ie8 fix
madison

Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev
Home / News & Blogs / Zero Day

Snow Leopard ships with vulnerable Flash Player

By | September 2, 2009, 4:42pm PDT

Summary: Apple’s new operating system comes with an outdated version of Flash Player that exposes Mac users to hacker attacks.

Apple’s new operating system comes with an outdated version of Flash Player that exposes Mac users to hacker attacks.

The initial release of Mac OS X 1..6 (Snow Leopard) includes Flash Player 10.0.23.1, which is very much out of date.   The fully patched version of Flash Player for Mac is version 10.0.32.18.

[ SEE: Apple adds malware blocker in Snow Leopard ]

Even worse, Intego reports that the vulnerable version of Flash is included even if the Mac user was fully patched before upgrading the operating system.

The current version of Flash Player for Mac is 10.0.32.18, but if you go to the Flash Player version test page after installing Snow Leopard, you’ll find that you have version 10.0.23.1, even if you were up-to-date before the upgrade. It seems that Apple is shipping an outdated, even dangerous version of Flash Player.

Adobe has also spotted the hiccup and released a security alert to warn of the problem.

The initial release of Mac OS X 10.6 (Snow Leopard) includes an earlier version of Adobe Flash Player than what is available from Adobe.com. We recommend all users update to the latest, most secure version of Flash Player (10.0.32.18) — which supports Snow Leopard and is available for download from http://www.adobe.com/go/getflashplayer.

Snow Leopard also includes a rudimentary file quarantine feature to help block known malware attacks against Mac OS X users.

Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

More from “Zero Day”

Topics

Apple Macintosh, Macromedia Flash Player, Malware, Apple Mac OS X, Spyware, Adware & Malware, Apple Mac OS, Cyberthreats, Desktops, Operating Systems, Viruses And Worms, Security, Software, Hardware, Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

86
Comments
Add Your Opinion

Join the conversation!

Just In

RE: Snow Leopard ships with vulnerable Flash Player
birumut Updated - 29th Apr 2011
Well done! Thank you very much for professional templates and community edition
seslisohbet seslichat
View in thread
0 Votes
+ -
This is unpossible!!! Stop Lying!! Snow Leopard is Teh Secure!
Qbt 2nd Sep 2009
Of course cue the apologists telling us how this isn't Apple's fault because they didn't write the Flash player...
0 Votes
+ -
Well, they didn't, BUT they did include it ...
mwagner@... 3rd Sep 2009
... instead of letting the user who need Flash download the latest version.
0 Votes
+ -
Who needs flash...
arminw 3rd Sep 2009
when 90%+ of the web works just fine without it and flash is mostly used
for pesky ads which show up as a blank spot of flash isn't there.
0 Votes
+ -
Most people watch YouTube videos
Michael Kelly 3rd Sep 2009
Most web video these days requires Flash. If you don't want that, then by all means uninstall Flash and your life will be easier. But if you want the video you'll need the Flash (or Gnash or some compatible equivalent).

Personally I use AdBlock if ads interfere with the web page, but I'll let it slide as long as the ad does not interfere with the overall experience (because I know those ads keep the web page free).
0 Votes
+ -
You might do better with Flashblock
j.m.galvin 3rd Sep 2009
If the ad isn't flash, it'll be there.

With flashblock you can easily configure it to show flash from named sites
so you don't have to fool around changing things whwn you want flash. If
you get an embedded youtube video on a webpage and you have youtube
cleared it will play.
0 Votes
+ -
Cool!...(nt)
JCitizen 13th Sep 2009
.
0 Votes
+ -
So far the only posts are from windows fanbois
frgough 2nd Sep 2009
telling us what the Apple fanbois are going to say.

The solution here is simple. Update your flash player after
you install Snow Leopard.

Stupid on the part of Apple? Yeah. Apocalypse? No.
0 Votes
+ -
Well, the problem is that..
Dealing Updated - 2nd Sep 2009
for some reason, the update isn't listed in the automatic software update list.

No pun intended. But going to the website and downloading the update directly are Windows/Linux users' kind to thing, you know. We Mac people don't do that. That's why we paid $1000 extra on it in the first place.
0 Votes
+ -
No apology given, none necessary.
Richard Flude 2nd Sep 2009
This is simply not good enough.

