Adobe Patches Another Critical Flash Security Flaw


Adobe released a new security update for its Flash Player on Wednesday, only a week after rolling out its last security fix. This latest update, Flash Player 10.3.181.26, addresses a flaw that could allow attackers to take control of victims’ computers, and is apparently already being exploited by attackers in the wild.

[Image caption: Flash Player security update. Again.]

According to Adobe:

This memory corruption vulnerability (CVE-2011-2110) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild in targeted attacks via malicious Web pages.

The flaw is present in Flash Player for the Mac, Windows, Linux, Solaris and Android. It does not, however, impact the Authplay.dll component in Acrobat X and Adobe Reader.

Adobe is recommending all users upgrade to Flash Player 10.3.181.26, and that Android users upgrade to Flash Player 10.3.185.24.

The updates are free and available for download at the Adobe Web site.


39 Comments

Jmp

And people wonder why Apple doesn’t like Flash. You can polish a turd, but it’s still a turd! Long live HTML5.

Nemo

Will TMO allow us to start a betting pool, for bragging rights only, as to when Adobe will issue its next security patch? I’m betting that it will be within the next six weeks from today.

John Martellaro

I won’t have to worry about this update. Flash is no longer installed on my iMac.

Lee Dronick

Perhaps it is time for them to let someone else create a Flash player.

Dirt Road

Two words: Flash blocker.

RonMacGuy

I can’t wait for my daughters to outgrow Webkinz!!  Then I can delete Flash forever!!

furbies

<troll>

Hey Bosco

No retort yet about the wonders of Flash ?

</troll>

Lee Dronick

I can’t wait for my daughters to outgrow Webkinz!! Then I can delete Flash forever!!

I can’t wait for my wife to outgrow that jigsaw puzzle she plays, then I can delete Flash.

Bosco (Brad Hutchings)

Haters gonna hate. John, there are more original windmills to mount. Maybe we should have a bet… I’ll bet you reinstall Flash before I give another penny to Apple (unless Steve Jobs leaves the company).

Anyway, since my fans here want to know about the wonders of Flash… This week, I’m working on a proposal for closed captioned longish (60 - 90 minute) web videos for disabled customer access. It’s a tougher problem than just throwing the videos up on YouTube and getting hilarious machine translated karaoke.

There is customizable out-of-the-box almost ready to deploy captioning software in both Flash and HTML5/JavaScript, so that’s not a big cost. With Flash, we could get a more consistent user experience across the range of browsers, browser versions, and devices, but that apparently doesn’t count for much with the trendsetters like you guys these days. The big real cost imposed by Apple’s ban on Flash for iPad and citizens like John doing the righteous thing by banning Flash from their desktops turns out to be storage. We’ll go the HTML5/JavaScript route and need to store 4 or 5 versions of the video. Call that 2 or 3 GB when 500 MB would do with an all-Flash solution. We’re serving the video, so if you know the typical limitations of leased server contracts, you’d know that 500 GB is a common disk size on a physical dedicated box that leases for several hundred $ per month. So we might get 150 - 200 of these videos per box instead of 1000+. Imagine how the cost scales as one creates whole libraries of these videos for everyone including the disabled to access.

We’re all getting older, and cheaper access to high quality captioned video becomes more valuable with each day. So when you guys go out on your anti-Flash jihad, to paraphrase Kanye in the aftermath of Katrina, you hate disabled people.

ilikeimac

I learned yesterday, via this discussion, that Flash in Chrome does not reside in Chrome’s sandboxes, but instead is global to all tabs and talks directly to the OS, and this is because of the technical limitations (“characteristics” if you want a less loaded word) of the Flash plugin provided by Adobe, not because Google wouldn’t like to sandbox it.

Anyway, just makes me all the more scared of Flash security holes, since they intrinsically bypass even the vaunted Chrome browser’s security.

Update: In fairness, it sounds like “standard” browser plugins have historically always been able to talk directly to the OS and therefore Chrome’s plugin architecture doesn’t attempt to sandbox any of them. So Java and other plugins are just as much a liability when they have security holes.

