Apple on Tuesday patched 28 vulnerabilities in its Snow Leopard operating system, including two in Adobe’s Flash Player.
But in another example of the tension between the two companies—sparked by Apple CEO Steve Jobs’ rejection of Flash as slow, buggy and obsolete—Adobe immediately countered by noting that Apple’s Flash fixes were already outdated.
“10.6.4 update for Mac OS X includes Flash Player, but not the latest version,” said Brad Arkin, Adobe’s director of security and privacy, in a message on Twitter Tuesday shortly after Apple issued the security and performance update.
Others at Adobe chimed in Tuesday that Apple shipped the outdated Flash Player 10.0.45.2 with Mac OS X 10.6.4, and like Arkin, urged Mac users to download a newer edition directly from Adobe’s site.
Adobe patched a pair of bugs in Flash Player 10.0.45.2 for Mac and Windows in February 2010.
The newest edition of the popular media player is 10.1.53.64, a 32-patch update Adobe shipped June 10, in part to fix a zero-day flaw that hackers have been exploiting since earlier this month.
It’s not unusual for Apple to lag behind Adobe in releasing Flash Player patches to its users. Apple, unlike Microsoft, handles the distribution of Flash Player updates for its users, bundling them into its OS updates.
This was only the second time that Adobe has called out Apple over including an outdated version of Flash Player with Mac OS X, according to reviews of Adobe’s security blog.
The first time was last September, when Adobe noted that Apple had shipped an older, vulnerable edition of Flash Player with Mac OS X 10.6, aka Snow Leopard, when that OS debuted in August 2009. Security researchers took Apple to task for bundling an old version of Adobe’s software with Snow Leopard, and for “downgrading” newer editions to the outdated software.
Apple refreshed Snow Leopard two weeks later to include a then-up-to-date copy of Flash.
This time, Mac users who manually updated Flash Player to version 10.1.53.64 since last week need not take any further action, Arkin said in a follow-up message on Twitter. “[Mac OS X] 10.6.4 doesn’t appear to downgrade users that had previously updated to Flash Player 10.1.53.64, so users don’t have to reapply the update,” Arkin said yesterday.
Users can check to see which Flash Player edition they’re currently running by visiting the About Flash Player site. Users must run the check in each browser installed on their Macs. If they find they’re running an older edition, the newest 10.1.53.64 can be installed by manually retrieving the update from Adobe’s Web site.
Seven of the 28 flaws, or 25 percent of the total, fixed by Apple in Mac OS X 10.6.4 were tagged with the phrase “arbitrary code execution,” Apple’s way of saying that the bugs were critical and could be used to infect a Mac with malware, including spam bots and identity-stealing keyloggers.
Among the non-Flash Player vulnerabilities addressed by Mac OS X 10.6.4 were three in its implementation of CUPS (Common Unix Printing System), three in the Kerberos authentication protocol, one in Apple’s iChat instant messaging client, and one in Apple’s Wiki Server software.
Mac OS X 10.6.4 also updated Safari to version 5; Apple launched the new browser June 7, patching a record 48 vulnerabilities at that time.
Apple said it addressed 16 non-security issues in Mac OS X 10.6.4 as well, including a reliability improvement for VPN (virtual private network) connections and a resolution of an unresponsive keyboard problem.
Apple last updated Snow Leopard in May, when it closed a record 92 security holes, a third of them critical.
Users running Mac OS X 10.5, aka Leopard, also received a security update Tuesday.
Mac OS X 10.6.4 can be downloaded from the Apple site or installed using the operating system’s integrated update service.