I would just like to say thanks to MacRumors for the heads-up. Sure 'nuf, my Snow Leopard MacBook was on the old version.

How prevalent in the wild are malicious flash pages that take advantage of these vulnerabilities?

They are essentially non-existent, and if they did exist, you wouldn't be vulnerable unless you had reconfigured your browser to use the Flash plugin to read PDFs instead of using Preview.

Sophos, who wrote the inflammatory press release quoted at the top here, have a vested interest in making it sound awful even though there is not a single reported instance of this hitting a user in the wild. Why? They're trying to sell security products to businesses. (Sophos is also known for being much less respectable in this game than, say, Norton--not that Norton is great, but Sophos tends to live in the gutter).
 
That context is critical. If this were a vulnerability that was being actively exploited I would absolutely agree that Apple has a responsibility to be far more proactive.

The context is that the vendor has acknowledged a potential vector for remote code execution that would only require the user to visit a compromised site. Most security experts would consider this a 'critical' vulnerability. I don't think that Apple should be rushing to any solution here since, as you said, it is not currently being exploited; however, they do have a long-term obligation to address this.

For those saying that this is not a big deal: yes, the fix is easy for users who are aware of the problem, but the majority of users aren't.
 
The context is that the vendor has acknowledged a potential vector for remote code execution that would only require the user to visit a compromised site. Most security experts would consider this a 'critical' vulnerability. I don't think that Apple should be rushing to any solution here since, as you said, it is not currently being exploited; however, they do have a long-term obligation to address this.

For those saying that this is not a big deal: yes, the fix is easy for users who are aware of the problem, but the majority of users aren't.

But it doesn't only require the user to visit a compromised site. That's true on Windows, but not on OS X. Not because of some inherent superiority, but just the details of how the browsers on each platform handle PDFs.
 
The update for Adobe Flash Player and Adobe AIR, Adobe Reader and Acrobat resolves a memory corruption vulnerability that could potentially lead to code execution (CVE-2009-1862).

The update for Adobe Flash Player resolves a privilege escalation vulnerability that could allow someone with desktop access to gain administrative privileges on the Macintosh operating system (CVE-2009-1863).

The update for Adobe Flash Player and Adobe AIR resolves the heap overflow vulnerability that could potentially lead to code execution (CVE-2009-1864).

The update for Adobe Flash Player and Adobe AIR resolves the null pointer vulnerability that could potentially lead to code execution (CVE-2009-1865).

The update for Adobe Flash Player and Adobe AIR resolves the stack overflow vulnerability that could potentially lead to code execution (CVE-2009-1866).

The update for Adobe Flash Player and Adobe AIR resolves a clickjacking vulnerability that could allow an attacker to lure a web browser user into unknowingly clicking on a link or dialog (CVE-2009-1867).

The update for Adobe Flash Player and Adobe AIR resolves the URL parsing heap overflow vulnerability that could potentially lead to code execution (CVE-2009-1868).

The update for Adobe Flash Player and Adobe AIR resolves the integer overflow vulnerability that could potentially lead to code execution (CVE-2009-1869).

The update for Adobe Flash Player and Adobe AIR resolves a local sandbox vulnerability that could potentially lead to information disclosure when SWFs are saved to the hard drive (CVE-2009-1870).
 
But it doesn't only require the user to visit a compromised site. That's true on Windows, but not on OS X. Not because of some inherent superiority, but just the details of how the browsers on each platform handle PDFs.

I haven't looked into the specifics of each issue, but when you combine privilege escalation and remote code execution, you should not consider yourself safe.

But again, this looks very hard to exploit and there are no known exploits in the wild.
 
The update for Adobe Flash Player and Adobe AIR, Adobe Reader and Acrobat resolves a memory corruption vulnerability that could potentially lead to code execution (CVE-2009-1862).

The update for Adobe Flash Player resolves a privilege escalation vulnerability that could allow someone with desktop access to gain administrative privileges on the Macintosh operating system (CVE-2009-1863).

The update for Adobe Flash Player and Adobe AIR resolves the heap overflow vulnerability that could potentially lead to code execution (CVE-2009-1864).

The update for Adobe Flash Player and Adobe AIR resolves the null pointer vulnerability that could potentially lead to code execution (CVE-2009-1865).

The update for Adobe Flash Player and Adobe AIR resolves the stack overflow vulnerability that could potentially lead to code execution (CVE-2009-1866).

