Snow Leopard forces silent Flash downgrade

Apple has bundled a vulnerable version of Flash with Snow Leopard. As a result, Mac users who upgrade their operating system will be left exposed to Adobe Flash-based attacks - even if they had previously kept up to date with patches. The latest version of Flash Player for Mac is version 10.0.32.18. Applying Snow Leopard loads …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Ah ha!

    Now that we know about it, we'll all install the latest version as soon as we upgrade the OS...

  2. Dave 142

    flash

    good job I have flash disabled to avoid annoying adverts then!

  3. ThomH

    Apple upset me

    I now use Macs exclusively owing to the nature of my employment, but I really wish they could be more like Microsoft in terms of becoming proactive towards security issues.

  4. Anonymous Coward
    Thumb Down

    Shock

    All 10 users will need to be aware.

  5. Annihilator
    Paris Hilton

    Flash.. aaaaa-aaaaaahhh...

    Why is Flash even bundled with SL?

  6. Sergie Kaponitovicz
    Pint

    My Golden Rule...

    ..is never upgrade any OS to Vx.0; my livelihood depends upon a smooth running Mac/PC network. Once again, I am proven right.

    I love early adopters, they take the pain out of my life.

    On a different note, but still on-topic, the article by Tim Anderson - W7 v OS10.6 - is one of the best reviews I have ever read. Unbiased to the extreme. Bravo!

  7. Pollo

    @ThomH

    Seriously?

    I don't want to start a flame war, but I wonder what you consider 'pro-active'.

    1) releasing security updates in a timely fashion before the details have been released to the hacker/script-kiddy community (mostly) a-la Apple or

    2) waiting 6 months for maximum damage to be done after making a big fanfare announcement about the forthcoming fix (including details of how to implement the exploit) and then finally patching - a-la guesswho

    I may be wrong of course, but this certainly seems to be my perception of each company's approach to fixing the bugs that will inevitably occur in any software development cycle.

    This one to be honest just seems like a genuine error in checking versions. Not inexcusable but totally understandable in how it happened.

  8. Dan Wilkinson
    Badgers

    Title

    Is this the worst thing that anyone has found, such that it deserves an article on its own? I mean, a plugin for displaying Ads (on the whole) is back level by (wait for it) not a major number, not even a minor number, but 10.0.23.1 instead of 10.0.32.18?

    Ah, but now I'm exposed to a raft of potential attacks and exploits which have been targeted on Adobe's software in recent months! Oh, but now Safari plugins are sandboxed, so the exploits won't work anyway.

    @Sergie Kaponitovicz

    With pain as minimal as this, you risk losing out on the pleasure

    @Pollo

    This is actually a bad line of attack, there have been numerous known issues that it's taken Apple as much as 6 months to fix (Perl and DNS builds being back level for one). Microsoft's security updates are actually pretty good, albeit largely because they HAVE to be in order to stay above water. Sometimes Apple are lax in this area.

  9. nicolas
    Flame

    flash ads

    I recommend the installation of "clickToFlash". It's a free plugin. So simple and efficient, all flash embeds are disabled by default, and only activate when you click on them.

    brilliant !!

    (And I'm not related to this piece of software).

    Anyway, the guy responsible for this downgrade should have his urethra filled with sizzling spicy curry. (flame 'cos, you know...)

  10. magnetik

    release dates

    10.0.32.18 was released at the end of July. At what point would Apple start having the install disks manufactured? Surely it'd take at least a few weeks to have several million dvds made and distributed to retail stores?

  11. Douglas Lowe

    @Pollo

    I think ThomH was being sarcastic ;-)

  12. Nexox Enigma

    @Douglas Lowe

    """I think ThomH was being sarcastic ;-)"""

    Probably not, it's been reasonably well documented that when contacted, Apple will tell security researchers to shove off, then try to sue when researchers go public, usually denying that they corresponded about the vulnerability at all. MS has patched some major problems days after they went public, and their security teams are supposed to be receptive when contacted with vulnerability information about their products.

    All in all this doesn't seem too surprising, since someone mentioned this was probably the latest version at dvd master time, and your average OSX major version 'upgrade' is just a full reinstall that happens to hang onto your home folder, which would imply replacement of whatever Flash you had.

    It's worth the article so that people will hopefully read and update before they get owned too hard.

  13. Dave 142

    @nexox

    If Apple do tell all security researchers to shove off how come security updates come with credits for the researcher who told them about it? e.g. http://support.apple.com/kb/HT3757

  14. Dave 142

    getting owned

    "It's worth the article so that people will hopefully read and update before they get owned too hard."

    seeing as safari sandboxes plugins I doubt there'll be any trouble for a while anyway.

