Adobe's security chief praises Apple for Flash-crippling move
Applauds feature in Safari that removes old copies of the popular plug-in
Computerworld - Adobe's head of security yesterday applauded Apple's move to block outdated versions of his company's Flash Player.
"We welcome today's initiative by Apple to encourage Mac users to stay up-to-date," said Brad Arkin, Adobe's senior director of security, products and services, in a post to the company's secure engineering blog.
Arkin was referring to Wednesday's update of Safari, Apple's browser, that patched four vulnerabilities and instituted a new feature that pulls out-of-date copies of Flash Player from the system, forcing users who want to view Flash content to upgrade to the current version of the browser plug-in.
Safari 5.1.7, which runs on OS X Snow Leopard and Lion, as well as on Windows XP, Vista and Windows 7, cripples any copy of Flash older than 10.1.102.64, which shipped in November 2010.
Safari alerts the user, then points him or her to Adobe's download site, where the latest version of Flash Player is available.
"A thank you to the security team at Apple for working with us to help protect our mutual customers," Arkin added.
Arkin's appreciation for Safari's Flash blocking stood in contrast to past disputes between Apple and Adobe over the media player.
In 2010, former Apple CEO Steve Jobs trashed Flash as unsuitable for mobile devices because it was slow, drained batteries and posed security problems.
Weeks earlier, the bickering between the two companies -- sparked by Apple's decision to ban Flash from its iOS platform, including the then-anticipated iPad -- reached new heights when an Adobe evangelist told Apple to "Go screw yourself."
One result of the quarrel came in the fall of 2010, when Apple stopped bundling Flash Player with OS X. Since then, users have had to download and install the plug-in on their own.
Adobe has been putting more effort into keeping Flash up to date, work that Arkin considered critical to protecting users from the regular exploits, many of them used to target individuals in high-profile industries like defense, that appear in the wild.
"The vast majority of users who ever encountered a security problem using Adobe products were attacked via a known vulnerability that was patched in more recent versions of the software," Arkin asserted. "This is why we've invested so much in the Adobe Reader/Acrobat update mechanism introduced in 2010, and more recently in the Flash Player background updater delivered in March."
As Arkin said, Flash Player 11.2 on Windows silently updates the software; a Mac version with the same functionality is now in beta, with a planned final code release between now and June 30.
Adobe has also "sandboxed" Flash Player in Chrome on Windows, and has released a preview of a sandboxed plug-in for Mozilla's Firefox, also on Windows. The company has no intention of sandboxing the browser plug-in for OS X's Safari, however.
Mac users who want to test drive Flash Player 11.3, the version with silent updating, can download it from Adobe's website.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.
- Hands on: Apple's Mac Pro is the fastest Mac ever
- Apple CFO to retire in September after he cashes in $53M stock award
- Apple's CarPlay to spark mobile apps war in your car
- Apple retires Snow Leopard from support, leaves 1 in 5 Macs vulnerable to attacks
- Apple patches critical 'gotofail' bug with Mavericks update
- Why Apple needs a $700 MacBook Air
- Apple takes top spot in brand value computation
- Apple gets a patent for health-monitoring ear buds
- Apple shifts to hardware-first TV strategy with revamped set-top box
- iTunes is almost as big a biz as OEM Windows
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts