Apple Updates Mac OS X 10.5 Leopard with Flashback Removal Tool, Flash Player Disabler

[vohdoun]

Does anyone know if YouTube works without Flash on a Mac? I know it works for iOS. If it works on a Mac, I'm tossing Flash.

Yes. It's not meant to be insulting but I'm shocked that PPC users did not know this.

Safari 5 user? Use this. Been using it for years. http://www.verticalforest.com/youtube5-extension/

Plus if you have a Youtube account, register on the HTML5 beta. http://www.youtube.com/html5

If you want to take it further, Safari Menu > Safari extensions Gallery > Entertainment section > clea.nr Videos for YouTube™ (choose to remove comments, and watch videos with dim lights feature) http://clea.nr/ I love it.

There's not a video I've not come across I cannot watch. Except the ones that are so blocky due to how old they were made before all the HD media. Just poor bitrate.

 

[jonnysods]

Wow, that shows some love to the older OS users. Didn't expect this!

 

[Liquidus]

Downloaded both updates on my Dual G5 (10.5.8) and neither work

Left out again...

 

[Sackvillenb]

Well, I'm somewhat surprised that apple rolled this out for older users, but I'm very glad they did. Seems like they're starting to take security more seriously. Hopefully this trend will continue. Apple will only become a bigger target for security breaches...

 

[iDuel]

Downloaded both updates on my Dual G5 (10.5.8) and neither work

Left out again...

PPC Macs are immune to this malware, thus the flashback remover would have been pointless.

 

[zorinlynx]

There are no Intel Mac that cannot run Snow Leopard. Apple only started deprecating Intel Macs with Lion.

Therefore, there's no reason why these people can't just move to Snow Leopard and thus have the latest updates. Hell, you can get a copy of Snow for almost nothing right now from people who have upgraded to Lion, so there's no excuse.

It would be nice to have security updates for Tiger, since that was the last release to support PowerPC... but how far do you want to go back? If you make this argument Apple would have to support Macs going all the way back to 1984. Hell, ProDOS probably has a few security holes too; let's get patches out for our fifteen remaining Apple II users!

Huzzah!

More importantly, those Intel Mac users still on Leopard.

 

[repoman27]

What about all Mac OS X 10.4 Tiger users? Left in the cold?!

Downloaded both: FlashbackRemovalUpdate.dmg, SecUpd2012-003.dmg

Neither will run on Power PC G5 System running Leopard 10.5.8.

Looks like we're left out again. :\

The Flashback first-stage downloader is a Mach-O binary that has been detected in both 32 and 64-bit versions, but is not Universal. It only runs on Intel, and it also does not appear to be able to run on Tiger.

Tiger and PPC Leopard never had Java SE 6, which is where the security vulnerability has been reported to be. Does Flashback even work on Java 1.4 and/or Java SE 5? Tiger and PPC Leopard may actually have the advantage of security through obsolescence.

Flashback exploits multiple Java vulnerabilities including:

CVE2008-5353 (versions affected: 6 Update 10 and before, 5.0 Update 16 and before, and 1.4.2_18 and before / patched by Java for Mac OS X 10.4 Release 9 and Java for Mac OS X 10.5 Update 4)

CVE2011-3544 (versions affected: 7, and 6 Update 27 and before / Tiger not affected, Leopard vulnerable)

CVE2012-0507 (versions affected: 7 Update 2 and before, 6 Update 30 and before, and 5.0 Update 33 and before / Tiger and Leopard vulnerable)

The good news is that PPC Macs aren't susceptible at all. The bad news is that this has been very poorly documented by Apple.

By my personal reckoning, I'd say that the only meaningful vulnerability hole left to check on would be to see if Intel Macs running Tiger might be susceptible. As per commander.data's post (above), the thing to check on may be to see if Flashback can exploit versions of Java prior to SE 1.6. If the answer's no, then all systems are plugged.

