September 3, 2009 8:26 AM PDT

Snow Leopard install downgrades Flash

by Jim Dalrymple
62 comments

Apple has built a potentially dangerous downgrade into Mac OS X Snow Leopard, according to a security expert.

When Apple's updated operating system is installed, it replaces Adobe Systems' Flash Player with an earlier, less secure version. Sophos security expert Graham Cluley said Wednesday in a company blog post that the installer puts Flash Player 10.0.23.1 in place, a build that lacks the fixes Adobe has shipped since for publicly known vulnerabilities.

"Mac users who have been diligent enough to keep their security up-to-date do not deserve to be silently downgraded," Cluley said in the blog. "We know that hackers keep finding security holes in Adobe's code--and that's deeply concerning because it is so widely used by many internet users, whether on Mac or PC."

Cluley said users need to upgrade Flash Player for Mac immediately to the most current version, 10.0.32.18. Failing to do so leaves users exposed to the vulnerabilities Adobe has patched in Flash over the past several months. Because the downgrade happens silently, having updated before the upgrade is no guarantee; the only reliable check is to read the version of the plug-in actually installed now and compare it with 10.0.32.18.

"This should be done as a matter of priority," Cluley said. "Adobe is the 'new Microsoft' when it comes to security vulnerabilities, with hackers targeting their software looking for vulnerabilities to exploit."
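As an added example (not code from the article, Sophos, Adobe or Apple), the check a practitioner would run after an OS upgrade: read the version of the installed Flash Player plug-in, compare it numerically with the latest release and with the version recorded before the upgrade, and report a silent downgrade. The plug-in path and the Info.plist keys are assumptions; the embedded plist is constructed from the two version numbers quoted in the article, so the script runs offline. Numeric comparison matters: comparing version strings as text would rank a hypothetical 10.0.9.1 above 10.0.32.18.

```python
"""Post-upgrade check for a bundled third-party component (added example, not
code from Apple, Adobe or Sophos).

Assumptions not stated in the article: the plug-in lives at
/Library/Internet Plug-Ins/Flash Player.plugin and its Info.plist carries the
version in CFBundleShortVersionString (falling back to CFBundleVersion).
"""
import plistlib
from pathlib import Path

# Assumed location of the plug-in's property list on Mac OS X.
PLUGIN_PLIST = Path("/Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist")
LATEST_KNOWN = "10.0.32.18"   # current Flash Player at the time of the article


def parse_version(text):
    """'10.0.32.18' -> (10, 0, 32, 18); non-digit suffixes are ignored."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def compare(a, b):
    """-1 if a < b, 0 if equal, 1 if a > b, comparing component by component.
    Shorter versions are zero-padded so '10.0.32' equals '10.0.32.0'."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def version_from_plist(data):
    """Extract the bundle version from raw Info.plist bytes."""
    info = plistlib.loads(data)
    return info.get("CFBundleShortVersionString") or info.get("CFBundleVersion")


def classify(installed, latest, before_upgrade=None):
    """'downgraded' if the installer regressed a recorded version,
    otherwise 'current' or 'outdated' relative to the latest release."""
    if before_upgrade is not None and compare(installed, before_upgrade) < 0:
        return "downgraded"
    return "current" if compare(installed, latest) >= 0 else "outdated"


# Constructed sample: the plug-in's Info.plist after the installer dropped
# 10.0.23.1 onto a machine that previously had 10.0.32.18 (versions from the
# article; the dictionary layout is an assumption).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.macromedia.Flash Player.plugin</string>
    <key>CFBundleShortVersionString</key>
    <string>10.0.23.1</string>
</dict>
</plist>
"""


def check(plist_bytes, recorded_before=None, latest=LATEST_KNOWN):
    """Return (installed_version, status) for the given Info.plist bytes."""
    installed = version_from_plist(plist_bytes)
    return installed, classify(installed, latest, recorded_before)


if __name__ == "__main__":
    # Use the real plug-in when present, otherwise the constructed sample.
    data = PLUGIN_PLIST.read_bytes() if PLUGIN_PLIST.exists() else SAMPLE_PLIST
    installed, status = check(data, recorded_before="10.0.32.18")
    print(f"Flash Player {installed}: {status} (latest known {LATEST_KNOWN})")
```

Record the pre-upgrade version (the output of `version_from_plist` on the live file) before running the OS installer; without that record the script can only say the plug-in is outdated, not that it was downgraded.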

Adobe has been in the spotlight since last month's release of Snow Leopard, as it works with users on compatibility questions regarding its Creative Suite products.

(Via AppleInsider)

Jim Dalrymple has followed Apple and the Mac industry for the last 15 years, first as part of MacCentral and then in various positions at Macworld. A guitar player for 20 years, Jim also writes about the professional audio market, examining the best ways to write and record songs on a Macintosh with Logic Pro and Pro Tools. Jim is a member of the CNET Blog Network and is not an employee of CNET.
by ballmerisanape September 3, 2009 8:36 AM PDT
Thanks for the info.
by BingItOn September 3, 2009 1:35 PM PDT
Yeah I will never buy CRAPple anyway. jobsisamonkey.
by ballmerisanape September 3, 2009 1:41 PM PDT
Because of an Adobe problem? Good thinking. Next time you get a flat tire, you should call up your car's manufacturer and complain.
by BingItOn September 3, 2009 2:15 PM PDT
No because of this

http://news.cnet.com/8301-1009_3-10154662-83.html
The Macintosh and base Linux kernel operating systems have dominated the top spots for vulnerabilities by operating system over the past three years

http://news.cnet.com/8301-13579_3-10187192-37.html
The average selling price of a Mac desktop in the U.S. over the last six months was $1,503, while the average selling price of a Mac notebook was $1,493. Windows customers paid an average of $545 for their desktops over the last six months, while they paid $637 for their notebooks.

http://news.cnet.com/8301-1009_3-10199652-83.html?tag=mncol;posts
Safari hole exploited in seconds at security conference

http://i.gizmodo.com/256768/mac-os-x-less-secure-than-vista

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9072959

http://www.zdnet.com.au/news/security/soa/Mac-OS-X-hacked-under-30-minutes/0,130061744,139241748,00.htm

http://blogs.zdnet.com/security/?p=2941

http://www.wired.com/gadgetlab/2009/09/security-snow-leopard

jobsisamonkey
by TheAppleGuy September 3, 2009 2:31 PM PDT
@Bing
Anyone who claims an OS is 100% malware free is lying. I also read this: http://www.wired.com/gadgetlab/2009/09/security-snow-leopard

I have a Mac and am very happy with it, but I am definitely going to get Windows 7 on Oct 22; I've been using it since the RC and it is overall a great experience.
by bananaphonerules September 3, 2009 6:33 PM PDT
ballmerisanape is sometimes guilty of being "trollish", but I think the comment certainly didn't warrant BingItOn's attack.
Computers are computers... and invariably most modern OSes are so close to each other it doesn't matter.

The only issues left are trolls and openness / awareness of security.
by ballmerisanape September 3, 2009 6:45 PM PDT
I prefer "spirited".. or even "passionate"... :)
by BingItOn September 3, 2009 10:46 PM PDT
Nice thinking @bananaphonerules I agree with you but my CRAPPle friend doesn't think the same way so it's my turn now ;)

jobsisamonkey
by ckh1272 September 4, 2009 1:44 AM PDT
"by BingItOn September 3, 2009 10:46 PM PDT
Nice thinking @bananaphonerules I agree with you but my CRAPPle friend doesn't think the same way so it's my turn now ;) "

@BingItOn--You couldn't be any more biased if your username was "ILoveMicrosoft". You serve absolutely no purpose on these threads and most people here really don't care what you have to say and you are not going to change anyone's mind when you have such a bias. I know it won't matter to you because you'll just keep on trolling but consider this post a public service announcement.
by najaboy September 4, 2009 7:07 AM PDT
@ballmerisanape
The thing is that this is an issue created by Apple. The portion of your analogy that you left out is that hypothetical car manufacturer is the one who put a nail in the tire as the new owner drove it off the lot, which resulted in it going flat.
by BingItOn September 4, 2009 9:59 AM PDT
@ckh1272 I agree with you. But unfortunately none of your 627 posts suggest a similar thing to CRAPple bashers. Now how much importance do I give to your suggestion?

Also if ballmerisanape then jobsisamonkey so they come from same family :).

Just read if you wish and enjoy nothing personal here :)
by dennisheadley September 3, 2009 8:49 AM PDT
Well, truth be told, every single 3rd party program on the computer should be checked for upgrades after any OS update on Windows, OS X or Linux. I'm a Vista 64 user myself and I know I always check up on my programs after service packs, fresh installs, etc.

I would have thought that the Snow Leopard upgrade would just remove Flash from the computer as part of the 7 GB of disk recovery and make you install Flash yourself the first time it was called for by a website same as all the other OS's do.
by solitare_pax September 3, 2009 9:01 AM PDT
Odds are, the Flash program will prompt you to install the upgrade next time you use it in Snow Leopard.

So just do it...
by bonesbautista September 3, 2009 12:58 PM PDT
Ditto, and excellent advice. I heeded that mantra - check for updates - right after I completed the SL and XP SP3 updates. No problems, no worries.
by shellcodes_coder September 3, 2009 8:55 AM PDT
This is a new feature in Snow Leopard as usual to make hackers happy. Apple never mentioned this feature, nevertheless they like to give surprises.

I am sure you guys remember Charlie Miller. Here's what he recently said: "I'm going to keep saying Snow Leopard is less secure than Windows 7," Miller said. "Fix that one thing and I would stop saying it."

source: (Apple's Snow Leopard Is Less Secure Than Windows, But Safer): http://www.wired.com/gadgetlab/2009/09/security-snow-leopard

Endangered OS Snow Leopard was released in a hurry because they were already feeling the heat of Windows 7. And after the release of Windows 7, Apple knew they would be DOOMED, so they had to do it. That reminds me of Vista...
by Rolker September 3, 2009 9:21 AM PDT
I just wonder what the outcry would have been if this was a Windows issue.
Of course it is not a big deal (I think), and probably flash will update itself after you install the OS.
But I'm sure that some people would have trashed Windows and Microsoft.
by Vegaman_Dan September 3, 2009 4:36 PM PDT
There would be 60+ people here all claiming how this is an example of how much of a failure the company is, why it's all a part of a scam, and it's intentional.

The double standard is very much in play.
by JayAwesome September 3, 2009 8:58 AM PDT
OMG did anyone call the police yet??!!!!!
by Super2online September 3, 2009 9:27 AM PDT
I doubt it, but I'll give you the number just in case: 911
by Mangolite2 September 3, 2009 9:38 AM PDT
"I prayed that they would show up, but nobody answered." - Walt Kowalski
by Vegaman_Dan September 3, 2009 4:37 PM PDT
I'm sorry, you want 9-1.....2.
by jcmark42 September 3, 2009 9:25 AM PDT
Oh great, now I have to double check all my Macs.
by WinNoMo September 3, 2009 9:31 AM PDT
Installed Snow Leopard yesterday. Was prompted to update flash today. No big deal.
by Seaspray0 September 3, 2009 7:51 PM PDT
Flash prompting you to update was not mentioned in the article, and that is relevant. Perhaps Jim should update the article to reflect that.
by shycelticwitch September 4, 2009 11:39 AM PDT
@ Seaspray, I agree with you 100%. This article appears to be nothing more than a blatant attempt to start a flame war. Anyone who doesn't perform 3rd party updates after upgrading an OS shouldn't be using a computer to begin with.
by Seaspray0 September 4, 2009 12:01 PM PDT
@shycelticwitch. I don't see it as a blatant attempt to start a flame war. If this had been an article on Windows downgrading a Flash install, I would want to know about it. The article does have merit since it does provide information that people can consider valuable. I do agree on performing updates after an install. I do not agree on Flash being included as part of that install, since it isn't part of the operating system and since the maker of that install is not providing updates for it. If Apple decides to provide Flash updates as well as OS updates, then I will have no issue with it.
by gsmiller88 September 3, 2009 9:45 AM PDT
If you have any version of Flash Player installed, you're vulnerable.
by Thomas, David September 3, 2009 9:47 AM PDT
News Flash ... An installation that includes a pre-packaged 3rd party application is prone to having that 3rd party's installation overwrite a new version. Fortunately, this particular 3rd party automatically checks for updates, and informs the user.

The security "expert" would also concede that any update requests from the same application they have been "diligently" keeping up-to-date, will simply update the application.

So .... let me think .... the security "expert"'s own logic shoots his entire "alarm" to pieces ... tiny little ones, I'd like to add (if not totally obliterated) ...

Bottom-line ... comprehending the security "expert"'s own logic yields a simple "***?"
by joetesta70 September 3, 2009 3:28 PM PDT
Are you high? New installs never overwrite old ones unless Apple F-ed up. It's not Adobe's fault that's for sure
by Vegaman_Dan September 3, 2009 4:38 PM PDT
Here's a question for you-

Why was Flash included in the first place? It has nothing to do with OS X and isn't needed for an upgrade.
by Thomas, David September 3, 2009 6:15 PM PDT
Ok, especially you joetesta70

What on Gods green earth made you think that Adobe didn't provide the software installation package? Anyone know of a different, non-best practice to follow like that?

VD, shame on you, I KNOW you know that the controlling installer simply invokes the 3rd party installer.

Think First
by Seaspray0 September 3, 2009 7:59 PM PDT
I agree, Dan. It should not have been included since it isn't part of the OS. What will make the matter worse is time. As time goes by, even more revisions will be released. Two years down the road, the flash revision hard coded into the upgrade will be even more out of date. But can't we say that concerning any OS installation as well? I still have a restore disk to one of the computers around here that's XP SP1. Do you know how outdated that is on revision? If the computer could read DVD's, I would have slipstreamed SP3 into it, making it a XP SP3 restore disk.
by Vegaman_Dan September 3, 2009 10:05 PM PDT
@David Thomas:

"Think First:

Okay let me think about that. Flash gets installed when you install OS X Snow Leopard. Flash is not needed for OS X to run. It is only there because Apple authorized its inclusion. It is there intentionally.

Thank you, that clears up absolutely nothing. Perhaps you didn't read my comment. To help you, I'll restate it:

Why was Flash included in the first place?

Read. First. Before. Responding.
by ckh1272 September 4, 2009 1:53 AM PDT
@Seaspray0 and Vegaman_Dan--So based on your statements, I guess Java shouldn't be included in the installation either, since it's from a 3rd party as well. Cherry picking or double standard?? Heck, there was a time when Apple included Internet Explorer on its systems. So when does the 3rd party rule not apply? This issue is much ado about nothing. Run the update and be done with it.
by qwerty-berty September 4, 2009 2:02 AM PDT
@ckh1272

Mac OS X java is a first party Apple component.
by ckh1272 September 4, 2009 2:43 AM PDT
"by qwerty-berty September 4, 2009 2:02 AM PDT
@ckh1272

Mac OS X java is a first party Apple component."

That's true to an extent, but it is still a component provided by Sun. Besides, there are plenty of other examples of 3rd party installs like that, past and present. This article is still much ado about nothing, if you ask me. This is nothing but a bait article for more hits and we all fell for it, hook, line, and sinker.
by qwerty-berty September 4, 2009 2:50 AM PDT
@ckh1272

BTW Sun have nothing to do with the Java implementation on the Mac other than to collect the license fee from Apple. But I agree with you that there are a lot of non-stories round here designed to start flame wars :/
by Seaspray0 September 4, 2009 12:07 PM PDT
@chk1272. "I guess Java shouldn't be included in the installation either, since it's from a 3rd party as well." No, it should not be included unless the maker of that disk provides updates for it. Case in point, Ubuntu provides Firefox with the install, but when you get updates from Ubuntu, they update Firefox. That is acceptable. Until Apple provides updates for Flash, I don't see it as acceptable.
by ebpda9 September 3, 2009 10:01 AM PDT
ohh noes, my mac is gonna get h4xx0r3d. </sarcasm>
by bananaphonerules September 3, 2009 6:35 PM PDT
It already has...you just are in denial that OSX is perfect.
by Ice Moose September 3, 2009 10:03 AM PDT
If you are bundling 3rd party plug-ins and/or apps, that's the risk you are running.
Apple could add a post or pre-install step to check for latest versions of the bundled 3rd party components; they apparently didn't.

Is it a big deal in a personal use scenario? - No, unless the first Flash-enabled site you happen to visit is a malware spreading one (intentionally set up to be that way, or just freshly hacked).

For a large scale deployments that may be a bigger deal.

No vendor is perfect. Pick imperfections according to your preferences.
by Vegaman_Dan September 3, 2009 10:06 PM PDT
Since Apple is the one distributing it, it's their responsibility to address. I'm not sure why people are trying to make excuses for this on Apple's behalf.
by BingItOn September 4, 2009 1:19 AM PDT
What else do you expect from CRAPPle fans?
by ckh1272 September 4, 2009 1:55 AM PDT
"by BingItOn September 4, 2009 1:19 AM PDT
What else you expect from CRAPPle fans?"

@BingItOn--I guess we expect the same answer that we get from people like you. Complete and utter ignorance.
by BingItOn September 4, 2009 1:07 PM PDT
@ckh1272, people like me??? Okay, I will just ignore your comment as it looks like a personal attack :)
by ckh1272 September 13, 2009 3:06 PM PDT
"by BingItOn September 4, 2009 1:07 PM PDT
@ckh1272, people like me ??? okay I will just ignore your comment as it looks like personal attck :)"


@BingItOn--How is my statement any different than your "CRAPPle fans" statement? Also, it's no more a personal attack than "jobsisamonkey". Think about it for once.
by webdev511 September 3, 2009 10:18 AM PDT
Damned if you do and damned if you don't, but this is a situation where NOT including a third party security hole is the right thing to do. First party security holes are fine though.
by eason_chan September 3, 2009 10:46 AM PDT
oh no! my mac didn't ask me to upgrade adobe flash, how do i do it by myself?
by Dalkorian September 3, 2009 11:47 AM PDT
Option 1: Be patient, it may take some time (weeks?) for Flash to get around to checking for newer versions.

Option 2: Follow the link in the article to the blog post, which has links to Adobe's Flash website, where you can download the latest version (and check the current version).

As usual, the haters have run with this story but really it's a non-event. The reason they have run with it is they have so little to run with that they latch onto anything they can get and make the biggest deal they can of it. They do this to make themselves feel better about the lousy computer decisions they have made themselves.
by filipiak September 3, 2009 11:06 AM PDT
Flash 10.0.32.18 was released on July 30 - 29 days before Snow Leopard went on sale. I'm not sure what the lead time is in getting masters to their disc duplication service, but it seems reasonable to believe Apple would have tested the then-current version of Flash at some point in the Spring, and then moved on to other things.

After all, we were ALL in the same boat on July 29th.
by sciontcya September 3, 2009 11:36 AM PDT
How is this news?
A company works over a year on an OS upgrade.
They have to burn a GM DVD at some point.
How in the HELL will everything be up-to-date when it ships?
Answer: It won't.
Not from Apple, Red Hat, or Microsoft.
Move on.
by DrtyDogg September 3, 2009 3:29 PM PDT
Neither Microsoft nor Red Hat bundles Flash with their OS.
by Vegaman_Dan September 3, 2009 10:09 PM PDT
It does make you wonder what sort of sweetheart deal was made to get it included. Apple surely isn't including it on every install for free or out of their generous nature.
by BingItOn September 4, 2009 1:20 AM PDT
CRAPPle should ship Silverlight.
by ckh1272 September 4, 2009 1:56 AM PDT
"by DrtyDogg September 3, 2009 3:29 PM PDT
Microsoft nor red-hat bundles flash with their OS."

Microsoft does bundle Java (3rd party), which has security issues as well, so what is your point??
by shycelticwitch September 4, 2009 11:48 AM PDT
@ VD... (sorry, the acronym fits so well I just gotta use it) You know Apple got no sweet deal, we pay for the inclusion with overinflated pricing for lousy software and inferior equipment. You remind us of that consistently so why would you even ask such a silly question when you already know the answer?

That fact millions of Mac users don't agree with you isn't even an issue here, but that is what seems to drive your participation in these posts, so carry on.

As for Apple's generous nature, perhaps you should look into that before you end up with not just egg, but rotten egg on your face...
by swattz101 September 3, 2009 12:32 PM PDT
As many stated, this is a non-issue. This is not a Microsoft "fanboi" trying to put Apple down, just a "journalist" summarizing an article. In fact, I didn't see anything at all from the journalist except Cluley said, Cluley said, Cluley said..... They might as well have just posted the link and been done with it.

As for Cluley's blog post, it is his job to cover security issues. Bravo to him for finding this and alerting people, even if it would be updated automatically the first time someone tried to use Flash. It's just one more thing to make sure you know. And I would say this whether it was for OS X, Windows, *nix, OS/2, whatever. I don't fault Apple, and as someone stated earlier, they can't have every single 3rd party software updated at the time they go gold.
by rapier1 September 3, 2009 1:00 PM PDT
Well obviously you can't have everything current in the distribution disc *but* there is no reason why it can't contact a server at apple that has updates on it. The install process just pings the server and says "is there anything new since the date I was written to disc". The server says "Yup, here are the updates, enjoy!". Pretty straightforward and well known process.
by Seaspray0 September 3, 2009 8:07 PM PDT
@rapier1. That would work if apple updates also provided flash updates. When are they going to start doing that?
by MaggieRed September 3, 2009 12:58 PM PDT
Yep and you have to update your Flip-4-Mac too.