Apple patches Safari, blocks outdated Flash Player
Yanks Flash plug-ins older than November 2010 version from browser
Computerworld - Apple on Wednesday patched four security vulnerabilities in Safari and blocked outdated versions of Adobe's Flash Player from running in its browser.
The Flash blocking move was similar to one Apple made last month when it stopped the Java plug-in from launching automatically.
Safari 5.1.7, which runs on OS X 10.6 and 10.7 -- Snow Leopard and Lion, respectively -- as well as on Windows XP, Vista and Windows 7, was released alongside another update for Lion that included a slightly-older version of the browser. Lion users must download and install both updates to push Safari to version 5.1.7.
The four security flaws fixed were the same ones patched Tuesday in iOS 5.1.1 for the iPhone, iPad and iPod Touch. All were labeled as bugs in WebKit, the open-source rendering engine that powers Safari as well as Google's Chrome.
In fact, one of the vulnerabilities was first revealed by a researcher at the "Pwnium" hacking contest Google hosted last March. The researcher, Sergey Glazunov, was awarded $60,000 for pairing the flaw with another bug to bring down Chrome.
Glazunov was credited by Apple with reporting a second WebKit vulnerability, while another was attributed to a pair of engineers on the Chrome security team.
Along with the four patches, Apple also yanked Adobe's Flash Player from Safari if the plug-in was older than version 10.1.102.64, which released in November 2010. Since then, Adobe has shipped Flash Player 11 for the Mac. It has also continued to maintain the older version 10, which now stands at version 10.3.183.19.
"This update disables Adobe Flash Player if it is older than 10.1.102.64 by moving its files to a new directory," Apple's advisory stated Wednesday. "This update presents the option to install an updated version of Flash Player from the Adobe website."
Apple stopped bundling Flash Player with OS X in the fall of 2010, but users have been free to download and install the plug-in on their own. Microsoft last distributed Flash with the nearly-11-year-old Windows XP. Neither Windows Vista or Windows 7 included a preinstalled version of Adobe's software.
Blocking Flash was the second such move by Apple in a month: On April 12, the company issued an OS X update that disabled automatic execution of Java applets by the Java browser plug-in. Apple took the step because of Flashback, a malware family that used a Java vulnerability to infect hundreds of thousands of Macs in a spree that still continues.
"As a security hardening measure, the Java browser plug-in and Java Web Start are deactivated if they are unused for 35 days," Apple said at the time.
Java Web Start is an Oracle technology that lets users single-click launch a Java app from within a browser without first downloading the app to the machine.
And Apple wasn't the only browser maker to recently block Adobe software. On Friday, Mozilla added the Adobe Reader plug-in to its Firefox blocklist, citing compatibility problems that resulted in blank pages appearing when users clicked on a link to a PDF document.
Mozilla maintains a blocklist for extensions or plug-ins that cause significant security or performance issues in Firefox. The browser automatically queries the blocklist and notifies users before disabling the targeted plug-in.
According to Mozilla, it's working with Adobe on a fix to Reader but will keep the plug-in on its blocklist until one is available.
Safari 5.1.7 can be downloaded from Apple's website. Mac users will be notified of the new version automatically by OS X's Software Update, while Windows users already running Safari will be alerted by a separate tool bundled with the browser.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.
- Apple unveils minor bumps to MacBook Pro laptops
- Feds arrest Florida man who allegedly conned Apple out of $309K
- Yosemite's traffic share triples after public beta debuts
- Apple hasn't exhausted its supply of Yosemite betas
- 13 pieces of advice for Yosemite beta testers
- The other Apple economy: $2B in devices on eBay
- Apple sends users scrambling for OS X Yosemite
- Long replacement cycle drags down iPad sales
- Apple unwraps OS X Yosemite public beta Thursday
- Apple grows Mac sales by 18% on the back of the MacBook Air
Read more about Mac OS X in Computerworld's Mac OS X Topic Center.
- Mission Critical: Managing Mobile Applications & Content Smartphones, tablets and other mobile devices have become embedded in enterprise processes, thanks to the consumerization of IT and a new generation of...
- Securing Mobility, From Device to Network At one time, the process of managing and securing mobile devices and applications was fairly straightforward. Most organizations worried about one application (email)...
- Planning for Mobile Success Many organizations are seeing clear and quantifiable benefits from the deployment of mobile technologies that provide access to data and applications any time,...
- The Challenges and Opportunities of Mobile Application Development Nearly all business users now demand mobile devices--their own or company-owned--along with anywhere access to corporate applications and data. What turns mobile devices...
- Keep Servers Up and Running and Attackers in the Dark An SSL/TLS handshake requires at least 10 times more processing power on a server than on the client. SSL renegotiation attacks can readily...
- On Demand: Mastering the Art of Mobile Content Management Mobile device usage in the enterprise has skyrocketed, and it continues to escalate. IT must answer to users who demand access to their... All Mac OS X White Papers | Webcasts
Our new weekly Consumerization of IT newsletter covers a wide range of trends including BYOD, smartphones, tablets, MDM, cloud, social and what it all means for IT. Subscribe now and stay up to date!