Wednesday, June 24, 2009

Adobe Shockwave Player v11.5.0.600 & Apple vs. Java Insecurity

--
In its recent attempt to get serious about application security, last week Adobe released Shockwave Player v11.5.0.600 for Mac. Oddly, they released the Windows version a week later. I say oddly because Mac versions of Adobe software are almost always late. It's amusing to see a swap for a change. Now if only Adobe would release the many-years-delayed 64-bit versions of their applications. Hint hint Adobe.

MacWorld messed up today (6/24) and reported that the Adobe security bulletin about the Windows version 11.5.0.600 of Shockwave Player had something to do with the Mac version. So I posted a reply comment, which you'll find below. After I posted my comment I visited the Adobe site to find any news about the Mac version. There isn't any. I did however learn that Shockwave Player is compatible with Mac OS X Tiger. That's good to know. I dug around in the installer package and found nothing there either. If you find anything relevant to Mac security improvements in Shockwave Player v11.5.0.600, please leave a comment.

Here is my comment to MacWorld regarding Adobe Shockwave Player. It is also relevant to Apple's slowpoke response to Java security problems:

A couple points:

1) The Adobe Security Bulletin (it's not a blog) is specific to the Windows version ONLY, which apparently was just finished and released. The Mac version of Adobe Shockwave Player v11.5.0.600 was released a week ago on June 16th. Adobe didn't post a security bulletin for the Mac version. And that means what?!

2) bousozoku sez: "Adobe seems to be the only company slower than Apple at taking care of security concerns."

Adobe's attention to security went into deep decline until this past month.

In the meantime, Apple have been improving their attention to security exponentially over the last couple years. It appears to be in response to both the moronic anti-Apple security FUD-fest instigated by Symantec in August 2005, and the White Hat focus on Apple security bugs and vulnerabilities. As is typical with Apple, drag them through the press and they respond.

Where Apple recently fell on their face was with regard to a slew of vulnerabilities in the mess known as Java. Apple were over 6 months behind in Java patches. Sadly, Apple's incredibly slow response to Java updates is consistent. Never has Apple had a serious Java team. Of course one reason is that Apple has to do ALL the work to provide Mac OS X Java updates. Sun provides nothing.

Meanwhile, despite Microsoft's outright hatred of all things Java, to the extent that they were found guilty in court of attempting to destroy Java via their J++ monstrosity, Sun Microsystems write and provide all Windows Java updates. Microsoft never has to lift a finger. That is the single sole reason Windows gets Java updates before Mac OS X. Hey thanks Sun. Sorry you're dead.
--