Once again, it would be very helpful for Apple to publish a table of what configurations are/aren't susceptible...and for the susceptible ones, indicate which ones have now been patched.

Dr. Web's analysis of data collected when they were able to sinkhole Flashback's C&C server for a few days did not include any infected machines reporting versions of Mac OS X prior to 10.5.0. While it may be trivial for the authors to recompile the binary to run on Intel Macs under Tiger, the very small number of potential targets would make this event unlikely.

Note that although Apple has provided Flashback removal tools for all affected systems at this time, they did not actually provide updated versions of Java for Leopard with the latest round of security updates. Those vulnerabilities are still present and exposed to future exploits in any browser with Java enabled.

 

[justperry]

Yes. It's not meant to be insulting but I'm shocked that PPC users did not know this.

Safari 5 user? Use this. Been using it for years. http://www.verticalforest.com/youtube5-extension/

Plus if you have a Youtube account, register on the HTML5 beta. http://www.youtube.com/html5

If you want to take it further, Safari Menu > Safari extensions Gallery > Entertainment section > clea.nr Videos for YouTube™ (choose to remove comments, and watch videos with dim lights feature) http://clea.nr/ I love it.

There's not a video I've not come across I cannot watch. Except the ones that are so blocky due to how old they were made before all the HD media. Just poor bitrate.

Thanks for the advice.
There is a problem though, safari Extensions is really Slooooowwwww on my powerbook G4 1.67 Ghz, switching it on doesn't take long but as soon as it's on there's a lot of lag in Safari.
When I am tired of extensions (which is almost always the case) and switch it of there is a lot of paging going on, 100s of thousands of pageouts and it takes 5-10 minutes before I can use Safari again.

There are no Intel Mac that cannot run Snow Leopard. Apple only started deprecating Intel Macs with Lion.

Therefore, there's no reason why these people can't just move to Snow Leopard and thus have the latest updates. Hell, you can get a copy of Snow for almost nothing right now from people who have upgraded to Lion, so there's no excuse.

It would be nice to have security updates for Tiger, since that was the last release to support PowerPC... but how far do you want to go back? If you make this argument Apple would have to support Macs going all the way back to 1984. Hell, ProDOS probably has a few security holes too; let's get patches out for our fifteen remaining Apple II users!

Huzzah!

Nonsense, Leopard is the last version which runs on PPC, I am running 10.5.8 on G4 PPC.


MacRumors (Update article please) and Apple should be more clear that this is NOT for PPC.
But I didn't have problem with it, just didn't show up in Software Update, then I knew.

Edit : How many Leopard users are there, I think there are more PPC on Leopard than on Intel.

 

[faroZ06]

Yes. It's not meant to be insulting but I'm shocked that PPC users did not know this.

Safari 5 user? Use this. Been using it for years. http://www.verticalforest.com/youtube5-extension/

Plus if you have a Youtube account, register on the HTML5 beta. http://www.youtube.com/html5

If you want to take it further, Safari Menu > Safari extensions Gallery > Entertainment section > clea.nr Videos for YouTube™ (choose to remove comments, and watch videos with dim lights feature) http://clea.nr/ I love it.

There's not a video I've not come across I cannot watch. Except the ones that are so blocky due to how old they were made before all the HD media. Just poor bitrate.

Ah, forgot about HTML5. I've actually used it before, and it's kinda bad. I want to be able to watch it in a Quicktime element (or better yet, in Quicktime Player like Click2Flash used to let me do).

 

[Mr. Retrofire]

Some sites like youtube switch to h264 video if flash isn't there.

You mean HTML5 video via WebM (Chrome & Firefox) and MP4 (MSIE & Safari). Flash videos on youtube use already a H.264 stream, AFAIK. WebM files use VP8 streams, and MP4 files use H.264 streams (like many FLV files). Other sites use VP6 streams inside FLV files.

More info & YOUTUBE HTML5 preferences:
http://www.youtube.com/html5
.