RonMacGuy

I so love great irony. Bosco is using a disabled application to support disabled customer access.

Bosco (Brad Hutchings)

I agree Ron. The highly fragmented HTML5 video “standard” is quite disabled compared to the simplicity and consistency of using a Flash container for interactive video.

RonMacGuy

Whoops, I guess I should have read more than Brad’s first two paragraphs!!  My mistake!!

BTW Brad, your conclusion is cute.  I hardly think people are on an anti-flash jihad.  All Adobe has to do is fix flash and Apple will allow it on their devices.  That simple.  All we do when these “Adobe Patches Another Critical Flash Security Flaw” headlines come out is simply point out that Adobe has a lot of work to do to meet the standards that Apple imposes.  I, as you, and especially my daughters, look forward to the day when they are capable of doing so.  You should be more angry at Adobe than you are at us or Apple…

Bosco (Brad Hutchings)

All Adobe has to do is fix flash and Apple will allow it on their devices. That simple.

You misunderstand the term in the developer agreement about software not running scripts downloaded from the Internet. The Flash ban is about protecting the App Store revenue stream. Period.

RonMacGuy

The Flash ban is about protecting the App Store revenue stream. Period.

You forgot to put “In my opinion” after your comment.  That’s OK, I am putting it in for you.

In my opinion, it’s two “Critical Flash Security Flaw” patches within a week of each other, along with poor performance and reduced battery life, causing the ban.

Lee Dronick

In my opinion, it’s two “Critical Flash Security Flaw” patches within a week of each other, along with poor performance and reduced battery life, causing the ban.

To be fair, Apple is updating the Safe Download definition several times a week. However, that is much less a security threat than Flash. What is Adobe doing, duct taping a leaky Flash player over and over? Maybe it is time to throw it out and rewrite it from scratch.

Bosco (Brad Hutchings)

What is Adobe doing, duct taping a leaky Flash player over and over? Maybe it is time to throw it out and rewrite it from scratch.

They’re doing the same thing Apple does to Safari, Google does to Chrome, Apple does to iTunes, and Apple does to the core Mac OS. They get a report of an exploit or even discover a hypothetical one, they investigate, fix, and test. Any software with as many source lines of code as any of the projects mentioned above is going to have exploits—real and hypothetical—in the code. Coupled with a wide audience, security becomes a process, not a status. If you don’t understand that about software like this, you’re just urinating up a rope.

John Martellaro

Bosco: the process you just described above is correct.  Adobe sees it as their job to fix the security problems.  Issue a fix, and sit back.  Job well done.

However, one also has to consider customer perceptions.  OS X is essential, but is Adobe Flash?  Is the payoff worth the continuous updates? Do we respect Adobe’s approach and customer support? DO we *believe* in the product and the company?

In this circle, appearance is everything. Adobe fails. In my opinion.

Bosco (Brad Hutchings)

@John: At least you admit it’s a battle of FUD. Honesty points for that.

So, back to my little project. Today, I modified some Flash code for a proof of concept. Even though we won’t deploy with it, I’ll have it on the table as an option that can be provided. Guess what? It works on all the browsers I tested it on, including my Nexus One phone. That was very quick work this morning.

Then I have spent the rest of the day trying to figure out why a JavaScript solution works on everything but the iPad. This solution uses the very, very popular Mootools to alter a little bit of the page’s HTML5 to give us a place to show subtitles. You can try it here if you like with a desktop browser. Note that I’m working on it, so it might be in a state where it doesn’t subtitle when you try it. And a week from now, it might not be there.

I wonder what I should think of the iPad’s browser from my day spent trying to make this work. Is it just totally borked? Safari on the Mac indicates no HTML or Javascript or CSS issues with the page at any point in the loading/playing/done cycle.

And still, the fact that I can’t deploy Flash there for this purpose tells me that Apple and those of you who so passionately support their decision pretty much hate disabled people. I’d rather have this done and deployed and actually helping people rather than racking up billed hours. There are more interesting and cutting edge things on my plate to get paid for.

