Vulnerabilities / Threats
9/3/2009 12:44 PM

Apple's Snow Leopard Downgrades Flash Security

Users of Apple's Snow Leopard Mac OS X operating system upgrade are being advised to install, or reinstall, the latest version of Adobe's Flash player.

Apple's Mac OS X 10.6 "Snow Leopard" operating system upgrade comes with several security improvements, but also includes a security downgrade: It installs an outdated version of Adobe's Flash player software with known vulnerabilities that are being actively exploited.

In a blog post, Graham Cluley, senior technology consultant for Sophos, explains that Snow Leopard installs Flash player version 10.0.23.1, a release Adobe superseded on July 30 with version 10.0.32.18, which addressed 12 different vulnerabilities.

The fix is straightforward. As Adobe's David Lenoe advises in a blog post, "We recommend all users update to the latest, most secure version of Flash Player (10.0.32.18)," which is available for download from the Adobe Web site.
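As an added illustration (not code from the article, Adobe, or Apple), the following shell script reports whether an installed Flash player is older than 10.0.32.18. It compares the dotted version numerically, component by component, because a plain string comparison misorders versions such as 10.0.9.x against 10.0.32.x. The plugin path, the `CFBundleShortVersionString` key in the plugin's Info.plist, and reading it with `defaults read` are assumptions about the plugin bundle; the sample version strings are constructed.

```shell
#!/bin/sh
# Added example, not code from the article, Adobe, or Apple: report whether
# the installed Flash Player plugin is older than the July 30, 2009 release.
# Assumptions: the plugin lives at the path below and its Info.plist carries
# the version in CFBundleShortVersionString (readable with `defaults read`).

MIN_FLASH_VERSION="10.0.32.18"
FLASH_PLIST="/Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist"

# version_lt A B: succeed (exit 0) when dotted version A is strictly older
# than B. Components are compared as integers, so 10.0.9.5 < 10.0.32.18 even
# though "9" sorts after "3" as a string; missing components count as 0.
version_lt() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac="${a%%.*}"; ac="${ac:-0}"   # leading component of each string
        bc="${b%%.*}"; bc="${bc:-0}"
        if [ "$ac" -lt "$bc" ]; then return 0; fi
        if [ "$ac" -gt "$bc" ]; then return 1; fi
        # drop the component just compared; an undotted remainder is the last one
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1   # versions are equal
}

# flash_status VERSION: print "outdated" when VERSION is below the minimum,
# otherwise "current".
flash_status() {
    if version_lt "$1" "$MIN_FLASH_VERSION"; then
        echo outdated
    else
        echo current
    fi
}

# installed_flash_version: print the version recorded in the plugin's
# Info.plist (assumed key and location), or fail when no plugin is installed.
installed_flash_version() {
    [ -f "$FLASH_PLIST" ] || return 1
    defaults read "${FLASH_PLIST%.plist}" CFBundleShortVersionString
}

if v=$(installed_flash_version 2>/dev/null); then
    echo "Installed Flash Player $v is $(flash_status "$v") (minimum $MIN_FLASH_VERSION)"
else
    echo "No Flash plugin at $FLASH_PLIST; checking constructed sample versions:"
    for v in 10.0.23.1 10.0.9.5 10.0.32.18 10.1.0.0; do
        echo "  $v -> $(flash_status "$v")"
    done
fi
```

Run it on the upgraded Mac; when the plugin is missing it falls back to the constructed samples so the comparison logic can be exercised anywhere. The same component-wise comparison is what a fleet inventory check should use, since a lexical sort of version strings silently passes some outdated builds.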

But the oversight, which may reflect nothing more than Apple's need to freeze its code well before discs are pressed and seeded to distribution channels, has provided more ammunition to security companies that have been critical of Apple's claims about Snow Leopard's security improvements.

Such companies, of course, face the possibility of being made redundant when operating system makers like Apple or Microsoft begin building security features into their software. As a consequence, any addition along these lines typically prompts third-party security vendors to shine a spotlight on missteps, mistakes, or glaring failures.

For Apple, alleged security shortcomings appear worse than they might really be because the company's culture of secrecy, which stands in contrast to the security industry's recent push for better information sharing, comes across as a lack of concern.

Apple, for example, neglected to inform users that the Snow Leopard upgrade would disable any screensaver password lock that had been in place. This prompted Sophos researcher Chester Wisniewski to complain, "Another change to my security settings without notification or permission? Some changes are necessary and difficult to migrate, but PLEASE tell me about things that affect my safety when using my computer."

That may seem a peevish point to make, but strictly speaking, changes to security settings without notice or permission represent behavior more often seen in malware.

In a security memo released on Wednesday, Intego, a maker of Mac security software, offers a more substantive analysis of the shortcomings of Apple's new security features in Mac OS X 10.6.

"Not only does [Snow Leopard] only scan files from a handful of applications, and only for two Trojan horses, but it didn't even spot all the current variants that we tested," the memo states. "It cannot repair files or scan your Mac to find existing infections. It doesn't detect malware contained in metapackages, making it very simple to distribute malware that will bypass Apple's protection. It cannot scan network volumes, and it won't even see infected files copied from removable media. In short, Apple's anti-malware function in Snow Leopard is notable for the lack of serious protection it provides to Mac users."

There's an element of self-promotion driving observations of this sort, to be sure, but that doesn't necessarily make the points less valid. The challenge for Apple in the coming months will be translating the security touted in its advertising into security practices that actually mitigate risk.