----------

There's not a video I've not come across I cannot watch. Except the ones that are so blocky due to how old they were made before all the HD media. Just poor bitrate.

Not just bitrate. Probably a low quality encoder and/or wrong encoding settings.

----------

Well, I'm somewhat surprised that apple rolled this out for older users...

How old are they, the users? ;-)

 

[Northgrove]

Tiger and PPC Leopard never had Java SE 6, which is where the security vulnerability has been reported to be. Does Flashback even work on Java 1.4 and/or Java SE 5? Tiger and PPC Leopard may actually have the advantage of security through obsolescence.

Sorry, it was just a joke. Yes, that's an interesting angle on this. And to be honest, I think Apple is doing the right thing here, since I figure many of those infected belong to those who rarely update, i.e. those still on Leopard.

 

[InuNacho]

Apple should continue to support all older software, Classic, etc because there is a lot of legacy data and wonderful older educational software that has never been ported over to Intel/OSX. Shame on Apple for destroying all that great stuff. It isn't like they lack the resources. Greed is all that holds them back.

I don't understand why anyone would downvote this, the sheer amount of Classic software that never made and never will make the transition is truly heart-wrenching.

I wouldn't call it greed at all. It's very difficult to maintain technologies like that, and when you try to keep perfect backwards compatibility, you end up with something like Windows, which has had the same fundamental win32 API since the early '90s (and it shows).
That said, I wholeheartedly agree that Apple should try to support these platforms for longer.

It's gotten to the point where all the Macs currently on the market should at least be able to emulate a G4 running OS 9. Apple should just sell us an official OS 9 emulator called "Classic Mac" or something on the App Store.

 

[laflores]

What about all Mac OS X 10.4 Tiger users? Left in the cold?!

Yes... But why stop there? What about people running System 7, 8 and 9?? Stupid Apple...

 

[GermanyChris]

You can't get an up-to-date version of Flash Player for a PPC Mac and without Flash content access you may as well toss it in the trash. I know PPC systems can hardly render Flash content but still ....

Yea because I can't watch 720p movies on my G5 through Amazon or Hulu which are flash based

 

[-hh]

Wow, that shows some love to the older OS users. Didn't expect this!

and:

I'm surprised. Usually, Apple doesn't support their older OSs. Leopard is almost 3 behind (with Mountain Lion coming out soon). Even iMessage isn't going to work in Lion..

Frankly, I expected nothing less than continuing support for Leopard.

That Leopard has been superceded by newer OSs twice is irrelevant to my expectations: my expectations are based on the fact that it has still been less than 5 years since Leopard was superceded.

Let us not forget that Apple's published support policy for their hardware is 5 years after it has been discontinued ...

... and let us review the history book: it says that Leopard was superceded by Snow Leopard in Aug 2009 ... and yes, that's less than 3 years ago.

Do you really consider "worse than 3 years" worth of OEM support for an OS to be acceptable to you? I don't.

Yes. It's not meant to be insulting but I'm shocked that PPC users did not know this.

Understood, but blame Apple, because any PPC customer who went to Apple's support pages will find that Apple is silent on it: 1 2 3 4 5

There are no Intel Mac that cannot run Snow Leopard. Apple only started deprecating Intel Macs with Lion.

Therefore, there's no reason why these people can't just move to Snow Leopard and thus have the latest updates. Hell, you can get a copy of Snow for almost nothing right now from people who have upgraded to Lion, so there's no excuse.

Incorrect. What you wrote may be true for a home user, but when it comes to Enterprise customers, the local IT Dept sets policy for what OS versions are approved & supported, and their review and approval of their "Golden Master" version takes time.

For example, my current Windows PC is running VISTA today, because our Corporate IT has not yet approved Win7 for deployment (and Win7 came out before Snow Leopard).

It would be nice to have security updates for Tiger, since that was the last release to support PowerPC... but how far do you want to go back?

