Adobe has announced it will stop issuing Flash security updates for some Mac users next year. It also patched seven vulnerabilities in Flash Player, six of them for critical bugs that hackers could use to hijack Windows, Mac or Linux machines.
In a security advisory published on Tuesday, Adobe briefly spelled out the vulnerabilities, using the phrase "could potentially lead to code execution" in six of the descriptions. Like Apple, and unlike Microsoft, Adobe does not assign bugs a severity or threat rating. Vulnerabilities that can be used to introduce malicious code, however, are considered the most serious - and get the highest rating from vendors such as Microsoft.
Tuesday's update was the first for Flash Player since late July. Although Adobe committed earlier this year to releasing security fixes every three months for its Adobe Reader and Adobe Acrobat software, Flash Player remains on an ad hoc schedule.
Even so, Adobe piggybacked the Flash Player security patches with the six updates that Microsoft released the same day for Windows, Internet Explorer (IE) and Office.
The update to Flash Player 10.0.42.34 fixed data injection and integer overflow vulnerabilities, patched a pair of memory corruption bugs, plugged a hole in JPEG image parsing and resolved "multiple crash vulnerabilities," the company's advisory said.
It also addressed a bug in the Flash Player ActiveX control for IE that could be used to pilfer information, said Adobe, which credited a Microsoft researcher with reporting the problem. Microsoft and Adobe have been collaborating on security issues for months, part of the former's long-term plan to beef up the security of the Windows ecosystem by helping major third-party developers, such as Adobe, find and fix flaws.
The paucity of information included in Adobe's advisory, however, rankled at least one security expert. "Overall their security advisories are on par with Apple's," said Andrew Storms, the director of security operations at nCircle Network Security. "Well actually, I might have to give Apple a few notches up over Adobe," he added, referring to Apple's reputation for terse descriptions of the vulnerabilities it patches in Mac OS X.
Adobe also had some problems getting out the update yesterday, the day it had promised last week it would deliver the Flash Player patches. "The flash player bulletin will be up soon. The team is working through a few final checks," said Brad Arkin, Adobe's director for product security and privacy, on Twitter late on Tuesday. Adobe released the update around 4:30 p.m. PT.
Flash Player 10.0.42.34 for Windows, Mac and Linux can be downloaded from f="http://get.adobe.com/flashplayer/" title="Adobe's Web site" target="_blank">Adobe's Web site.
Alternately, users can use Flash's built-in automatic update mechanism to grab the new versions.
Also on Tuesday, Adobe announced plans to drop Flash Player security support next year for Mac owners whose machines run PowerPC G3 processors.
"Adobe will be discontinuing support of PowerPC-based G3 computers and will no longer provide security updates after the Flash Player 10.1 release," said Adobe in the same advisory that spelled out the seven patches. "This unavailability is due to performance enhancements that cannot be supported on the older PowerPC architecture."
After Flash Player 10.1, which is slated to ship in the first half of next year, Adobe's newest software will run only on Intel-based Macs.
Correction: The original version of this story stated that Adobe was discontinuing support for Flash Player security updates all PowerPC Macs, not just G3 models. We regret the error.