If adobe flash isn't in "Software Update" it shouldn't be shipped with SL.
0 Votes
+ -
Only Apple's software is updated via Software Update
Mikael_z 3rd Sep 2009
it's entirely available in Apple Downloads here:
http://www.apple.com/downloads/macosx/internet_utilities/adobeflashplayer.html

That was not so hard now was it? happy
0 Votes
+ -
Is that an automatic update from apple?
notsofast 3rd Sep 2009
What the other poster was saying, I think, is that if it's not part of an automated apple update (akin to Windows Update or the update tool included in Ubuntu, which updates virtually anything, including apps that didn't ship with Ubuntu), it shouldn't be included in the OS install.

It's pretty clear that home users are not proactive when it comes to software updates or security. There's no reason to believe that Apples non-technical users will go out searching for updates.

Adobe took care of the problem, but this was a pretty big mistake, if for no other reason than Flash seems like the most common vector of attack against home users.

Apple needs to step up their game, and I'm sure they will, but it's becoming increasingly clear that they need to focus more on Security.
0 Votes
+ -
What about all the crap in Windows
djzoey 3rd Sep 2009
Never seem to mention the flaws in Windows, but when apple releases,
oh my, the worse thing ever. NOT. Get over it Windows Fan bois. An I use
windows. LOL.
0 Votes
+ -
No ... the point is ...
de-void-21165590650301806002836337787023 3rd Sep 2009
... that for years, the Appleista have been quick to jump on any announcement of a "Windows exploit" which are often actually penetrations through 3rd party software (a lot of it Adobe's) and they have shouted with glee about how insecure Windows is ...

... But now that OSX has started getting popular, those same Apple fans are facing the kind of trials and tribulations that many Windows users have already learned how to protect themselves from.

Alas, the overriding mentality of Mac users is that they're impervious to attack because of the (grossly inaccurate) "OSX has no vulnerabilities" meme. Jobs will have a lot of explaining to do in a couple of years when OSX grows just a few more percentage points and starts becoming the target for mass exploitation.
0 Votes
+ -
So far the only posts are from windows fanbois
kmackdog@... 3rd Sep 2009
Well of coarse only the Windows people will
respond. The tone of the article was that the
world was coming to an end. I don't read many of
his articles but it seems the person writing this
is a Windows Guy!.
0 Votes
+ -
speaking of updates
dlights@... 3rd Sep 2009
Kind of like, WHEN I was a PC....everytime I loaded a window's program, I
am directed to their update page for 20 minutes of downloads to update
the program.....People in glass houses........
0 Votes
+ -
You're right
notsofast 3rd Sep 2009
but if this was a windows 7 issue, you can be sure that all the Mac fan boys would post how this shows how crappy windows/MS is.

It's much like Walt Mossberg's recent review of Leopard. His criticisms were mild and he generally gave them a pass for incompatibilities and he doesn't take them to task for dropping support for machines that may have been purchased as recently as 3 years ago.

OTOH, incompatibilities with Vista or 7 are signs of how inferior Windows is to OS X and the inability to do an in-place upgrade from XP (an 8 year-old OS)is unforgivable....nevermind that he complained that it required XP users to back up their data if they don't have another HD/free partition. Never mind that his assertion was false, he essentially gives his readers the terrible advice that backing up your data before a major upgrade is part of every upgrade.

I don't care if you're running Unix, Linux, Windows or OS X, you're rolling the dice if you don't back up first.

Besides, if you dislike 7 or Snow Leopard, you can just reinstall from your back up and you're back in business.
0 Votes
+ -
Apple products suck at Flash. Everybody knows that.
Dealing Updated - 2nd Sep 2009
I don't know the story behind it but it is like they don't want to support Flash but still reluctantly put it in because a lot of websites use it.

I believe Apple doesn't like depending on other people's standard. They love making their own.

And now it has taken its toll on them.
0 Votes
+ -
Making their own standards....
Wolfie2K3 3rd Sep 2009
Hmmm. So if Apple makes their own standard, it's OK.. But if Microsoft does it, they're evil for not following open standards - even if those "wonderful" open standards are problematic...?