A minimum of 5 years since the product was discontinued ... is my expectation. This policy would allign and be consistent with Apple's published hardware support policy of 5 years.

If you make this argument...let's get patches out for our fifteen remaining Apple II users!

Understood, but based on usage stats from last month (April 2012), and until-this-week's-patch-to-Leopard, the percentage of the Macintosh installed base who were unsupported ... for a SECURITY ISSUE ... was as much as 20%.

Ignore 20% of your customers at your own peril.

MacRumors (Update article please) and Apple should be more clear that this is NOT for PPC...

Agreed. The news does need to get out there better for PPC customers.

Edit : How many Leopard users are there, I think there are more PPC on Leopard than on Intel.

Based on the April 2012 Hitslink usage stats (& rounded off):

40% - Lion
40% - Snow Leopard
15% - Leopard
5% - Tiger

Now that Leopard has a patch, the percentage of the customer base that's potentially at risk (after full patch deployment) would be just the 5% on Tiger.

However, what's not evident from these stats is the underlying hardware that the OS is running on, namely PPC vs Intel.

Since the vulnerable remaining machines would be just the "Tiger Intel" Macs, my personal guess would be that "Tiger PPC" Macs probably outnumber "Tiger Intel" Macs by at least 4:1, so it is probably <1% of the installed Mac base which could be the "Tiger Intel" Macs which may be susceptible.

Since patch deployments are rarely 100% anyway, I think that what Apple has done is adequate ... finally.


-hh

 

[repoman27]

Now that Leopard has a patch, the percentage of the customer base that's potentially at risk (after full patch deployment) would be just the 5% on Tiger.

Check my previous post. Apple has not released a "patch" for Leopard.

The Flashback Removal Security Update is not a Java update, Leopard systems are still vulnerable to the same type of exploits.

The known Flashback variants do not run on Tiger, but the key Java vulnerability exploited by Flashback does exist on these systems.

And for those that missed this one too:

Flashback will not run on PPC Macs, nor will the Flashback Removal Security Update.

 

[MagnusVonMagnum]

The best choice is to uninstall the Flash, and install Google Chrome - which has a built-in Flash,
separated from Safari and other browsers. And then, when you need Flash, just launch Google Chrome.

That sounds like a lot of fun. Quit your browser every time you need to use Flash and load up Chrome (If I liked Chrome I'd already be using it).

I like how Apple is disabling functionality in their OS (i.e. turning off the Java plug-in; too bad if you like playing cards on Yahoo Games or something) and then forcing YOU to go out of your way to look up how to turn it back on. How about a freaking SWITCH that asks you whether you WANT it disabled when they run that update rather than just screwing the user over by messing with his system without his permission. Is Apple even AWARE that THERE IS NO NEWER FLASH FOR 10.5!!!! So they kill ALL Flash support if you run that update. Stay the hell away from it! I'm starting to think Apple is the freaking malware.

 

[cjmillsnun]

That sounds like a lot of fun. Quit your browser every time you need to use Flash and load up Chrome (If I liked Chrome I'd already be using it).

I like how Apple is disabling functionality in their OS (i.e. turning off the Java plug-in; too bad if you like playing cards on Yahoo Games or something) and then forcing YOU to go out of your way to look up how to turn it back on. How about a freaking SWITCH that asks you whether you WANT it disabled when they run that update rather than just screwing the user over by messing with his system without his permission. Is Apple even AWARE that THERE IS NO NEWER FLASH FOR 10.5!!!! So they kill ALL Flash support if you run that update. Stay the hell away from it! I'm starting to think Apple is the freaking malware.

Flash is Adobe's responsibilty. If they cannot be bothered to produce a bug free version for a relatively modern OS then that isn't Apple's fault. By disabling a plugin that is buggy and can cause harm to your computer Apple is doing the right thing IMO.

