Apple update disables older Flash in Firefox, too

Last week, I wrote about an update to Safari that disables older versions of Flash. I asked whether this was helpful – given that Flash is a notorious vector for malware – or presumptuous, and many commenters thought it was a smart move on Apple’s part.

Certainly, Apple’s action to protect users of its own browser makes sense. But what if the Safari update affected other software?

It turns out that the Flash-disabling feature in Safari 5.1.7 also shuts off the player in Firefox, according to an Apple spokesperson. If you don’t take up the new Safari on its offer to send you to the Adobe Flash website and download the latest version, you won’t be able to see Flash content in either Safari or Firefox.

Users of Google’s Chrome browser on OS X aren’t affected, because Google maintains a current version of Flash within the browser. It doesn’t rely on the Adobe plug-in.

It also turns out that Apple isn’t disabling Flash unless it’s a very old version. The Safari update removes Flash only if it is older than version 10.1.102.64. As my buddy Ed Bott points out, that version was released way back in November 2010:

That was more than 18 months ago. Since that time, Adobe has delivered 17 Flash Player updates that affected the Windows, Macintosh, and Linux platforms. (Back in March I assembled an up-to-date list, which you can check for yourself.)

The most recent Flash Player update was released on May 4. If you have not yet installed version 11.2.202.235, on whatever your platform of choice is, your Adobe Flash Player is out of date.

If you last updated Flash in early 2011, you could be 16 versions behind. And yet, despite the seemingly definitive, no-qualifiers-included statement in that Apple security bulletin, Safari 5.1.7 will not disable your out-of-date version of Flash Player.

As a result, installing the latest version of Safari could still leave you with an out-of-date version of Flash that remains chock-full of security flaws and thus vulnerable to exploits. And, as the ongoing Flashback Trojan infection indicates, the evildoers are clearly taking aim at the Macintosh platform. Apple’s decision to disable only much-older copies of Flash means a large number of machines have security holes that can be compromised.

And using Firefox instead of Safari won’t protect you in this case.

If you’re a Mac user who downloaded the latest version of Safari and it didn’t disable Flash, don’t assume you’re protected, even if Firefox is your primary browser. Go get the latest version of the Adobe Flash Player for OS X and install it now.
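To see which machines fall into the gap described above (too new for Safari 5.1.7 to disable, too old to be patched), the following added example, which is not code from Apple, Adobe or the original post, sorts an inventory of installed Flash versions against the two version numbers quoted in the article. The hostnames, the inventory and the function names are constructed for illustration.

```python
# Added example: the two thresholds are the version numbers quoted in the article.
SAFARI_CUTOFF = (10, 1, 102, 64)   # Safari 5.1.7 disables anything older than this
CURRENT = (11, 2, 202, 235)        # most recent release cited in the article (May 4)


def parse_version(text):
    """Turn '10.1.102.64' into (10, 1, 102, 64); pad short versions with zeros."""
    parts = [int(p) for p in text.strip().split(".")]  # ValueError on non-numeric
    if not 1 <= len(parts) <= 4 or any(p < 0 for p in parts):
        raise ValueError("not a Flash version: %r" % text)
    return tuple(parts + [0] * (4 - len(parts)))


def classify(text):
    """Compare numerically, field by field. Comparing the raw strings would
    rank '10.1.85.3' above '10.1.102.64' because '8' sorts after '1'."""
    version = parse_version(text)
    if version < SAFARI_CUTOFF:
        return "disabled-by-safari"
    if version < CURRENT:
        return "enabled-but-outdated"   # the gap: still runs, still unpatched
    return "current"


def audit(inventory):
    """Group hostnames by status; unparsable versions are reported, not skipped."""
    report = {"disabled-by-safari": [], "enabled-but-outdated": [],
              "current": [], "unparsable": []}
    for host, version in inventory.items():
        try:
            report[classify(version)].append(host)
        except ValueError:
            report["unparsable"].append(host)
    return report


# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE = {
    "mac-01": "10.1.85.3",     # older than the cutoff
    "mac-02": "10.1.102.64",   # exactly the cutoff: not older, so left enabled
    "mac-03": "10.3.183.10",
    "mac-04": "11.2.202.235",
    "mac-05": "unknown",
}

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(status, hosts)
```

Hosts listed under `enabled-but-outdated` are the ones a Safari update alone will not fix and that need the Flash installer run by hand.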

By the way, this will soon be a moot point. Adobe is working on a version of the Flash player for Mac that auto-updates in the background, as does the current Windows version. It’s currently in beta, if you want to give it a try.

Related: Apple has released a version of its Flashback Trojan removal tool for Leopard users.