Apple has bundled a vulnerable version of Flash with Snow Leopard. As a result, Mac users who upgrade their operating system will be left exposed to Adobe Flash-based attacks - even if they had previously kept up to date with patches. The latest version of Flash Player for Mac is version 10.0.32.18. Applying Snow Leopard loads …
Now that we know about it, we'll all install the latest version as soon as we upgrade the OS...
Good job I have Flash disabled to avoid annoying adverts, then!
Apple upset me
I now use Macs exclusively owing to the nature of my employment, but I really wish they could be more like Microsoft in terms of becoming proactive towards security issues.
All 10 users will need to be aware.
Why is Flash even bundled with SL?
My Golden Rule...
..is never upgrade any OS to Vx.0; my livelihood depends upon a smooth running Mac/PC network. Once again, I am proven right.
I love early adopters, they take the pain out of my life.
On a different note, but still on-topic, the article by Tim Anderson - W7 v OS10.6 - is one of the best reviews I have ever read. Unbiased to the extreme. Bravo!
I don't want to start a flame war, but I wonder what you consider 'pro-active'.
1) releasing security updates in a timely fashion before the details have been released to the hacker/script-kiddy community (mostly) à la Apple, or
2) waiting 6 months for maximum damage to be done after making a big fanfare announcement about the forthcoming fix (including details of how to implement the exploit) and then finally patching, à la guess who
I may be wrong of course, but this certainly seems to be my perception of each company's approach to fixing the bugs that will inevitably occur in any software development cycle.
This one to be honest just seems like a genuine error in checking versions. Not inexcusable but totally understandable in how it happened.
Is this the worst thing that anyone has found, such that it deserves an article on its own? I mean, a plugin for displaying ads (on the whole) is back level by (wait for it) not a major number, not even a minor number, but 10.0.23.1 instead of 10.0.32.18?
Ah, but now I'm exposed to a raft of potential attacks and exploits which have been targeted on Adobe's software in recent months! Oh, but now Safari plugins are sandboxed, so the exploits won't work anyway.
With pain as minimal as this, you risk losing out on the pleasure
This is actually a bad line of attack, there have been numerous known issues that it's taken Apple as much as 6 months to fix (Perl and DNS builds being back level for one). Microsoft's security updates are actually pretty good, albeit largely because they HAVE to be in order to stay above water. Sometimes Apple are lax in this area.
I recommend the installation of "clickToFlash". It's a free plugin. So simple and efficient, all flash embeds are disabled by default, and only activate when you click on them.
(And I'm not related to this piece of software).
Anyway, the guy responsible for this downgrade should have his urethra filled with sizzling spicy curry. (flame 'cos, you know...)
10.0.32.18 was released at the end of July. At what point would Apple start having the install disks manufactured? Surely it'd take at least a few weeks to have several million DVDs made and distributed to retail stores?
I think ThomH was being sarcastic ;-)
"""I think ThomH was being sarcastic ;-)"""
Probably not, it's been reasonably well documented that when contacted, Apple will tell security researchers to shove off, then try to sue when researchers go public, usually denying that they corresponded about the vulnerability at all. MS has patched some major problems days after they went public, and their security teams are supposed to be receptive when contacted with vulnerability information about their products.
All in all this doesn't seem too surprising, since someone mentioned this was probably the latest version at DVD master time, and your average OS X major version 'upgrade' is just a full reinstall that happens to hang onto your home folder, which would imply replacement of whatever Flash you had.
It's worth the article so that people will hopefully read and update before they get owned too hard.
If Apple do tell all security researchers to shove off how come security updates come with credits for the researcher who told them about it? e.g. http://support.apple.com/kb/HT3757
"It's worth the article so that people will hopefully read and update before they get owned too hard."
Seeing as Safari sandboxes plugins, I doubt there'll be any trouble for a while anyway.
"seeing as safari sandboxs plugins I doubt there'll be any trouble for a while anyway."
OK, you go rely on that (and that was only introduced with Safari 4, I believe?); in the meantime everyone else can upgrade and be doubly sure of not getting into trouble. I just don't understand the "head-in-the-sand" mentality of some Mac users, of which you seem to be one. "Don't worry everyone, feature X will protect us" until feature X happens to have a hole so wide you can drive a tank through it...
Keeping up-to-date with security updates and bug fixes is a fact of life and you are treading dodgy ground for not doing so on ANY platform - be it Mac, Windows, Linux, Unix or whatever else.
Oh fan-boys, come hither and explain how the "ignorant masses" miss it; that is, how Apple is better than anything else. Huh? What? Now, 1) focus on grammar mistakes, 2) detail how it worked before, 3) how yours works now, 4) how the articles got it all wrong, and my favorite, 5) it's simply a slow news day.
Don't Upgrade Flash!!!
I had the latest version of Flash on Leopard and it's fuxored: it could make 5 connections, then you would have to actually quit whichever browser you were using before it could make any more. Games like kdice wouldn't work, and I was somewhat pissed off.
I upgraded to Snow Leopard, and having read a similar article I tested it and now everything works perfectly. Go Apple, ftw.
Plus, given that plugins are now sandboxed, it's hardly a massive issue.
I wonder how many OS X users had the latest Flash Player version installed anyway?
Regardless, it took all of about 30 seconds to upgrade back to the current one.
What kind of a berk lets flash run without permission anyway?
Install Flashblock plugin for Firefox, job done.
"I now use Macs exclusively owing to the nature of my employment, but I really wish they could be more like Microsoft in terms of becoming proactive towards security issues."
Where's the LMAO icon? Classic win, Tom. :-)
Your regular user who doesn't use the PC for anything other than browsing the web, downloading random software and editing pictures?
What was the name of that hacking competition? If I could remember I'd link, but iirc all the major OSes were secure from base install until they installed Flash and started attacking it. What does that tell you?
Firefox saves the day
Just installed the Sno Leppard, followed by the inevitable Firefox install. FF warned me straight away that Flash was out of date and provided a link to the latest version. Problem solved before I was aware of any issues. Cheers Mozilla!
my heart bleeds
for all the vulnerable (cr)apple users out there.
apple loves you - no really.
@ Dave 129
I'll let you know when I get hacked, don't worry.
ROFL. Nice one: "I just don't understand the "head-in-the-sand" mentality of some Mac users, of which you seem to be one." My sentiments exactly. What I have never understood was the thought that this OS is so secure because it has no viruses (virii?) out for it. Maybe the reason for that is BECAUSE IT'S USED BY SO FEW?
Anyway, I absolutely love the fanbois (twats?) that come and blast every M$ article, but the second people start to do the same to their OS of choice they either A) are suddenly quiet, B) attack those who comment on the inherent flaws documented by the news, or C) come out with a brown nose and sticky white lips from Gates/Jobs/Torvalds/Stallman and say their shit don't stink.
/I'm a PC and I'm a Twat
"Maybe the reason for that is BECAUSE ITS USED BY SO FEW?"
Estimates put the number of Macs in use between 25 and 27 million. Few? I think not !
Please don't spread this stupid "market share = viruses" myth. There were plenty of viruses for MacOS 9 which had a third of OS X's market share. There was even a Linux iPod virus in the wild though the number of those devices is only a few thousand worldwide. Linux powers around half of the servers connected to the internet and it has how many viruses?
Macs are far from bulletproof but spreading FUD like that makes you look like an idiot.
In what way is 10.0.23.1 vulnerable?
http://www.adobe.com/support/security/bulletins/apsb09-10.html describes "Adobe Flash Player 9.0.159.0 and 10.0.22.87 and earlier 9.x and 10.x versions" as affected, without reference to 10.0.23.x.
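The question this comment raises, whether an installed Flash build falls inside a bulletin's affected range, is easy to get wrong with string comparison ("10.0.23.1" sorts before "10.0.3" lexically). The script below is an added example, not code from the article or any commenter: it parses the dotted build number out of the plugin's Info.plist (on a Mac that would be /Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist; the plist here is a constructed sample, and the CFBundleVersion key is an assumption), compares it numerically against the thresholds quoted from APSB09-10, and separately against the 10.0.32.18 release the article names as current.

```python
"""Check an installed Flash Player build against the APSB09-10 affected range.

Added example; not from the article or the commenters.  Assumes the plugin
reports its build in CFBundleVersion and that the thresholds below are the
ones quoted in the bulletin text.
"""
import plistlib
from typing import Dict, Tuple

# Thresholds as quoted from APSB09-10: "9.0.159.0 and 10.0.22.87 and earlier 9.x and 10.x".
AFFECTED_MAX: Dict[int, Tuple[int, ...]] = {9: (9, 0, 159, 0), 10: (10, 0, 22, 87)}
# Release the article names as current for Mac.
CURRENT = "10.0.32.18"


def parse_version(s: str) -> Tuple[int, ...]:
    """'10.0.23.1' -> (10, 0, 23, 1). Pads short strings so tuples compare field by field."""
    parts = tuple(int(p) for p in s.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def is_affected(version: str) -> bool:
    """True if the build is at or below the bulletin's threshold for its major line."""
    v = parse_version(version)
    if v[0] not in AFFECTED_MAX:
        return False  # bulletin only covers the 9.x and 10.x lines
    return v <= AFFECTED_MAX[v[0]]


def is_current(version: str) -> bool:
    """True if the build is at or above the release the article calls current."""
    return parse_version(version) >= parse_version(CURRENT)


def version_from_info_plist(data: bytes) -> str:
    """Pull the build number out of an Info.plist (CFBundleVersion key assumed)."""
    return plistlib.loads(data)["CFBundleVersion"]


# Constructed sample plist standing in for the bundled plugin's Info.plist.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleName</key><string>Flash Player</string>
    <key>CFBundleVersion</key><string>10.0.23.1</string>
</dict>
</plist>
"""


def check(plist_data: bytes) -> Dict[str, object]:
    """Report both answers: inside the bulletin's listed range, and at the current release."""
    v = version_from_info_plist(plist_data)
    return {"version": v, "affected_by_apsb09_10": is_affected(v), "current": is_current(v)}


if __name__ == "__main__":
    print(check(SAMPLE_PLIST))
```

For the 10.0.23.1 build the two answers disagree: it is above the bulletin's 10.0.22.87 threshold, so it is not in the listed affected range, yet it is below the 10.0.32.18 release. A build number that sits between an advisory's threshold and the fixed release says nothing certain about which fixes it carries, so the actionable signal is "not current", not "not listed".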
Time to untwist panties
10.6.1 has the latest version of flash as part of the patch.