Filed under: OS, Bugs/Recalls, Bad Apple, Security, Found Footage, Snow Leopard
Snow Leopard: Apple ships old, security-compromised Flash plugin with new OS
It's not that we have anything against the Flash plugin for Mac browsers. Well, other than the fact that it's crashy, and slow, and makes our laptop fans spin up like we're doing wind tunnel testing for the Air Force. But other than that, we have nothing against it -- and it's lovely that the new 64-bit version of Safari in Snow Leopard can isolate Flash-related stalls and hiccups from the main browser process for enhanced crash protection. Very nice.
Unfortunately, as pointed out initially by Graham Cluley over at the security and anti-virus vendor Sophos, the version of the Flash plugin that Apple bundles with Snow Leopard is old. It's the 10.0.23.1 version, old enough that it has some notable vulnerabilities versus the currently shipping 10.0.32.18 version. You can check which version of the plugin you have by visiting this Adobe check page. Even if you had the current build on your machine before upgrading to Snow Leopard, the upgrade process replaces your Flash with the vintage Flash instead -- poor form! Cluley recommends, and Adobe concurs, that the best thing to do is head over to Adobe's download site and get the most up-to-date version instead.
It's understandable that Apple had to lock down a version of the Flash plugin for inclusion in the OS golden master, but if you're gonna do that then you've got to provide an integrated method for users to update to the current build when the time comes (like, say, via an OS-wide Software Update utility). Downgrading user security while upgrading OS versions is a rotten way to run a railroad.
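As an added example (not code from the post, Apple or Adobe), here is a small Python check that reads a Flash plugin's Info.plist, compares the installed build against the 10.0.32.18 version the post cites, and shows the "never downgrade a newer third-party component" rule the installer lacked. The sample plist is constructed, and the `CFBundleShortVersionString` key and the plugin's `Contents/Info.plist` location are assumptions.

```python
import plistlib
from typing import Tuple

# Versions named in the post: what Snow Leopard bundled and what Adobe was shipping.
BUNDLED_VERSION = "10.0.23.1"
CURRENT_VERSION = "10.0.32.18"

# Constructed sample Info.plist shaped like a Flash Player.plugin bundle's;
# on a real Mac it would be read from the plugin's Contents/Info.plist (assumed layout).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.macromedia.Flash Player.plugin</string>
  <key>CFBundleShortVersionString</key><string>10.0.23.1</string>
</dict>
</plist>
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into ints; plain string comparison is wrong
    because it ranks '10.0.9.0' above '10.0.32.18'."""
    return tuple(int(part) for part in version.strip().split("."))


def installed_version(plist_bytes: bytes) -> str:
    """Read the plugin's version string from its Info.plist contents."""
    info = plistlib.loads(plist_bytes)
    return info.get("CFBundleShortVersionString") or info["CFBundleVersion"]


def needs_update(installed: str, current: str = CURRENT_VERSION) -> bool:
    """True when the installed plugin is older than Adobe's current build."""
    return parse_version(installed) < parse_version(current)


def install_would_downgrade(installed: str, bundled: str = BUNDLED_VERSION) -> bool:
    """The check the OS installer should have made: refuse to replace a
    newer third-party plugin with the older bundled copy."""
    return parse_version(bundled) < parse_version(installed)


def report(plist_bytes: bytes) -> str:
    """One-line verdict a user or admin can act on."""
    have = installed_version(plist_bytes)
    if needs_update(have):
        return f"Flash {have} is older than {CURRENT_VERSION}: update from Adobe"
    return f"Flash {have} is current"
```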
[Side note, does Cluley's narration in the video above make you wonder if, just maybe, he's moonlighting as Ben 'Yahtzee' Croshaw over at The Escapist? NSFW!]
Thanks to everyone who sent this in.
Reader Comments (Page 1 of 2)
Fernando said 4:30PM on 9-03-2009
Umm, yeah, that version of Flash wasn't out when 10.6 went RTM; not worthy of the news, sorry. Also, Flash on Mac OS sucks major ball sacks. My 2.6 C2D sits at 60% util when watching Flash videos. My G4 on Flash 10 was useless with Flash sites; I had to install 9 on it to make the web with Flash useful. Flash is crapware as far as I am concerned; go to their forums and it's littered with performance complaints, with screenshots and all. Get with the program already, Adobe.
DJM said 4:44PM on 9-03-2009
I do agree!
Michael Rose said 5:15PM on 9-03-2009
Understood that the newer build wasn't available when they went GM, but the upgrade should leave it alone -- it's a third-party component.
Two wrongs said 4:30PM on 9-03-2009
It's no surprise Apple has an older version included, I mean, they had to "lock down" the contents of the DVD probably a month or more ago, but they ought to have the sense to leave things alone if a newer version exists, that's just common sense. One of Apple's installer engineers made a boo-boo!
LAGal said 6:04PM on 9-03-2009
Contrary to belief, they are human, not a band of foolproof robots following Wi-Fi'd instructions from Steve Jobs' brain.
And it is interesting that the persons pointing out this boo-boo and the vulnerabilities (which have not yet been widely exploited to date) come from a security software vendor. Isn't that a bit like Intego (an anti-virus vendor) pointing out the flaws in Snow Leopard's first attempt at built-in malware scanning?
Rich said 1:33PM on 9-04-2009
LAGal: *why* on earth does the Apple Installer not have dependency checks yet? Every other OS's updating system has this as a core feature. If they just used something sensible like apt or rpm, they could have avoided this fiasco. But no, Apple Knows Best. And then sets about proving that statement wholly wrong.
This is a basic security feature. "Upgrading" to an arbitrary version is dangerous!
Brian said 4:31PM on 9-03-2009
Perhaps you expected Apple to silo all your Safari plug-ins and analyze each one to determine who has the most up to date version, then put them all back once everything was updated to Snow Leopard, but I still wouldn't expect Apple to provide me with a patch for Flash. I'd expect Adobe to do it. Eventually, I do think it would be great if Apple would enable third parties to hook into the Software Update tool, and ask the user's permission to do so. Then when it runs, it'll check all the stuff I've told it to. In the meantime, I use AppFresh.
And while we're on the topic, when is Adobe going to bother optimizing Flash for the Mac? I don't like my machine using more processing power than necessary and causing the fan to spin up and the battery to drain faster than normal. Hey Adobe, what gives? I hear a lot of people say they use Click2Flash so that they aren't burdened by Flash when they don't want it.
Rich said 1:37PM on 9-04-2009
"Perhaps you expected Apple to silo all your Safari plug-ins and analyze each one to determine who has the most up to date version, then put them all back once everything was updated to Snow Leopard"
Yes. Newsflash: This is the way every other Unix-like OS on the planet behaves.
Without the "silo" and "put them all back" parts. That's just insane. Do it in place. It's not like it's imaging the hard disk -- it's just upgrading packages.
NateF said 4:36PM on 9-03-2009
Sheesh, I wasn't even running the most current version. Does Adobe have an auto-update application for Mac (or for any operating system, for that matter)?
While Apple should have shipped the most current version of Flash with Snow Leopard, I don't think it's their job to provide Flash updates through Software Update.
Rich said 1:38PM on 9-04-2009
Why not? They install it with the OS. That assumes responsibility.
Look said 4:49PM on 9-03-2009
Wow, how scary! Really, we are running 10.0.23.1!!!
Now please show me one person that got infected. I've been using a Mac for 20 years and never known one☺
Jordan said 4:58PM on 9-03-2009
Dear god, you obviously don't know many Mac users then. I'm around a lot of them, and have definitely seen them get infected numerous times. Now I'm not saying Macs are just as bad as PCs, all I'm saying is you need to drop the stereotype that Macs are invulnerable because it's just not true. I have actually seen people have worse problems and lose more data than PC users at times. Hell, even Apple is now shipping Snow Leopard with malware protection. Drop the stereotype already.
Look said 5:09PM on 9-03-2009
Sure you do, PC FanBoy☺ Hope you're enjoying VISTA-7...
*So here are a few of your lovely comments on Apple:
“F you Apple, stop making computers and stick to gadgets.” (Jordan)
“I hope so, because iPhone OS 3.0 sucks beyond belief” (Jordan)
“All Apple users think they need to flaunt around the stats of their computer. I find it extremely annoying” (Jordan)
“OLED screens are showing up in everything, Everything except the iPhone/iPod” (Jordan)
SpinThis! said 5:10PM on 9-03-2009
As with any security threat, you have to see what's actually affected. Calling out Apple on a minor issue is just stupid.
What's actually "vulnerable" here involves malicious PDFs so if you use Preview (which is default) to view PDFs, you're not affected. You're also not affected if you have an up-to-date version of Acrobat Reader. You have to go out of your way for this threat to actually be useful.
And the latest version of Snow Leopard alerts you to the 2 threats that are out in the wild. So if you're worried about this kinda crap, go upgrade.
Apple didn't exactly put a grenade in the OS waiting to go off. As said best over at MacRumors, you have to open the ammunition toolbox, grab a grenade, and pull the pin to be vulnerable to this.
Jordan said 7:10PM on 9-03-2009
Congratulations, you can research. I have said those comments, and I stand by them. However, none of those comments have anything to do with what I stated.
Again, drop the stereotype because it's wrong.
Oh by the way, you can use a Mac and hate it, you don't have to love it to death and feel that everything Apple does is correct and worship them daily. People use PCs and hate them yet they won't switch, why? They have their reasons, just like I have mine for using a Mac. Software. Have you ever tried running Final Cut on Windows, it's kinda hard...
Look said 7:18PM on 9-03-2009
You are the one who is the worshiper. If you are so "biased", how come 95% of your Apple comments are hateful?
Viruses on a Mac don't exist (at least not yet)! The companies that are making billions off the PC market are just trying to create a new market. And I can't blame them, since Apple's Unix OS is a big threat to their existence.
Jordan said 7:52PM on 9-03-2009
Coming from someone who has worked in a help desk supporting both Mac and PC environments, viruses DO exist for the Mac. I have seen them first hand. Even Apple has recommended people install anti-virus software on their mac:
http://news.cnet.com/8301-1009_3-10110852-83.html
Look at the date on that article, less than a year old.
I'm not worshipping and I'm not hating in any of the comments I have said to you. All I am saying is quit kidding yourself and falling into stereotypes. I'm not comparing Macs to PCs in terms of numbers of security vulnerabilities; all I'm saying is that Macs ARE vulnerable and DO have problems. Viruses DO exist for them, maybe not in sheer numbers, and they've yet to travel and spread like they do for PCs. Why? Number of users, but if that rises, will you - and most other Mac users - be protected and ready? I'm betting no.
Dave said 4:51PM on 9-03-2009
I just assumed that Flash was updated after the Snow Leopard build went GM. No big deal, just visit Adobe's web site and update:
http://www.adobe.com/software/flash/about/
STL said 7:36PM on 9-03-2009
I set the times when I get flashed 'cause I use "Click to Flash":
http://rentzsch.github.com/clicktoflash/
Drunken Economist said 7:05PM on 9-03-2009
Dear TUAW:
Flash is not an Apple product.
Flash is not an Apple product.
Flash is not an Apple product.
How many times do we have to repeat this?
Also, the Adobe / Apple relationship is on the rocks, or didn't you know?
No Flash on the iPhone.
Nack and his little 'No support for CS3 & Snow Leopard.'
The message really is that Adobe doesn't care as much for Apple, and the feeling is likewise.
Figure it out!
Love and Kisses,
-Drunken Economist.
http://mindtaker.blogspot.com/