The update for Adobe Flash Player and Adobe AIR resolves a clickjacking vulnerability that could allow an attacker to lure a web browser user into unknowingly clicking on a link or dialog (CVE-2009-1867).

The update for Adobe Flash Player and Adobe AIR resolves the URL parsing heap overflow vulnerability that could potentially lead to code execution (CVE-2009-1868).

The update for Adobe Flash Player and Adobe AIR resolves the integer overflow vulnerability that could potentially lead to code execution (CVE-2009-1869).

The update for Adobe Flash Player and Adobe AIR resolves a local sandbox vulnerability that could potentially lead to information disclosure when SWFs are saved to the hard drive (CVE-2009-1870).

Yes, and each of these that has an exploit available is related to the same issue with Flash-embedded PDFs, which is not going to affect any Macintosh user unless they've gone out of their way to perversify their system. Any user that has used command-line hacks to change the PDF handling in Safari is capable of being responsible for their own security updates. This should get corrected, but the urgency is very, very low.
 
Yes, and each of these that has an exploit available is related to the same issue with Flash-embedded PDFs, which is not going to affect any Macintosh user unless they've gone out of their way to perversify their system. Any user that has used command-line hacks to change the PDF handling in Safari is capable of being responsible for their own security updates. This should get corrected, but the urgency is very, very low.

Thanks, I did not realize that.
 
This is another argument I have some sympathy for. Apple could say "Hey, Flash is dumb so you'll need to update it yourself", but I have to think that will only make their issues with Adobe worse. And yeah, not installing it at all would probably be the "right" thing to do, but it just isn't realistic in this era. Flash is mostly used for ****** banner ads, but the one thing almost everyone uses that needs it is YouTube. If YouTube "didn't work" on a Mac, it'd be doomsday.

The bottom line is that Apple is trying to figure out the best line they can here in a crap situation. Adobe are the creators and owners of Flash. It is their responsibility. If they can't figure out a sane way to keep it updated for its own security, they are the proper target of anger.

And I stand by my argument: Apple needs to do something!

It annoys me to hell that after 1 1/2 years of using a Mac and trying to maintain an up-to-date and secure system, I suddenly find out that it has been my responsibility to update this certain piece of software manually. :mad:

There is just no excuse for this.
 
And I stand by my argument: Apple needs to do something!

It annoys me to hell that after 1 1/2 years of using a Mac and trying to maintain an up-to-date and secure system, I suddenly find out that it has been my responsibility to update this certain piece of software manually. :mad:

There is just no excuse for this.

But what can Apple do? They should do "something" you say, but it isn't their software and they have no right to do anything to it.

In a larger sense, your expectations are unfortunately unrealistic. No OS vendor, whether it's Apple, Microsoft, Sun, SGI, any of the Linux distributors... none of them can take responsibility for every piece of software on the system, because it's not all their software. That's just how it is and will always be, unless you want personal computers to work like mainframes. If you want IBM to sell you the entire ecosystem, and test and guarantee it... get out your checkbook. And win the lottery.
 
Does Windows include flash OOTB? I don't seem to recall that being the case. It has been a while since I have loaded Win7, but it appears to be updated with the latest version. I am not sure if that is due to the Adobe Updater that is installed or not. If it is then why isn't there a Mac version?

It does, for IE.

If you want Flash on any other browser, you have to install it yourself (since Flash for IE apparently isn't compatible with any other browser, or at least not the version installed by default).

This pre-installed version has the exact same flaw that the one Apple includes does: there is no built-in mechanism for updating it via Windows Update... Adobe Update isn't installed by default (and Adobe Update doesn't offer flash updates)... and odds are you don't even know you need to update it yourself.
 
Sophos, who wrote the inflammatory press release quoted at the top here, have a vested interest in making it sound awful even though there is not a single reported instance of this hitting a user in the wild. Why? They're trying to sell security products to businesses. (Sophos is also known for being much less respectable in this game than, say, Norton--not that Norton is great, but Sophos tends to live in the gutter).

As soon as I saw the name Graham Cluley I knew this would be a minor issue blown out of all proportion. Having met him as well.....
 
And I stand by my argument: Apple needs to do something!

It annoys me to hell that after 1 1/2 years of using a Mac and trying to maintain an up-to-date and secure system, I suddenly find out that it has been my responsibility to update this certain piece of software manually. :mad:

There is just no excuse for this.

