Adobe patches critical Flash bugs, ships sandboxed plug-in for Firefox

#1 Macworld

Story Poster

Group: MW Bot
Posts: 31,662
Joined: 30-November 07

Posted 08 June 2012 - 03:21 PM

Post your comments for Adobe patches critical Flash bugs, ships sandboxed plug-in for Firefox here

#2 mojo66

Member

Group: Members
Posts: 77
Joined: 11-May 10

Posted 08 June 2012 - 05:15 PM

The Flash Plugin requires root privileges at install time, for whatever reasons. "Silent update" means, a 3rd party process known for dozens of security flaws, is running with root privileges silently doing something users can only hope is useful. No thanks. I've de-installed this piece of crapware.

#3 bastion

Power User

Group: Members
Posts: 9,094
Joined: 14-October 04

Posted 08 June 2012 - 05:46 PM

Really sloppy article.

Quote

The company also released the “silent update” tool for OS X, and said it had prepped Flash for the upcoming OS X 10.8, aka Mountain Lion, by signing its code, a requirement if users are to install software downloaded from sources other than Apple’s own Mac App Store.

No, this is not a requirement. They're talking about GateKeeper but have oversimplified it to the point of error. In 10.9 I shouldn't be surprised to see code signing required, but then Apple's been warning us as developers since Leopard that this was probably coming.
...
Ah, I see. Waaaaay down at the bottom of the article comes a clarification that makes the claim somewhat less wrong. Like this:

Quote

Because Flash is not distributed through Apple’s desktop app market, if users set Gatekeeper to the most restrictive option—“Mac App Store”—they won’t be able to install or update Flash Player.

Unless, of course, they use the "secret" incantation that allows that protection to be bypassed on a per-instance basis. (Secret: Run the app the first time using the Open command in Finder's context menu instead of double-clicking it.)
Posted Image

Quote

Because many Windows applications don’t call DLLs using a full path name, instead using only the filename, hackers can trick an application into loading a malicious file with the same title as a required DLL.

"Many" in this case means "virtually all."

This post has been edited by bastion: 08 June 2012 - 05:48 PM

#4 afriedma

Member

Group: Members
Posts: 68
Joined: 03-September 04

Posted 08 June 2012 - 08:40 PM

When you install the new update, Adobe asks you to select from 3 update options: automatic in background, notify me of updates before installing, or do not notify me of updates. So, if the first option makes you nervous (as it does for me), then pick the 2nd or 3rd options. FYI, Adobe lists the automatic option as 'Recommended'.

#5 MorrisTheCat

Member

Group: Members
Posts: 727
Joined: 14-December 07

Posted 11 June 2012 - 11:39 AM

The Flash Player Preference Pane also gives you the 3 controls mentioned in how updates should be handled. There are some blogs out there on what gets installed and how it all works. Basically a new executable called "fpsaud" get installed into /Library/Application Support/Adobe/Flash Player Install Manager/ and a LaunchDaemon gets installed into the root /Library/LaunchDaemons folder that activates the above executable every day to check for updates. Presumably, disabling or completely removing the LaunchDaemon would remove the auto update function from kicking in without being called on manually in a script or something.
We're debating here where I work on whether we want to deploy this update "as is" to our Macs or modify it so we can control the update process. For some reason, allowing Adobe to update its software unchecked on our systems gives me the willies.