Apple's Snow Leopard Downgrades Flash Security

Users of Apple's Snow Leopard Mac OS X operating system upgrade are being advised to install, or reinstall, the latest version of Adobe's Flash player.

Thomas Claburn, Editor at Large, Enterprise Mobility

September 3, 2009


Apple's Mac OS X 10.6 "Snow Leopard" operating system upgrade comes with several security improvements, but also includes a security downgrade: It installs an outdated version of Adobe's Flash player software with known vulnerabilities that are being actively exploited.

In a blog post, Graham Cluley, senior technology consultant for Sophos, explains that Snow Leopard installs Flash player version 10.0.23.1, which Adobe had already updated on July 30 to version 10.0.32.18 to address 12 different vulnerabilities.

The fix is straightforward. As Adobe's David Lenoe advises in a blog post, "We recommend all users update to the latest, most secure version of Flash Player (10.0.32.18)," which is available for download from the Adobe Web site.
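A defender's companion to this advice is a check that the installed Flash Player plug-in is at least the version Adobe recommends, comparing dotted versions numerically rather than as strings. The script below is an added example, not code from the article, Apple or Adobe; it assumes the plug-in's Info.plist lives at the path shown and carries a CFBundleVersion key, and the embedded plist is a constructed sample.

```python
import plistlib
from typing import Tuple

# Versions named in the article: what Snow Leopard shipped and what Adobe recommends.
SHIPPED_VERSION = "10.0.23.1"
PATCHED_VERSION = "10.0.32.18"

# Assumed location of the Flash Player browser plug-in's Info.plist on Mac OS X.
FLASH_INFO_PLIST = "/Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist"


def parse_version(v: str) -> Tuple[int, ...]:
    """Split '10.0.23.1' into (10, 0, 23, 1) so 10.0.9 sorts below 10.0.32."""
    return tuple(int(part) for part in v.strip().split("."))


def flash_is_outdated(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the installed version is older than the recommended one."""
    return parse_version(installed) < parse_version(patched)


def version_from_plist(data: bytes) -> str:
    """Read CFBundleVersion from an Info.plist given as bytes."""
    return plistlib.loads(data)["CFBundleVersion"]


def check_plist(data: bytes) -> Tuple[str, bool]:
    """Return (installed version, outdated?) for a plist blob."""
    installed = version_from_plist(data)
    return installed, flash_is_outdated(installed)


# Constructed sample plist resembling the plug-in Snow Leopard installs.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleVersion</key><string>10.0.23.1</string>
</dict>
</plist>
"""

if __name__ == "__main__":
    try:
        with open(FLASH_INFO_PLIST, "rb") as f:
            data = f.read()
    except OSError:
        data = SAMPLE_PLIST  # fall back to the constructed sample off-Mac
    version, outdated = check_plist(data)
    print(f"Flash Player {version}: {'UPDATE NEEDED' if outdated else 'ok'}")
```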

But the oversight, which may reflect nothing more than Apple's need to freeze its code well before discs are pressed and seeded to distribution channels, has provided more ammunition to security companies that have been critical of Apple's claims about Snow Leopard's security improvements.

Such companies, of course, face the possibility of being made redundant when operating system makers like Apple or Microsoft begin building security features into their software. As a consequence, any addition along these lines typically prompts third-party security vendors to shine a spotlight on missteps, mistakes, or glaring failures.

For Apple, alleged security shortcomings appear worse than they might really be because the company's culture of secrecy, which stands in contrast to the recent push for better information sharing in the security industry, comes across as a lack of concern.

Apple, for example, neglected to inform users that the Snow Leopard upgrade would disable any screensaver password lock that had been in place. This prompted Sophos researcher Chester Wisniewski to complain, "Another change to my security settings without notification or permission? Some changes are necessary and difficult to migrate, but PLEASE tell me about things that affect my safety when using my computer."

That may seem a peevish point to make, but strictly speaking, changes to security settings without notice or permission represent behavior more often seen in malware.

In a security memo released on Wednesday, Intego, a maker of Mac security software, offers a more substantive analysis of the shortcomings of Apple's new security features in Mac OS X 10.6.

"Not only does [Snow Leopard] only scan files from a handful of applications, and only for two Trojan horses, but it didn't even spot all the current variants that we tested," the memo states. "It cannot repair files or scan your Mac to find existing infections. It doesn't detect malware contained in metapackages, making it very simple to distribute malware that will bypass Apple's protection. It cannot scan network volumes, and it won't even see infected files copied from removable media. In short, Apple's anti-malware function in Snow Leopard is notable for the lack of serious protection it provides to Mac users."

There's an element of self-promotion driving observations of this sort, to be sure, but that doesn't necessarily make the points less valid. The challenge for Apple in the coming months will be translating the security touted in its advertising into security practices that actually mitigate risk.



About the Author

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.