 

[AppleMacFinder]

That sounds like a lot of fun. Quit your browser every time you need to use Flash and load up Chrome (If I liked Chrome I'd already be using it).

I like how Apple is disabling functionality in their OS (i.e. turning off the Java plug-in; too bad if you like playing cards on Yahoo Games or something) and then forcing YOU to go out of your way to look up how to turn it back on. How about a freaking SWITCH that asks you whether you WANT it disabled when they run that update rather than just screwing the user over by messing with his system without his permission. Is Apple even AWARE that THERE IS NO NEWER FLASH FOR 10.5!!!! So they kill ALL Flash support if you run that update. Stay the hell away from it! I'm starting to think Apple is the freaking malware.

Google Chrome's built-in Flash is the latest version.
So, it is possible to use the latest Flash on 10.5 by using Google Chrome.

Flash is becoming obsolete and unnecessary, since nearly all Youtube videos are already converted to HTML5.

 

[vohdoun]

Understood, but blame Apple, because any PPC customer who went to Apple's support pages will find that Apple is silent on it: 1 2 3 4 5

-hh

It was regarding html5 playback, not this malware. Saying that, this has been so late in addressing all this, even if it's for Intel users. This all happened what, months ago? once all the exploits started revealing before this Flashback, thats when I started disabling plugins/java. More or less around the time when the Flash player hack came about for PPC users to view on Facebook and such. Even still, I barely use the plugin(s).

Thats why I thought this was such a good read. http://tenfourfox.blogspot.co.uk/2012/05/security-blanket-blues.html

Apple really isn't proactive at all.

Flash is Adobe's responsibilty. If they cannot be bothered to produce a bug free version for a relatively modern OS then that isn't Apple's fault. By disabling a plugin that is buggy and can cause harm to your computer Apple is doing the right thing IMO.

It is their fault in how long it took to deal with all this.

http://itaideurope.com/2012/04/apples-flashback-problem-worse-then-better/

13th of April? and they're only dealing with disabling plugins now? send the coastguard out once your ship has sunk.

I like how Apple is disabling functionality in their OS (i.e. turning off the Java plug-in; too bad if you like playing cards on Yahoo Games or something) and then forcing YOU to go out of your way to look up how to turn it back on. How about a freaking SWITCH that asks you whether you WANT it disabled when they run that update rather than just screwing the user over by messing with his system without his permission. Is Apple even AWARE that THERE IS NO NEWER FLASH FOR 10.5!!!! So they kill ALL Flash support if you run that update. Stay the hell away from it! I'm starting to think Apple is the freaking malware.

It's a simple check box. Utilities > Java Preferences. There's only one app I use that requires it. 99.9% of the time I keep it off.

 

[Danielo]

Apple should continue to support all older software, Classic, etc because there is a lot of legacy data and wonderful older educational software that has never been ported over to Intel/OSX. Shame on Apple for destroying all that great stuff. It isn't like they lack the resources. Greed is all that holds them back.

It's a shame, that such comments get bad ratings.

 

[MagnusVonMagnum]

Flash is Adobe's responsibilty. If they cannot be bothered to produce a bug free version for a relatively modern OS then that isn't Apple's fault. By disabling a plugin that is buggy and can cause harm to your computer Apple is doing the right thing IMO.

Well, I'd agree with you except that Apple's own tactics to more or less 'encourage' people to upgrade to newer computers and versions of the operating system (so much so that a vast majority has often upgraded within a year of release, at least where possible), it doesn't leave a lot of market for these companies to bother to support older computers and operating system versions. Apple then compounds the problem by removing support for older OS (and PPC) in their development tools, leaving authors with the choice of maintaining two trees, using only old tools or ditching the older systems. Guess which one they often choose?

