Adobe Flash contributes largest number of security patches in Apple's Mac OS X 10.6.5
Apple has detailed the security issues patched by Mac OS X 10.6.5 and the corresponding Security Update 2010-007 for Mac OS X 10.5, indicating that more than half of the security vulnerabilities in Mac OS X actually affect the Adobe Flash plugin and X11.
Of the 131 security vulnerabilities identified and patched by the latest Mac OS X update (cataloged by their public Common Vulnerabilities and Exposures or CVE ID), 16 are related to X11, an optional install which enables Mac OS X to run apps designed for the Unix X Window specification. Another five are related to features in Mac OS X Server that are missing in the desktop version.
Nine more affect Apple's own QuickTime, one is related to the Mac OS X kernel, one affects Safari, and another 45 were found in various other code, including some that is proprietary to Apple (such as its AFP file server, CoreGraphics and CoreText) and some that is incorporated by Apple from open source projects into its operating system (including the Apache web server, CUPS printing, OpenLDAP, Python, and PHP).
However, by far the largest number of security vulnerabilities is associated with the Adobe Flash plugin, with a whopping 55 issues listed, the "most serious of which may lead to arbitrary code execution," Apple reports in its Apple Product Security update.
This leaves little reason to wonder why Apple has worked to shed all third-party platform code from its mobile iOS, including Java and Flash (and of course, X11).
Security, battery issues unfortunate for Adobe
The security issues related to Flash are in fact the stated reason why Apple is backing away from bundling the plugin with its new computers. Apple began shipping the MacBook Air without Flash installed, noting that customers could install the plugin on their own to ensure they had the latest, most secure version.
However, testing indicates that in normal operation, Flash can also consume dramatic amounts of battery life just to animate web ads in the background, resulting in as much as two hours of lost productivity on a single charge.
After that fact was publicized, Adobe's CTO Kevin Lynch lashed out at Apple, saying in an interview, "I just think there's this negative campaigning going on, and, for whatever reason, Apple is really choosing to incite it, and condone it."
Lynch characterized Apple's exclusive support for HTML5 for displaying dynamic web content on iOS devices as "unfortunate" and "a blockade of certain types of expression," but also noted, "we support [standard based web development using] HTML. We're making tools for HTML5. It's a great opportunity for us."