.B]

Quote:

Originally Posted by blackhand1001

Apple needs to stop blocking java and flash. I have been getting calls left and right that people can't use certain websites for their jobs.

Then tell the "people" (no, I'm sure you aren't making them up) to upgrade to the current version of Flash. Firefox disables old versions of Flash too.

Quote:

Originally Posted by sulliweb

If Macs are so secure, with so few, if any, ways to exploit them, what's Apple's deal with blocking Java and Flash?

Not trying to stir up anything...

Again, not trying to stir anything up...

Just a respectfully asked question.

The only thing that seems to make a Mac insecure is Java or Flash (or PDFs if you don't use the built-in PDF engine). Because, by design, Java or Flash are given the proverbial keys to the kingdom. Java hacks almost universally take advantage of vulnerabilities in Java's own sandbox.

The way to fix that is to enforce mandatory sand-boxing on all applications at the OSX level, but today's hysterics are nothing compared to the wailing you'll see if that ever happens.

[Yamcha]

Millions of website still rely on Adobe Flash. I don't have a problem with abandoning flash, but at this time there are still big websites that rely on Adobe Flash.

Youtube is one of them, the HTML5 version is still not in the final stages, and has lots of issues, so I'm forced to use Adobe Flash in that case..

[John.B]

Quote:

Originally Posted by Yamcha

Millions of website still rely on Adobe Flash. I don't have a problem with abandoning flash, but at this time there are still big websites that rely on Adobe Flash.

Youtube is one of them, the HTML5 trial is still not in the final stages, and has lots of issues, so I'm forced to use Adobe Flash in that case..

Only older, vulnerable versions of Adobe Flash stopped working.

The fix was to update to the current version.

[FloatingBones]

Quote:

Originally Posted by Yamcha

Millions of website still rely on Adobe Flash. I don't have a problem with abandoning flash, but at this time there are still big websites that rely on Adobe Flash.

Attacks by malware are a major security threat for our country, and Flash/Java are a major vector for malware.

Exactly what is it going to take for those companies hosting those websites to get a clue they should stop relying on Flash/Java?

Quote:

Youtube is one of them, the HTML5 version is still not in the final stages, and has lots of issues, so I'm forced to use Adobe Flash in that case..

Exactly. What is taking Google so long? It's getting to the point that their relying on Flash is rather ... unpatriotic.

[musicpaladin]

Quote:

Originally Posted by fahlman

You must not be an administrator in the enterprise or you would know that no administrator does anything to thousands of computers manually.

Also, Apple did not block Flash until there was a updated version with this security hole closed.

Excuse me. I am one of the administrators (though not of as many systems as that) of a network which is mixed Mac/Windows network. Apple's enterprise system management leaves MUCH to be desired especially in a mixed environment. It is much easier and more trivial to push out a group policy than one of these commands. It would help if Apple's AD integration worked halfway decently.

Apple DID block Java before their update was released and that's a bigger problem. That's what I was referring to. I agree that it's okay to block something that is being exploited IF a patch has ALREADY been released for a period of time to allow it to be thoroughly tested and pushed out. But this "oh noes theres an exploit!" and then blocking it UNTIL Java releases an update is just not realistic in a working environment.

----------

Quote:

Originally Posted by HenryDJP

Are you serious? . OMG. I.T departments (although would love to have reasons to keep their jobs) want as little to do with cleanups of company computers as possible. I know this first hand.

Of course this would never fly on a "Microsoft Product", that's why hackers love to target Windows, because they KNOW Windows over the years has had serious security holes and rather than attempting to block hackers Microsoft has just patched holes. That helps no one.

Funny though, reports last year said Apple's care for security on their systems had dropped. Now they are analyzing software that's trying to be installed on their systems that may/will compromise the user's security/privacy, they find the flaw and then block it. If you find this is poor business then do away with your Macs and stay on Windows since Microsoft does what you want them to do.

We don't want to be cleaning up computers, but we also don't want apple flipping a switch and instantly rendering the tools that we use on a day to day basis instantly inoperable indefinitely while there is no update available to patch the hole. Users (at least the ones that work for us) are far more irritated when the whole organization can't do their day to day job than individual isolated computers being compromised.

