Apple patches Safari, blocks outdated Flash Player
Yanks Flash plug-ins older than November 2010 version from browser
Computerworld - Apple on Wednesday patched four security vulnerabilities in Safari and blocked outdated versions of Adobe's Flash Player from running in its browser.
The Flash blocking move was similar to one Apple made last month when it stopped the Java plug-in from launching automatically.
Safari 5.1.7, which runs on OS X 10.6 and 10.7 -- Snow Leopard and Lion, respectively -- as well as on Windows XP, Vista and Windows 7, was released alongside another update for Lion that included a slightly-older version of the browser. Lion users must download and install both updates to push Safari to version 5.1.7.
The four security flaws fixed were the same ones patched Tuesday in iOS 5.1.1 for the iPhone, iPad and iPod Touch. All were labeled as bugs in WebKit, the open-source rendering engine that powers Safari as well as Google's Chrome.
In fact, one of the vulnerabilities was first revealed by a researcher at the "Pwnium" hacking contest Google hosted last March. The researcher, Sergey Glazunov, was awarded $60,000 for pairing the flaw with another bug to bring down Chrome.
Glazunov was credited by Apple with reporting a second WebKit vulnerability, while another was attributed to a pair of engineers on the Chrome security team.
Along with the four patches, Apple also yanked Adobe's Flash Player from Safari if the plug-in was older than version 10.1.102.64, which released in November 2010. Since then, Adobe has shipped Flash Player 11 for the Mac. It has also continued to maintain the older version 10, which now stands at version 10.3.183.19.
"This update disables Adobe Flash Player if it is older than 10.1.102.64 by moving its files to a new directory," Apple's advisory stated Wednesday. "This update presents the option to install an updated version of Flash Player from the Adobe website."
Apple stopped bundling Flash Player with OS X in the fall of 2010, but users have been free to download and install the plug-in on their own. Microsoft last distributed Flash with the nearly-11-year-old Windows XP. Neither Windows Vista or Windows 7 included a preinstalled version of Adobe's software.
Blocking Flash was the second such move by Apple in a month: On April 12, the company issued an OS X update that disabled automatic execution of Java applets by the Java browser plug-in. Apple took the step because of Flashback, a malware family that used a Java vulnerability to infect hundreds of thousands of Macs in a spree that still continues.
"As a security hardening measure, the Java browser plug-in and Java Web Start are deactivated if they are unused for 35 days," Apple said at the time.
Java Web Start is an Oracle technology that lets users single-click launch a Java app from within a browser without first downloading the app to the machine.
And Apple wasn't the only browser maker to recently block Adobe software. On Friday, Mozilla added the Adobe Reader plug-in to its Firefox blocklist, citing compatibility problems that resulted in blank pages appearing when users clicked on a link to a PDF document.
Mozilla maintains a blocklist for extensions or plug-ins that cause significant security or performance issues in Firefox. The browser automatically queries the blocklist and notifies users before disabling the targeted plug-in.
According to Mozilla, it's working with Adobe on a fix to Reader but will keep the plug-in on its blocklist until one is available.
Safari 5.1.7 can be downloaded from Apple's website. Mac users will be notified of the new version automatically by OS X's Software Update, while Windows users already running Safari will be alerted by a separate tool bundled with the browser.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is email@example.com.
- Apple hands stock worth $12.1M to top execs in retention deal
- Hands on: Apple's Mac Pro is the fastest Mac ever
- Apple CFO to retire in September after he cashes in $53M stock award
- Apple's CarPlay to spark mobile apps war in your car
- Apple retires Snow Leopard from support, leaves 1 in 5 Macs vulnerable to attacks
- Apple patches critical 'gotofail' bug with Mavericks update
- Why Apple needs a $700 MacBook Air
- Apple takes top spot in brand value computation
- Apple gets a patent for health-monitoring ear buds
- Apple shifts to hardware-first TV strategy with revamped set-top box
Read more about Mac OS X in Computerworld's Mac OS X Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
Red Hat Enterprise Linux - The Original Cloud Operating System
Linux adoption is growing against a number of measures, such as the
number of supercomputers that run Linux and the size of the contributing...
- OpenStack Hype vs. Reality: CIO Quick Pulse Open-source architecture can enable IT departments to build infrastructure-as-a-service (IaaS) clouds running on standard hardware.
- Building a Bridge to the Next Generation Data Center Selecting a widely adopted operating system is a foundational component of a standardization strategy.
- OpenStack and Red Hat: IDC White paper Most OpenStack deployments are by public cloud providers that are early adopters of technology and use OpenStack in a do-it-yourself deployment and support...
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Mac OS X White Papers | Webcasts