Bosco (Brad Hutchings)

@RonMacGuy: Why won’t Apple allow third party browsers that download scripts or incorporate plugins that download scripts from the Internet?

Why would Apple reject an app made by Adobe, Google, or Firefox which incorporated Flash and was an optional install for users?

I’m trying to understand just how over-protective Apple is of users’ security, as you claim my opinion that Apple is just protecting the App Store revenue stream is incorrect. Enlighten me.

RonMacGuy

I never claimed your opinion was wrong, just that it was your opinion.  You act like you know Apple’s full intentions when you don’t.  You may be right to some extent, and I/we may be right to some extent.  This is not as black and white as you imply.

“Why would Apple reject an app made by Adobe, Google, or Firefox which incorporated Flash and was an optional install for users?”

Umm, because it sucks.  That’s an easy one.  Because allowing it to run on an iPhone will lessen the iPhone experience, be it bugginess or speed or potential for malware or battery issues or whatever.

My brother-in-law just bought android phones.  Not sure what model - don’t really care.  He bought for himself, his wife, and my wife’s parents (family plan).  After a week, I asked what he thought of it.  He said it was great, except for battery life.  Wife’s father was more upset - he couldn’t believe that a brand new phone couldn’t keep a charge for the entire day, even with very little use.  What was draining it so quickly?  Flash?  Wifi?  Bluetooth?  No clue, and again, don’t really care.  But it made me chuckle.  Yet another poor experience with an android phone.

Point is, your opinion is fine, given your hatred and suspicion of Apple.  But it is just an opinion.  And you know what they say about opinions…

Bosco (Brad Hutchings)

Ron, here is the funny thing. I don’t really care about Apple’s intentions. I just look at the practical effects. Just like I don’t care about Flash haters’ intentions. I just know that one of the practical effects is quite consistent with them hating disabled people, and I think that’s unfortunate. Now that the consistency is brought to your attention, I am waiting to see if it moderates or even adds some nuance to your strongly held views.

While we’re telling stories of people who bought things… I needed to actually debug on an iPad yesterday—you know, because its HTML and JavaScript doesn’t work like even desktop Safari—so I called a buddy whose recent college grad daughter has one. She was really helpful and I found the crux of the issue quickly. Took all day to work around it, but anyway. She asked me why I didn’t have an iPad and I told her I just object to being in that locked up of an ecosystem. She admitted to having jailbroken her iPad once with an untethered web site (!!!!) jailbreak. Used it for awhile, but some things didn’t work, and she took it to the Apple Store and had them restore it. That really made my day.

But what’s so important about an untethered website jailbreak? It shoots a giant hole through the notion that Apple writes code that’s any more secure than anyone else’s. The same jailbreak exploit could be used by a website you get tricked to visit to steal all of your information. These jailbreak exploits have sat unpatched in iOS for months at a time. Meanwhile, people like John who should know better get freaked out at the rapidity of Flash security patches.

furbies

I just know that one of the practical effects is quite consistent with them hating disabled people

Bosco

I’m disabled, and I don’t believe Apple or anyone commenting here hates me because of it.

(I suffer from both a musculoskeletal disorder & Eye/vision problems)

Bosco (Brad Hutchings)

I’m disabled, and I don’t believe Apple or anyone commenting here hates me because of it.

Right. They don’t hate you. They just act in a way that significantly increases costs for those who are going out of their way to help you, which has the same results as just hating you. The added costs and complexity makes helping you a tougher sell to those who have to pay for it.

Flash is a consistent, cross platform container for delivering rich audio and visual information. That richness can be used to easily augment the A/V to provide additional tools and accessibility to those with disabilities. And since it is a mature, cross-platform technology, these features can usually be implemented once and be expected to work. HTML5/JavaScript is just the opposite. Implement it and expect to have to tweak it for each browser, and then try to figure out what the hell you’re gonna do about IE users on XP, who will never see IE 9.