As for Flash being buggy, I never had any trouble with it on my PPC machine an the idea that malware authors are going to target such a small percentage of the market (PPC), I doubt there's much to worry about there. But having NO Flash at all definitely affects the number of sites you can view or view fully. I'm planning on replacing my PPC server with a new Mac Mini if they'd ever get around to adding USB3 to it, but in the mean time, I still surf a lot on that machine and I'd like sites to continue to function (TenFourFox is at an end for proper support as well so the machine is becoming unusable as time goes on. I'm lucky the latest iTunes version is available and stable on it as several were not stable just on PPC).

I'll say one thing for Microsoft over Apple and that is they continue to support older versions of their operating system. Apple ditched support for Leopard pretty quickly and PPC even more so once Leopard came out (i.e. Snow Leopard wasn't that long in the making and ditched PPC like a bad dream and just when Universal binaries were becoming a very standard sort of thing. My PPC server (upgraded to 1.8GHz) is still very usable even in 2012 so I can imagine a Quad Core would be extremely usable. Sadly, it's Apple that makes the hardware obsolete these days, not the other way around.

Google Chrome's built-in Flash is the latest version.
So, it is possible to use the latest Flash on 10.5 by using Google Chrome.

Well, that'd be nice, but my PPC machine gets support for neither for the reasons outlined above (my MBP is running Snow Leopard and doesn't face these issues at this time).

Flash is becoming obsolete and unnecessary, since nearly all Youtube videos are already converted to HTML5.

If you think YouTube is the only thing that uses Flash, you're sadly mistaken. Some of us do things other than watch YouTube all day long.

 

[nagromme]

I'll say one thing for Microsoft over Apple and that is they continue to support older versions of their operating system. Apple ditched support for Leopard pretty quickly and PPC even more so once Leopard came out (i.e. Snow Leopard wasn't that long in the making and ditched PPC like a bad dream and just when Universal binaries were becoming a very standard sort of thing. My PPC server (upgraded to 1.8GHz) is still very usable even in 2012 so I can imagine a Quad Core would be extremely usable. Sadly, it's Apple that makes the hardware obsolete these days, not the other way around.

I feel your frustration—I too hang on to a PPC Mac (or three) for certain old games and my own legacy projects, and dream of a third-party “rosetta” or other PPC emulation approach some day. (Heck, these days you can still run 680x0 Amiga software, so anything’s possible!) But keep in mind two things:

1. You can’t have Apple’s pace of innovation and improvement AND have legacy support for platforms discontinued years ago. What PC OS company offers both? Microsoft does not. Microsoft does often offer legacy support longer than 6 years (and Apple sometimes does too) but at a severe cost. If Apple followed Microsoft’s model, today’s Mac OS (and Mac OS on your PPC, even) would not be nearly as good.

2. Remember that Microsoft has never faced switching their entire PC OS to an incompatible processor architecture, like PPC-> Intel. That’s not a burden Apple wanted for themselves or for developers or for users; but it simply had to happen. IBM and Motorola dropped the ball, and Intel got its act together. You can’t say Microsoft has handled that kind of transition better, because they've never had to. (In fact, with tech like Universal Binaries and Rosetta, I’d say Apple stepped up to the CPU transition challenge amazingly well.)

 

[MagnusVonMagnum]

1. You can’t have Apple’s pace of innovation and improvement AND have legacy support for platforms discontinued years ago. What PC OS company offers both? Microsoft does not. Microsoft does often offer legacy support longer than 6 years (and Apple sometimes does too) but at a severe cost. If Apple followed Microsoft’s model, today’s Mac OS (and Mac OS on your PPC, even) would not be nearly as good.

I'm not sure I fully buy that argument because Apple is now the most valuable company on the planet. They have cash reserves that would make an entire state jealous. They could easily afford to hire enough people to take care of legacy hardware and software, at least to a REASONABLE point. Dumping all support ENTIRELY out of the development tools is purposely giving those products the kiss of death. How many times have they left features off iOS products to purposely try and 'encourage' you to buy a new one instead of keeping the old one in use? They're greedy, pure and simple.