Gotta love double standards...
0 Votes
+ -
Re: Making their own standards....
Jamik 3rd Sep 2009
Cept last time I checked Flash wasn't an open standard, it's proprietary software.
0 Votes
+ -
RE: Making their own standards
gschultz 3rd Sep 2009
Wolfkie2k3, did you read dealing's post correctly? He's ripping Apple for having their own standard, not saying it is OK.
0 Votes
+ -
You are actually correct here
root12 3rd Sep 2009
If you are under the spell of Microsoft, well all
is fine and dandy when Microsoft makes their own
standards. But if you are out of that, they make
it extremely difficult. They have the worlds best
lawyers, lobbyists, unlimited funds to push
whatever suits them. Apples power is a drop in the
ocean compared to Microsoft. It is in your best
interest not to support such corporations.
0 Votes
+ -
What planet are you on?
de-void-21165590650301806002836337787023 3rd Sep 2009
Apple has no power?

This is the same Apple that has a bigger cash warchest than Microsoft.

The same Apple that has successfully sued every other competitor to their hardware platform out of existence ... further strengthening their monopoly and yet none of the regulators raise an eyebrow?

The same Apple that has almost single-handedly taken over the music distribution industry ... commoditizing music to the point that artists make practically no money from album sales and yet nobody thinks this is wrong?

The same Apple that strong-armed the music industry to allow it to sell their music DRM-free online.

This is the same Apple that has convinced the world that it was the inventor and the sole owner to the portable MP3 player and managed to completely eat the market building a monopoly out of nothing in no time at all.

But then, perhaps none of this happened in your world?
0 Votes
+ -
Making their own standards....
kmackdog@... 3rd Sep 2009
Wait are you comparing the vendor with
approximately 80% market share to one with
approximately 10%?

Let me know if you have any more of that spiked
Kool-Aid.
0 Votes
+ -
Two problems with your theory
KWRussell 3rd Sep 2009
1: Not Invented Here? So what has Apple promoted as an alternative to Flash? Quicktime is an obvious solution for video, but for everything else Flash does, Apple doesn't offer their own solution.

2: Apple doesn't "support" Flash, they just ship the latest version of the plug-in on the installer DVD. (At least it's supposed to be the latest version.) The Flash plug-in itself is Adobe's code. Sloppy, crash-prone, CPU-hogging code that Adobe doesn't care to fix for some reason.
0 Votes
+ -
Adobe flash player for mac is a huge resource hog
j.m.galvin 3rd Sep 2009
In almost every case the Mac version requires twice the RAM compared
to the Windows version. It's even worse for Linux - requiring double
that of Mac.

http://www.adobe.com/products/flashplayer/systemreqs/

Another problem is that support for highest quality is confined to more
recent macs. If the guy designing the flash ad or entire site does not
take this into account, and older mac will not play well and possibly
crash.

It gets worse when you hit some web page that has 6 different flash
based ads - all blinking, jumping, talking, etc. Each one of those is
hogging processing power - again twice that required for Windows -
and poor Linux users would require 4 times that. If you use and older
Mac, you learn that Firefox, with the Flashblock add on, is your friend.

The excess use problems of Flash is not just confined to Mac. A relative
of mine is a big boss at one of the huge drug companies. Just 3 weeks
ago he told me that they stripped flash support from all computers
because of all the headaches. It was costing them a lot in fixes and
down time.

0 Votes
+ -
Look no issue
rbert16000 3rd Sep 2009
All anyone has to do is run updates. No bogie. Apple dos lime to set their own
standards. That's Why macs just work. Now go fix a windows PC and charge
them alot.
0 Votes
+ -
I charge a lot more for a mac
davidhite 3rd Sep 2009
So, please keep buying apple products. They are
great, and I can double my labor costs on them.
No different then fixing a windows laptop.
You would be suprised at how many macs I have
repaired given thier market share.
This is still cheaper then sending it back to
apple for non warrenty repair.
All I can say is us IT folk should embrace apple,
it is job security
0 Votes
+ -
Thanks, guys, for pointing this out.
Zukuzu 2nd Sep 2009
-nt-
0 Votes
+ -
RE: Snow Leopard ships with vulnerable Flash Player
mechBgon 2nd Sep 2009
To be fair, they have to finalize their build *sometime* and get busy mastering the discs. It would be smart to make updates available via the operating system's own update mechanism, of course.
0 Votes
+ -
Software update is....
arminw 3rd Sep 2009
is only for Apple software and not every bug infested third-party stuff
out there.
0 Votes
+ -
And I'm saying that should change.
mechBgon 3rd Sep 2009
If they choose to bundle exploit-prone third-party software with their OS, it's reasonable to expect them to support it. IMHO.

