Vulnerabilities / Threats
9/3/2009
12:44 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%
Repost This

Apple's Snow Leopard Downgrades Flash Security

Users of Apple's Snow Leopard Mac OS X operating system upgrade are being advised to install, or reinstall, the latest version of Adobe's Flash player.

Apple's Mac OS X 10.6 "Snow Leopard" operating system upgrade comes with several security improvements, but also includes a security downgrade: It installs an outdated version of Adobe's Flash player software with known vulnerabilities that are being actively exploited.

In a blog post, Graham Cluley, senior technology consultant for Sophos, explains that Snow Leopard installs Flash player version 10.0.23.1, which Adobe updated on July 30 version to 10.0.32.18 to address 12 different vulnerabilities.

The fix is straightforward. As Adobe's David Lenoe advises in a blog post, "We recommend all users update to the latest, most secure version of Flash Player (10.0.32.18)," which is available for download from the Adobe Web site.

But the oversight, which may reflect nothing more than Apple's need to freeze its code well before discs are pressed and seeded to distribution channels, has provided more ammunition to security companies that have been critical of Apple's claims about Snow Leopard's security improvements.

Such companies, of course, face the possibility of being made redundant when operating system makers like Apple or Microsoft begin building security features into their software. As a consequence, any addition along these lines typically prompts third-party security vendors to shine a spotlight on missteps, mistakes, or glaring failures.

For Apple, alleged security shortcomings appear worse than they might really be because the company's culture of secrecy, which stands in contrast to recent push for better information sharing in the security industry, comes across as lack of concern.

Apple, for example, neglected to inform users that the Snow Leopard upgrade would disable any screensaver password lock that had been in place. This prompted Sophos researcher Chester Wisniewski to complain, "Another change to my security settings without notification or permission? Some changes are necessary and difficult to migrate, but PLEASE tell me about things that affect my safety when using my computer."

That may seem a peevish point to make, but strictly speaking, changes to security settings without notice or permission represent behavior more often seen in malware.

In a security memo released on Wednesday, Intego, a maker of Mac security software, offers a more substantive analysis of the shortcomings of Apple's new security features in Mac OS X 10.6.

"Not only does [Snow Leopard] only scan files from a handful of applications, and only for two Trojan horses, but it didn't even spot all the current variants that we tested," the memo states. "It cannot repair files or scan your Mac to find existing infections. It doesn't detect malware contained in metapackages, making it very simple to distribute malware that will bypass Apple's protection. It cannot scan network volumes, and it won't even see infected files copied from removable media. In short, Apple's anti-malware function in Snow Leopard is notable for the lack of serious protection it provides to Mac users."

There's an element of self-promotion driving observations of this sort, to be sure, but that doesn't necessarily make the points less valid. The challenge for Apple in the coming months will be translating the security touted in its advertising into security practices that actually mitigate risk.


InformationWeek Analytics has published an independent analysis on strategic security. Download the report here (registration required).

For Further Reading:

Complete Apple Snow Leopard Coverage

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-0460
Published: 2014-04-16
The init script in kbd, possibly 1.14.1 and earlier, allows local users to overwrite arbitrary files via a symlink attack on /dev/shm/defkeymap.map.

CVE-2011-0993
Published: 2014-04-16
SUSE Lifecycle Management Server before 1.1 uses world readable postgres credentials, which allows local users to obtain sensitive information via unspecified vectors.

CVE-2011-3180
Published: 2014-04-16
kiwi before 4.98.08, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands via shell metacharacters in the path of an overlay file, related to chown.

CVE-2011-4089
Published: 2014-04-16
The bzexe command in bzip2 1.0.5 and earlier generates compressed executables that do not properly handle temporary files during extraction, which allows local users to execute arbitrary code by precreating a temporary directory.

CVE-2011-4192
Published: 2014-04-16
kiwi before 4.85.1, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands as demonstrated by "double quotes in kiwi_oemtitle of .profile."

Best of the Web