  15. Dave 129

    @Dave 142

    "seeing as safari sandboxes plugins I doubt there'll be any trouble for a while anyway."

    OK, you go rely on that (and that was only introduced with Safari 4 I believe?), in the meantime everyone else can upgrade and be doubly sure of not getting into trouble. I just don't understand the "head-in-the-sand" mentality of some Mac users, of which you seem to be one. "Don't worry everyone, feature X will protect us" until feature X happens to have a hole so wide you can drive a tank through it...

    Keeping up-to-date with security updates and bug fixes is a fact of life and you are treading dodgy ground for not doing so on ANY platform - be it Mac, Windows, Linux, Unix or whatever else.

  16. The Saint

    More Secure???

    Oh fan-boys, come hither and explain how the "ignorant masses" miss it; that is, how Apple is better than anything else. Huh? What? Now, 1) focus on grammar mistakes, 2) detail how it worked before, 3) how yours works now, 4) how the articles got it all wrong, and my favorite, 5) it's simply a slow news day.

  17. John 158
    Stop

    Don't Upgrade Flash!!!

    I had the latest version of flash on leopard and it's fuxored, it could make 5 connections then you would have to actually quit whichever browser you were using, before it could make any more. Games like kdice wouldn't work, and I was somewhat pissed off.

    I upgraded to snowleopard, and having read a similar article I tested it and now everything works perfectly. Go apple, ftw.

    Plus being that plugins are now sandboxed it's hardly a massive issue.

  18. Outcast !!!
    FAIL

    HAHA

    Apple FAILED!

  19. JimFromOhio

    Ho hum

    I wonder how many OS X users had the latest Flash Player version installed anyway?

    Regardless, it took all of about 30 seconds to upgrade back to the current one.

  20. Giles Jones Gold badge

    Flashblock

    What kind of a berk lets flash run without permission anyway?

    Install Flashblock plugin for Firefox, job done.

  21. Big-nosed Pengie

    @ThomH

    "I now use Macs exclusively owing to the nature of my employment, but I really wish they could be more like Microsoft in terms of becoming proactive towards security issues."

    Where's the LMAO icon? Classic win, Tom. :-)

  22. Anonymous Coward
    Stop

    @Giles Jones

    Your regular user who doesn't use the PC for anything other than browsing the web, downloading random software and editing pictures?

    What was the name of that hacking competition? If I could remember I'd link, but iirc all the major OSes were secure from base install until they installed Flash and started attacking it. What does that tell you?

  23. SinisterDexter
    Thumb Up

    Firefox saves the day

    Just installed the Sno Leppard, followed by the inevitable Firefox install. FF warned me straight away that Flash was out of date and provided a link to the latest version. Problem solved before I was aware of any issues. Cheers Mozilla!

  24. David Pickering
    FAIL

    my heart bleeds

    for all the vulnerable (cr)apple users out there.

    apple loves you - no really.

  25. Dave 142

    @ Dave 129

    I'll let you know when I get hacked, don't worry.

  26. James O'Brien
    Troll

    @Dave 129

    ROFL Nice one, "I just don't understand the "head-in-the-sand" mentality of some Mac users, of which you seem to be one.". My sentiments exactly. What I have never understood was the thought that this OS is so secure because it has no viruses (virii?) out for it. Maybe the reason for that is BECAUSE IT'S USED BY SO FEW?

    Anyway I absolutely love the fanbois(twats?) that come and blast every M$ article but the second people start to do the same to their OS of choice either A) are suddenly quiet, B) attack those who comment on the inherent flaws documented by the news or C) Come out with a brown nose and sticky white lips from Gates/Jobs/Torvalds/Stallman and say their shit don't stink.

    /I'm a PC and I'm a Twat

  27. magnetik

    @James O'Brien

    "Maybe the reason for that is BECAUSE IT'S USED BY SO FEW?"

    Estimates put the number of Macs in use between 25 and 27 million. Few? I think not !

    Please don't spread this stupid "market share = viruses" myth. There were plenty of viruses for MacOS 9 which had a third of OS X's market share. There was even a Linux iPod virus in the wild though the number of those devices is only a few thousand worldwide. Linux powers around half of the servers connected to the internet and it has how many viruses?

    Macs are far from bulletproof but spreading FUD like that makes you look like an idiot.

  28. Graham Perrin

    In what way is 10.0.23.1 vulnerable?

    http://www.adobe.com/support/security/bulletins/apsb09-10.html describes "Adobe Flash Player 9.0.159.0 and 10.0.22.87 and earlier 9.x and 10.x versions" as affected — without reference to 10.0.23.x.

  29. Blain Hamon
    Coffee/keyboard

    Time to untwist panties

    10.6.1 has the latest version of flash as part of the patch.