I recently installed Win7 Ultimate RTM, and I noticed they don't bundle Flash Player with it, which I view as a good move... if I reinstall from that disc two years from now, I won't be saddled with an out-of-date Flash Player that invites attacks.
0 Votes
+ -
Apple Update and Flash...
PollyProteus 3rd Sep 2009
It's true that Apple Update shouldn't be responsible for shipping the flash player, and it's true that at some point in the development cycle Apple has to say "no more updates for third party plugins".

It's also true that Windows doesn't ship with the Flash plugin, which means that any Windows user who goes to a website that uses Flash will have to install it.

What I do know is that when they do, the Adobe Updater gets installed so any updates are automatically available from Adobe.

What I don't know is if Apple includes an Adobe Updater on Snow Leopard along with the Flash plugin. Does one exist for Snow Leopard? And if so, does it get installed with the plugin or is the user left with only the plugin and no automatic update ability for the plugin?

Can anyone answer these questions? If the answer to the updater is "yes, one exists" and also yes to the "is the updater preinstalled" question then this is a non-issue.
0 Votes
+ -
Problem with that...
mechBgon 3rd Sep 2009
The Flash Player update check defaults to once every 30 days. That's a fairly big window of opportunity when you're talking about an add-on found on most of the world's desktop computers. It's a big target. Hopefully Apple decides to step up to the plate and ship updates themselves. Can't be that tough.

Tangentially, you can alter the frequency of Flash Player's update check at this page:

http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager05.html

I set mine to check every 7 days, although being a Zero-Day reader, I'm likely to know about them as soon as they're released.
0 Votes
+ -
actually....
doh123 4th Sep 2009
actually it updates the entire system, Apple software or not.. whatever
Apple wants to update...

the 10.6.1 update Devs are testing right now has a patched version of
flash, and will download and install over the normal Apple Update....
0 Votes
+ -
You mean ADOBE ships insecure Flash Player
mlindl 3rd Sep 2009
You see, Snow Leopard isn't insecure, Apple didn't
write the code, Adobe wrote it BUT ZDNet, not a
truth-in-journalism rag, decided to hit Apple once
again.

Well, read this you folks that enjoy lying to
yourselves:

http://apnews.excite.com/article/20090902/D9AF
D3J03.html
0 Votes
+ -
So you're saying Adobe would not let Apple ship
Michael Kelly 3rd Sep 2009
the most recent version? That's a very weak argument.

If Apple is to include third party software in its package, then it is responsible for it. Just as a car maker would be responsible if their cars shipped with faulty brakes that came from another source.
0 Votes
+ -
Adobe?
compudog 3rd Sep 2009
Does Adobe ship their insecure flash player to the OSX user? Thought that was Apple.
0 Votes
+ -
Yawn: Another scary Apple headline
mlindl 3rd Sep 2009
Wake me up when a Mac computer gets hacked,
not when somebody theorizes it could OK?

Waitm I have a theory:

ZDNet readers believe Windows is God and can
justify all of its fallibilities, real and imagined while
the ROU just keep on using our superior
computing tool, the Mac, with no worries, real or
imagined.
0 Votes
+ -
Theories...
Narg 3rd Sep 2009
mlindl, might as well get used to scary Apple headlines. Why? Simple. Apple is no longer a "safe OS" to use. Plus ZDNet gossip rag has run out of other OS scare tactics to gain readers, so they have to pick on the new kid on the block.

Get over your "God" theories. They are more outdated than Windows scare stories.
0 Votes
+ -
So 90% of the world
davidhite 3rd Sep 2009
is somehow not as enlightened as you?
Please.
Go listen to the strokes on your ipod while you
make crappy music in garage band.
I will be at work
0 Votes
+ -
Ok, I'm waking you up
mechBgon Updated - 3rd Sep 2009
Here you go:

http://blogs.zdnet.com/security/?p=1733

In the Web attacks, which target Mac, Windows and Linux users running Firefox, IE and Safari, hackers are seizing control of the machine?s clipboard and using a hard-to-delete URL that points to a fake anti-virus program.