Disabling third party software such as Java is not increasing security. It's called crippling someone else's system.

I say again: suppose a company uses a java based tool. Apple flips a switch and makes it useless. What would you tell them?

[FloatingBones]

Quote:

Originally Posted by musicpaladin

Um.... blocking exploits should be done at the liberty of the administrators, not by the manufacturer. That's the business's decision to make. Not Apple's. If Apple is serious about continuing to claim to serve the Enterprise market (which they have repeatedly shown more and more that they are completely inept at) then they will cease this practice immediately.

Um... Apple does allow the administrators to turn off the malware-blocking options if they choose to do that. The checking is turned on by default, and that's definitely the right decision.

Did you do any research before making this post? It took me about 2 minutes to find the checkbox.

Quote:

In the business world, when you have several thousand workstations on your network, it is unacceptible and impractical to ask an administrator to manually have to disable a block.

This option has been in OS X for several years. If admins wish to override the default [safe] behavior, they should have already done it a long time ago.

Quote:

And for some businesses, 1-2 hours is too long. What if you are in medicine and your medical database uses a Java based client? Someone could die if you lose access to these records for 1-2 hours.

WTF would someone need to use Java code in the client browser in order to access a medical database? This hypothetical is also a FAIL.

Quote:

This would NEVER fly on a Microsoft product.

What exactly is the "this" you're talking about? Why do you presume that some company couldn't override the malware option if they chose to do that?

Quote:

If this is what people will have to expect from Apple, then they will not use their products for the Enterprise.

Your message makes no sense. Your "this" is based on misconceptions and failed hypotheticals.

Quote:

Apple continues to play God and show an arrogance towards the Enterprise about their needs.

How, exactly? Any personal user who wishes to can override the option. And any enterprise that wishes could also override that option enterprise-wide. Simple.

Your complaints are groundless.

Quote:

Originally Posted by musicpaladin

We don't want to be cleaning up computers, but we also don't want apple flipping a switch and instantly rendering the tools that we use on a day to day basis instantly inoperable indefinitely while there is no update available to patch the hole.

Then you have an obvious choice: disable Apple's real-time updating of the malware database.

Quote:

Users (at least the ones that work for us) are far more irritated when the whole organization can't do their day to day job than individual isolated computers being compromised.

Then the answer is simple. Override the default, and make your Macs more promiscuous.

Quote:

Disabling third party software such as Java is not increasing security. It's called crippling someone else's system.

Here's a different perspective: using vendors which continue to use something as broken as Java in web browsers holds the risk of crippling your entire organization. Your company sounds ripe for a spear phishing attack.

Quote:

I say again: suppose a company uses a java based tool. Apple flips a switch and makes it useless. What would you tell them?

If you have proper planning in your organization and have decided that allowing zero-day attacks from Java and Flash is your preferred means of operating, you would have already changed that security option on the Macs in your enterprise.

Here's a question for you: how long will it take before your company realizes that Java/Flash in web clients is a terrible idea and you will phase them out?

[GenesisST]

Quote:

Originally Posted by HenryDJP

Which was really unnecessary because Apple didn't block the recent Flash update, they blocked the older version. You're kids can still play their little games just fine.

I was not complaining about Apple's blocking of older version, which is fair. I was complaining about the smug comments of some of members like "who uses flash anymore".

It seems that in every thread like this one, there's a smug comment like that. :-)

[Jessica Lares]

I haven't even used Flash in the last year to even notice that they were blocking it.

[nagromme]

Quote:

Originally Posted by autrefois

It is the consumer's responsibility to make sure their computer is safe. Popping up a warning before running it would be more than sufficient.

Obviously not, as Windows has shown.

And if your workplace depends on Flash (?) and wants a browser that has leaves security holes open, then a) they may need to rethink some things and b) they can just use a different browser, and their IT staff is surely trained enough to know Chrome exists. They also should know about Apple's security setting they can uncheck for this... as well as why they should leave it turned on.