I’d ask Ron again… Don’t you think that people with disabilities ought to be “allowed” by the all knowing Apple to choose a web browser for the iOS devices they purchased from Apple that will let them take advantage of technologies and media presentations that are more accessible to them? Or must developers who are trying to help these users pay an Apple tax on development to implement an app where an app is not needed?

RonMacGuy

Cry me a river, Bosco. I am sure there are hundreds of developers developing apps for the disabled on iOS that have no problem working within the confines of Apple’s restrictions. Maybe you’re just not good enough to do so. But don’t blame the restrictions that keep our walled garden safe.

I could easily argue that by keeping flash off iOS Apple is helping the abled and disabled alike by providing a safe environment free of flaws “that could allow attackers to control victim’s computers” (as stated above). I think tens of millions of both the abled and disabled who use iOS appreciate Apple more for this than they miss anything that you may be doing to help a relatively few number of people.

According to Adobe: “This memory corruption vulnerability (CVE-2011-2110) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild in targeted attacks via malicious Web pages.” This sounds pretty nasty, and maybe computer geniuses like you can easily avoid or deal with this once it happens, but the average person cannot, and should not have to.

So no, Bad News Bosco, I don’t think people with disabilities ought to be allowed to choose a something that Apple deems unnecessary and dangerous on their devices. They can choose to still use Apple products, or to go use android. There are plenty of iOS-friendly disability-supported activities that help them within the current confines. Apple alone has many features within iOS that help - see Apple Disability Link.

RonMacGuy

Frankly Bosco, your entire argument is pretty ludicrous. Apple hating disabled people by having restrictions on their devices is kind of like saying that the US Government, by having traffic signals, hates sick and injured people since it slows ambulances down trying to get to the hospital.

RonMacGuy

Hi Bosco, I know you are ignoring me, but I thought of a better analogy related to this article. Apple is like a fire department wanting to hire some new firemen. The fire department has restrictions on the type of firemen that can work there. Flash is like the lazy, overweight guy trying to be a fireman (we’ll call him Waldorf). The fire department doesn’t want Waldorf to work there because he is old, bloated, lazy, likes to “crash” on the couch, and “eats” a lot of “food” (i.e. memory and battery life).

Not that Waldorf isn’t good at some things and may even do those things better in some cases (like laying on the couch and eating), but that doesn’t make him a good fire fighter. Plus, Waldorf leaves the fire house unlocked a lot, letting thieves in to steal hoses and stuff. Not good. They have to keep “patching” him for these “flaws” of being lazy, eating a lot, and letting thieves in to steal stuff at the fire house. They keep patching and patching, sometimes once a week. Other than that, Waldorf is a good enough guy that most people don’t mind having around, but just not as a fire fighter. They don’t mind watching a game with him or playing Webkinz with him or having a few beers with him, but they just don’t trust him to put out a fire if one appears, and for good reason.

The fire department wants a different kind of fireman, and those that live in the area served by said fire department are in complete agreement. Sorry Waldorf, go play somewhere else. Now, the firemen are doing this for the good of the community, abled and disabled alike. Even if Waldorf likes to help the disabled, does the fire department hate the disabled by not letting Waldorf be a fireman? I don’t think so.

I hope this analogy helps you to better understand. Thanks, and have a great day!!

Bosco (Brad Hutchings)

Great analogy, Ron! So why does Apple keep Waldorf from a full time team member like he is at all the other firehouses, but allow him to haul hoses up the stairs on the condition that he goes into the building without all his equipment?

I think the real problem is that Waldorf makes the affirmative action hires in the station look weak and takes too much of the glory from the chief.

RonMacGuy

Very good Bosco!! Being a friend of Waldorf’s I can see why you would be defensive about your fat lazy friend. Answer is, this firehouse is big and powerful and the chief is a bit of an elitist. And, every time Waldorf leaves the door unlocked at the other firehouses, our fire chief enjoys saying, “I told you so.” Why is there a website dropping 30,000 ugly people from their site since they are not as attractive as they should be? Life’s not fair, the powerful set the rules, and absolute power corrupts absolutely.

