9/3/2009 12:44 PM

Apple's Snow Leopard Downgrades Flash Security

Users of Apple's Snow Leopard Mac OS X operating system upgrade are being advised to install, or reinstall, the latest version of Adobe's Flash player.

Apple's Mac OS X 10.6 "Snow Leopard" operating system upgrade comes with several security improvements, but also includes a security downgrade: It installs an outdated version of Adobe's Flash player software with known vulnerabilities that are being actively exploited.

In a blog post, Graham Cluley, senior technology consultant for Sophos, explains that Snow Leopard installs Flash player version 10.0.23.1, which Adobe superseded on July 30 with version 10.0.32.18 to address 12 different vulnerabilities.

The fix is straightforward. As Adobe's David Lenoe advises in a blog post, "We recommend all users update to the latest, most secure version of Flash Player (10.0.32.18)," which is available for download from the Adobe Web site.
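The check implied by that advice, written here as an added example rather than anything from the article, Adobe, or Apple: a POSIX shell script that reads the installed Flash plug-in's version string from its Info.plist and compares it, field by field, against 10.0.32.18. The plug-in path and the CFBundleShortVersionString key are the conventional Mac OS X locations for the Flash plug-in bundle and are assumed, not taken from the article; PlistBuddy is Apple's stock plist tool. The numeric, per-field comparison is the point worth noting, because a plain string comparison would rank 10.0.9 above 10.0.32.

```shell
#!/bin/sh
# Added example (not from the article): report whether the installed Flash
# Player plug-in is at or above the version Adobe shipped on July 30, 2009.
# The plist path and key below are the usual Mac OS X locations for the
# Flash plug-in bundle and are assumed here, not stated by the article.

MIN_SAFE_FLASH="10.0.32.18"
FLASH_PLIST="/Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist"

# version_ge A B: return 0 if dotted version A >= B, 1 otherwise.
# Fields are compared as integers, so 10.0.9 < 10.0.32 (a string
# comparison would get that wrong). Missing fields count as 0, and any
# trailing non-digit suffix on a field (e.g. "32b") is ignored.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# flash_status VERSION: print a verdict for the given installed version;
# return 0 when it is at or above MIN_SAFE_FLASH, 1 when it is older.
flash_status() {
    if version_ge "$1" "$MIN_SAFE_FLASH"; then
        echo "OK: Flash $1 is at or above $MIN_SAFE_FLASH"
        return 0
    fi
    echo "VULNERABLE: Flash $1 is older than $MIN_SAFE_FLASH; update from adobe.com"
    return 1
}

# installed_flash_version: print the plug-in's version string, "none" if
# the plug-in bundle is absent, or "unknown" if the plist cannot be read.
installed_flash_version() {
    if [ -f "$FLASH_PLIST" ]; then
        /usr/libexec/PlistBuddy -c "Print :CFBundleShortVersionString" \
            "$FLASH_PLIST" 2>/dev/null || echo "unknown"
    else
        echo "none"
    fi
}

# Report on this machine. The report itself never fails, so the file can
# also be sourced for its functions; the verdict is the printed line.
installed="$(installed_flash_version)"
case "$installed" in
    none)    echo "Flash Player plug-in not found at $FLASH_PLIST" ;;
    unknown) echo "Could not read CFBundleShortVersionString from $FLASH_PLIST" ;;
    *)       flash_status "$installed" || true ;;
esac
```

Run it as `sh check_flash.sh`; a Snow Leopard machine still carrying the bundled 10.0.23.1 prints the VULNERABLE line, and a machine without the plug-in says so rather than failing.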

But the oversight, which may reflect nothing more than Apple's need to freeze its code well before discs are pressed and seeded to distribution channels, has provided more ammunition to security companies that have been critical of Apple's claims about Snow Leopard's security improvements.

Such companies, of course, face the possibility of being made redundant when operating system makers like Apple or Microsoft begin building security features into their software. As a consequence, any addition along these lines typically prompts third-party security vendors to shine a spotlight on missteps, mistakes, or glaring failures.

For Apple, alleged security shortcomings appear worse than they might really be because the company's culture of secrecy, which stands in contrast to the recent push for better information sharing in the security industry, comes across as a lack of concern.

Apple, for example, neglected to inform users that the Snow Leopard upgrade would disable any screensaver password lock that had been in place. This prompted Sophos researcher Chester Wisniewski to complain, "Another change to my security settings without notification or permission? Some changes are necessary and difficult to migrate, but PLEASE tell me about things that affect my safety when using my computer."

That may seem a peevish point to make, but strictly speaking, changes to security settings without notice or permission represent behavior more often seen in malware.

In a security memo released on Wednesday, Intego, a maker of Mac security software, offers a more substantive analysis of the shortcomings of Apple's new security features in Mac OS X 10.6.

"Not only does [Snow Leopard] only scan files from a handful of applications, and only for two Trojan horses, but it didn't even spot all the current variants that we tested," the memo states. "It cannot repair files or scan your Mac to find existing infections. It doesn't detect malware contained in metapackages, making it very simple to distribute malware that will bypass Apple's protection. It cannot scan network volumes, and it won't even see infected files copied from removable media. In short, Apple's anti-malware function in Snow Leopard is notable for the lack of serious protection it provides to Mac users."

There's an element of self-promotion driving observations of this sort, to be sure, but that doesn't necessarily make the points less valid. The challenge for Apple in the coming months will be translating the security touted in its advertising into security practices that actually mitigate risk.

