Just last week, we reported on the latest security update to Adobe’s Flash. Installed on nearly every personal computer in the world, Flash is used for a wide range of animation and rich content delivery: you may see Flash ads, with simple graphics, you may come across games that use Flash for on-line play, and when you watch a YouTube video, you’re using Flash to view it.
Infoworld discusses Flash’s “security woes”, with an in-depth article about recent vulnerabilities and how Adobe handles security. They list a number of issues, then go on to ask, “Is Adobe immature when it comes to security?”
Obviously, the answer to that question depends on who you ask. Adobe doesn’t think they’re immature; “Adobe is vigilant in doing everything that we can to prevent any new vulnerabilities from being introduced and also [in] reacting swiftly to any vulnerabilities that are identified after we ship a product,” said Brad Arkin, Adobe’s director of product security and privacy. But we see, time and again, that Adobe drags their feet in releasing patches for Flash.
Part of this is because they have moved to a scheduled quarterly patch release, copying Microsoft with their “patch Tuesday”. Releasing patches once every three months is far from sufficient to deal with the number of vulnerabilities that are found in Flash, as well as in other popular Adobe software, such as Shockwave and Adobe Reader.
To further confuse the issue, Apple shipped Snow Leopard with an insecure version of Flash. Because of the time it takes to get such third-party software integrated into the operating system, the version of Flash provided with Snow Leopard did not have the latest security fixes.
The biggest problem for Flash on Mac OS X, however, is that there is no way to update the software automatically, and Flash itself doesn’t check for updates. As we said recently:
Unfortunately, most users rarely update Flash, since it’s not an application and doesn’t do automatic checks for updates. Given the risks of infected Flash content, and the ability for that content to run on any web page with no user interaction, Adobe should add some kind of auto-update check to the Flash plug-in. As it stands, the only way users know they need to update the software is when they read an article such as this, or if, in rare cases, they visit a page that requires a specific version of Flash and they find that their plug-in is out of date.
Adobe says there is an auto-update function in Flash Player, and explains how administrators can configure it. However, we have never seen an update notification on any of our Macs, and this for years. We have asked friends and colleagues, and they, too, have never seen such notifications. If you access the Flash Player Global Notifications settings panel, you’ll likely to be under the impression that the software is set to check for updates; this setting is checked by default. Yet it doesn’t seem to work for Macs.
Adobe says, on this page, “Automatic notification is available on all Microsoft Windows platforms for the following browsers: Microsoft Internet Explorer, AOL, Mozilla, Netscape, or Opera.” This suggests that the auto-update feature does not work for Mac OS X. It seems, however, that 80% of computer users are using out-of-date Flash Player plug-ins. So even on Windows, this auto-update feature either doesn’t work, or doesn’t work very well. The Mozilla Foundation recently announced that Firefox 3.6 will contain a built-in system to check for outdated plug-ins, such as Flash Player.
Why Adobe doesn’t have an auto-update feature for Flash for everyone is surprising. For Mac users, the only time most of them update Flash is when Apple provides a Flash update in one of its Mac OS X system or security updates.
Until Adobe introduces some sort of working auto-update system to Flash, Mac users will be at risk for vulnerabilities. Whether Adobe patches Flash Player or not changes nothing, because it’s likely that most Mac users never update their version of Flash unless it’s provided as part of an operating system update.