Behold the potential of a Flash Player vulnerability. Three families of OSes and multiple browsers were affected by that one. Don't get cocky wink

0 Votes
+ -
Probably not...
JCitizen 4th Sep 2009
he would simply say "stupid users" like every other OSS fanboy; just because it takes user interaction.

The thing is, it's the same for Vista x64, it still takes someone to click the UAC to allow, or logon process permission.

0 Votes
+ -
It didn't require user interaction
mechBgon 4th Sep 2009
In point of fact, the example I gave required no user interaction at all. Furthermore, it was a true zero-day. Here's a thread where victims are comparing notes on the problem:

http://ubuntu-virginia.ubuntuforums.org/showthread.php?t=886905

I love the Linux guy's smug "oh, that's a Windowz problem," only to have it pointed out that the victim's on Ubuntu, and that the exploit is working on OS X as well. There's plenty of humble pie to go around wink
0 Votes
+ -
True dat! Humility is a rare commodity
Ole Man 5th Sep 2009
Which the egotism here does not permit.

Anything (including "software") a human can contrive, another human can subvert and corrupt.

Since online bios flashing became mainstream, there is no such thing as internet security, beyond the ISP (the "gateway" to the internet).

The bouncer controls all egress and ingress. The ONE human characteristic of software.
0 Votes
+ -
Veeerryy intrestink!!!...
JCitizen 5th Sep 2009
as that guy, with the German helmet, on Rowan and Martin's Laugh-In used to say! HA!

Thanks for the link!
0 Votes
+ -
Endangered OS X Snow Leopard = FLOP
shellcodes_coder Updated - 3rd Sep 2009
Am sure you guys do remember Charlie Miller. Here's what he recently said: I'm going to keep saying Snow Leopard is less secure than Windows 7, Miller said. Fix that one thing and I would stop saying it.

source: (Apple?s Snow Leopard Is Less Secure Than Windows, But Safer): http://www.wired.com/gadgetlab/2009/09/security-snow-leopard

Endangered OS Snow leopard was released in a hurry because they were already feeling the heat of Windows 7. And after the release of Windows 7, Apple knew they will be DOOMED so they had to do it. That reminds of Vista...
0 Votes
+ -
Little problem
Lerianis10 3rd Sep 2009
On my system, IE says that 10.0.23.1 is installed in
Internet Explorer. When I brought this up with Adobe,
they said that it was the HELPER TOOL that I should be
looking at, the FlashUtil10c.exe..... it was the actual
10.0.32.18 file that should have been there.
0 Votes
+ -
Huh...
marcin.rybak@... 3rd Sep 2009
Microsoft does it by default, and there is no problem. It's just making a mountain out of a mole-hill.
regards,
Marcin Rybak
http://thinkspire.org/blog/marti/
0 Votes
+ -
As long as it updates automatically
Michael Kelly 3rd Sep 2009
you are correct. Does it? Some people are saying it does not, in which case you are not correct if they are correct. Because Windows, for all its faults, at least makes sure that all the components it ships with, regardless of who programmed it, gets updated via its automatic update system.

I do not know if Flash gets updated automatically on OS X. The answer to that question will tell you whether this is a big deal or not.
0 Votes
+ -
Yeah! Huh?
rtk 3rd Sep 2009
Microsoft does it by default, and there is no problem.

MS doesn't ship Flash, by default or otherwise.

It's just making a mountain out of a mole-hill.

No, that's just your irrational bias talking.
0 Votes
+ -
RE: Snow Leopard ships with vulnerable Flash Player
birumut Updated - 29th Apr 2011
Well done! Thank you very much for professional templates and community edition
seslisohbet seslichat

Join the conversation!

Formatting +
BB Codes - Note: HTML is not supported in forums
  • [b] Bold [/b]
  • [i] Italic [/i]
  • [u] Underline [/u]
  • [s] Strikethrough [/s]
  • [q] "Quote" [/q]
  • [ol][*] 1. Ordered List [/ol]
  • [ul][*] · Unordered List [/ul]
  • [pre] Preformat [/pre]
  • [quote] "Blockquote" [/quote]
ie8 fix
Click Here
ie8 fix

The best of ZDNet, delivered

ZDNet Newsletters

Get the best of ZDNet delivered straight to your inbox

Facebook Activity

Blog Roll

Blog Archive

White Papers, Webcasts, & Resources
ie8 fix
ie8 fix