Apple DOES leave you with options after all... use Safari if you want security and stability above all. Use something else if you want Flash web pages without having to live under the fear that one day it might stop working temporarily until Adobe issues a fix (even though that dire problem didn't even happen today).



As for who uses Flash? Anyone who wants to deploy high-end interactive content cost-effectively and reliably. I work in Flash all the time because there often is no viable alternative. I use HTML5/JavaScript when possible, to reach mobile, but it just can't be used all the time. HTML5/Javascript CAN be an alternative, but for complex stuff it's either far more time-consuming and expensive, or else simply can't reach as many people. Those are real-world problems with no easy fix, so Flash is here to stay, for now. (And yes, for silly LOW-end stuff like ads as well. But that's not the lasting strength of Flash.) Flash is dying, even on the desktop, but not quickly.

[HenryDJP]

Quote:

Originally Posted by GenesisST

I was not complaining about Apple's blocking of older version, which is fair. I was complaining about the smug comments of some of members like "who uses flash anymore".

It seems that in every thread like this one, there's a smug comment like that. :-)

Well I agree with you wholeheartedly and my apologies for misunderstanding you. Before Flash took off all that was used for media streaming was Windows Media Player and it ran terribly on the Mac, of course MS made sure of that. . When Flash came around and started becoming the norm I highly welcomed it and I still do. It is quite a resource hog but I am far from trashing it as others seem to.

[FloatingBones]

Quote:

Originally Posted by musicpaladin

I say again: suppose a company uses a java based tool. Apple flips a switch and makes it useless. What would you tell them?

If some company has a mission-critical app that uses Java or Flash in the browser, they already know how to:

1. Use Chrome to get access to Flash/Java
2. Override Apple's real-time checking for malware.

Since I presume the [hypothetical] company has competent admins, I don't have to tell them anything at all.

You can say it as many times as you like; it's impossible for Apple to "flip a switch" that makes some app inaccessible. They allow computer owners to control their machines. You have a poor grasp of the issue; your hypothetical makes absolutely no sense.

[runebinder]

Quote:

Originally Posted by iMikeT

Actually, I do because I'll have to log into my admin account to install updates and such. The user account I use does not have admin privileges for obvious reasons. Then there's the OCD of rebooting after updates and such from the early days of computing.

First off you do not have to reboot to log into an admin account, you could either log out of the account you are in or do user switching.

Secondly you can still give installers admin rights when you're in a standard account, when it asks for a name and password enter the admin account details, update will proceed as normal.

Finally there is no need to restart after an update unless a message appears telling you to restart in order to finalise the install.

[HenryDJP]

Quote:

Originally Posted by musicpaladin

[/COLOR]

We don't want to be cleaning up computers, but we also don't want apple flipping a switch and instantly rendering the tools that we use on a day to day basis instantly inoperable indefinitely while there is no update available to patch the hole. Users (at least the ones that work for us) are far more irritated when the whole organization can't do their day to day job than individual isolated computers being compromised.

Disabling third party software such as Java is not increasing security. It's called crippling someone else's system.

I say again: suppose a company uses a java based tool. Apple flips a switch and makes it useless. What would you tell them?

Apple can't just "Flip a Switch". It's not like they can do it behind your back. A software update is required and they do provide the notes on what the software update is about and what it will do before you attempt to install. Couple that with you having the option to install what you want. For example, if your I.T. department sees a multiple software update for OS X ML which includes, Safari, OS X, Flash and the like. If systems are working fine then there's no reason to hit the software update button. If your I.T. department doesn't read the docs before allowing a software update then they are not doing their job. Plain and simple.

[FloatingBones]

Quote:

Originally Posted by HenryDJP

Apple can't just "Flip a Switch". It's not like they can do it behind your back. A software update is required and they do provide the notes on what the software update is about and what it will do before you attempt to install.

Actually, Apple is installing the updated plist file on the fly with no approval or install procedure by the customer. It is not like a software update!

That said, the "flip a switch" claim is still wrong: you can turn off the entire malware-list updating procedure. Apple will allow you to run your Macs without a net if you wish...

[blacktape242]

Quote:

Originally Posted by Fresh Pie

My poor keyboard, you make me smash.

I just want to eat hash....