You may think that Waldorf hauls hoses up the stairs, but a lot of us just think that all Waldorf does is sit around at the local bar drinking all day and handing out the keys to all the firehouses in the area.

Bosco (Brad Hutchings)

So why is Waldorf allowed to put out fires for your firehouse with one hand tied behind his back? (Think AIR apps in the app store that aren’t allowed to download dynamic content.)

And why does the firehouse prefer to have women who are structurally weaker and slower than Waldorf carry fire victims down several flights of stairs? OK, why do some residents in the neighborhood, when there is a fire, call Waldorf on the phone to have him direct the people to put out the fire since he isn’t allowed on site? (Skyfire)

Why do the neighboring fire departments run advertisements in the neighborhood with cheers of “We’ve got Waldorf, yes we do, we can put out all the fires, while your clowns only handle half?” (Sammie and RIM are all over that.)

RonMacGuy

OK, now you’re just getting silly. You forget the entire starting point of this article - Waldorf sucks. He doesn’t put fires out - he starts them. He doesn’t carry people down stairs - he falls down the stairs. Don’t get me started on the fragmentation of the neighboring fire departments - What are they today? Firehouse stations 1.5, 1.6, 2.0, 2.1, 2.2, 2.3, 2.3.3, 3.0, and 3.1? Waldorf doesn’t quite play well with all of those, does he? Realistically, all Waldorf really does is play games and videos, which other firefighters can do as well, and are younger, leaner, stronger, more stable, don’t let the bad guys in, and just in general better represent firefighting. Face it. Who cares about skyfire, sammie, and rim? Really? Every once in a while I bump into Waldorf, but I can’t talk to him unless I am on my iMac. And that’s just fine with me (and a lot of us).

RonMacGuy

I found this on tinkerdroid.com - is it true? Waldorf can only support Firehouse station 2.2? What about all the other stations that supposedly cheer “we’ve got Waldorf, yes we do.” Do they really?

Android 2.2 currently supports Flash 10.1 on higher-end handsets and tablets (Click here for Adobe’s official list of supported devices). This also applies for Adobe Air. Unfortunately devices with an Android OS lower than 2.2 (e.g. Eclair 2.1, Donut 1.6) cannot run Flash Player 10.1. The Flash Player is distributed through the Android Market as a browser plug-in, not a standalone app. The app is currently on 10.1.95.2 and is periodically updated to fix bugs and patch security issues. The updates can also be downloaded via the Android Market.

Bosco (Brad Hutchings)

Or roughly 3/4 of Android devices in use as of June 1. Some of your neighbors in iPad land would just like the option. Apple does not have to make a browser that supports Flash. They just have to approve such a browser or allow users to side load software.

I really don’t understand why you are so adamant about this. Your neighbor in iPad land letting Waldorf put out a fire adds no risk to the use of your iPad. All it really does is provide some competition to the stranglehold the Apple fire station has on putting out fires. Seriously Ron, there is a small grease fire on the stove in your kitchen, and you are prohibited from operating a chemical fire extinguisher—and FFS don’t pour water on it (for real)! You have to wait for Steve Jobs to show up with his engine company and put out the fire that has spread to your room. That’s totally retarded.

RonMacGuy

I really don’t understand why you think I am so adamant about this. You’re the one using wording like “anti-Flash jihad” and how Apple hates disabled people. You obviously have a lot more in the game than I do, with your career. For me, it is borderline “not worth my time” thinking about it - perhaps if I missed it more I would side with you.

Here’s my first post: “I hardly think people are on an anti-flash jihad. All Adobe has to do is fix flash and Apple will allow it on their devices. That simple. All we do when these ‘Adobe Patches Another Critical Flash Security Flaw’ headlines come out is simply point out that Adobe has a lot of work to do to meet the standards that Apple imposes. I, as you, and especially my daughters, look forward to the day when they are capable of doing so. You should be more angry at Adobe than you are at us or Apple…”

I can hardly blame Apple for what they are doing. If I needed flash more on my iPad or my iPhone, maybe I would blame Apple more. But I don’t, so I won’t. I am sorry that Apple’s ban is causing you agony, but as an end user I just don’t see the value of flash, nor do I miss it.

I mostly disagree with you thinking that Apple is not allowing flash for their own gain. I probably don’t know enough to be dangerous on this, but it seems that if adobe fixed flash so it would run well on iOS they would allow it like they allow tons of other stuff. But, I am not really qualified to argue from a knowledge expert perspective (as you often point out). And that’s OK. You may be more right than I let on, but it wouldn’t be fun if I just conceded, right? But, I will agree with you that if allowing flash added no risk to the use of my iPad, then Apple should do it. But at this stage, you really can’t make the argument that adding flash adds no risk, given the original reason for this string of arguments (Adobe Patches Another Critical Flash Security Flaw), can you?

Bosco (Brad Hutchings)

Given that there have been and are untethered jailbreaks that involve visiting a website in Safari on the iPad, I would say that there is substantial risk just turning on the browser. You know what an untethered jailbreak does, right? It crashes the browser in a way that makes “root” available on the iPad. The same code that is doing people a favor to free them from the Apple dictators can be deployed to steal your personal information from a malicious website. Perhaps you’d like to go back over the past couple of years and compare Flash’s timeliness in fixing its issues quickly after they are discovered to Apple’s timeliness in patching its endless stream of Safari issues that enable the untethered jailbreaks.

When everybody’s crap stinks on this issue due to the nature of complex software rather than incompetence or negligence, it’s just plain ignorant to call out a competitor as “crappy” or “buggy”. But hey, to be a card carrying Apple fan, this is what you must believe, because Xenu told you so. Carry on…

RonMacGuy

Wow, it must be so tiring to hate so much. Whatever, Bosco. I guess I am happy with how my iPad works as it is. I see no reason to jailbreak anything. Tell you what, it would be easier for people to free themselves from the Apple dictators by buying an android tablet, but so far that’s just not happening. 99% of iPad users are just happy with their device. I’m one of them. I don’t care about the “endless stream” over the years. I need a mobile OS and I need a browser. I don’t need flash. I decided to go iOS route with iPad and iPhone and I am happy. Others can go another route - whatever. Software is complex - I agree. If android is so much better with flash capability, why is one of every four smartphones sold today an iPhone? Why isn’t Apple at the 5-10% level you predicted? Why is iPad still the #1 tablet? Why?

furbies

From an email I got from TeamViewer today.

Hello,

Thanks to numerous requests by our users you will now find TeamViewer Free on the Android Market, too. It is intended for private use on both Android smartphones and tablets (running on Android 1.6 and later).

Enjoy the full flexibility of TeamViewer Free: Access remote computers, open and edit files or even perform a remote reboot. The app can connect to any computer with a common operating system and the best thing: It is totally free for private use!

Due to the rules of the Android Market we cannot make the commercial version available for use there. If you would like to use TeamViewer in a professional environment you may purchase the commercial version on our website.

Your Stefan Luksch
TeamViewer

So it seems that the Android Market isn’t such a bastion of freedom & liberty after all!

Lee Dronick

Due to the rules of the Android Market we cannot make the commercial version available for use there. If you would like to use TeamViewer in a professional environment you may purchase the commercial version on our website.

I have seen similar terms of service for a number of apps, graphics, and fonts too. Commercial users are on their honor to pay for a commercial license.

Bosco (Brad Hutchings)

So it seems that the Android Market isn’t such a bastion of freedom & liberty after all!

The Android Marketplace (an app store run by Google) has rules. Nobody said it didn’t. One rule concerns payment, which uses Google Checkout. If they prefer PayPal or directly charging a credit card, that would be consistent with their statement.

Do note that in the Android world (unlike the iOS world), they can simply offer the app for download and side-loading onto devices directly from their website. That is the ultimate freedom in play, which they use.