Apple really was trying to make our lives easier by including Flash in the default install. It backfired because it's difficult to maintain, both technically and legally.
Your risk is really very low and hopefully Apple can find some solution before there is a need to really worry.
If you're at all technically savvy, just run the update manually; if not, there isn't much to worry about yet.
 
But what can Apple do? They should do "something" you say, but it isn't their software and they have no right to do anything to it.

In a larger sense, your expectations are unfortunately unrealistic. No OS vendor, whether it's Apple, Microsoft, Sun, SGI, any of the Linux distributors... none of them can take responsibility for every piece of software on the system, because it's not all their software. That's just how it is and will always be, unless you want personal computers to work like mainframes. If you want IBM to sell you the entire ecosystem, and test and guarantee it... get out your checkbook. And win the lottery.

:eek: It seems I am not getting through to you :eek:

It is as simple as this: The entity that installs the stuff is responsible to update or explicitly inform the user that it needs to be done manually.

If I had installed Flash myself, I could be expected to update it. Since Apple installed it as part of their OS (I have no Flash icon in my Application folder), it is their responsibility to update or inform me about the fact that I need to do it myself.
 
That this is looking more and more like a release that was not ready for mass consumption? Yes. As I've said before, I'm considering myself extremely lucky to have run across the relatively few issues I've had with Snow Leopard so far, based on the number of gripes from friends of mine and folks here on these forums.

something you need to keep in mind is that the majority (if not all of) these complaints/bug reports are coming from tech-savvy people whose typical workflow includes pushing almost every angle of an OS to its limits (via processor/memory-intensive applications that your average OS X user just plain-and-simple will never use)... as for the overwhelming, satisfied majority who have yet to experience any problems with Snow Leopard, it'd make sense that you wouldn't see them stopping by a forum to rant about it. plus, it's common knowledge that one should inquire from a broad spectrum of individuals before coming to a conclusion about something, thereby avoiding any bias toward/against whatever it is you're inquiring about- and you're going to get an extremely narrow point of view by looking here, IMHO.

as for my experience with Snow Leopard so far, it has been seven days, and I have yet to experience a single bug... and that's while using a wide variety of applications. so to The Razor's conclusion that SL "sucks ass" and that one should essentially avoid it at all costs, based on a very small handful of "bugs," I have to strongly disagree (no random shut-down/restarts and no networking issues, though about the other two issues, there's a good chance that Microsoft and Adobe will issue SL-compatibility updates for those applications soon).

and finally, in reply to the OT, exactly what about the less than two minutes it should take to download/install this update is causing so many of you to fly off on a rant? I'd give my opinions, but coleridge78 pretty much took the words out of my mouth...
 
Despite what some of the usual suspects may feverishly try to downplay, Apple is not free of blame here. They're not the worst OS vendor in the world as some would like to sensationalize either.

If they plan to include 3rd party software for their users, they have an obligation to inform them that it may not be a downgrade and in many instances require an update.

The problem isn't just that a third party updater isn't bundled in the OS (doubt they could even do that), but that a user has no idea that their software has been downgraded. That is reprehensible.
 
:eek: It seems I am not getting through to you :eek:

It is as simple as this: The entity that installs the stuff is responsible to update or explicitly inform the user that it needs to be done manually.

If I had installed Flash myself, I could be expected to update it. Since Apple installed it as part of their OS (I have no Flash icon in my Application folder), it is their responsibility to update or inform me about the fact that I need to do it myself.

You got through the first time. I understand and have sympathy for what you're saying.

But in the real world, Apple is not allowed to update Flash (the owners of Flash have not given them the rights to do so), and they cannot realistically not include it (yet, though they're working towards it). Flashing warnings about it will make their efforts to work out issues with Adobe even harder. I just don't see any good options for them, and meanwhile Adobe CAN control it by not abdicating responsibility for their own software's security. I can't really see the sense in being mad at Apple, as opposed to Adobe.
 
:eek: It seems I am not getting through to you :eek:

It is as simple as this: The entity that installs the stuff is responsible to update or explicitly inform the user that it needs to be done manually.

If I had installed Flash myself, I could be expected to update it. Since Apple installed it as part of their OS (I have no Flash icon in my Application folder), it is their responsibility to update or inform me about the fact that I need to do it myself.

Agreed, but give Apple time to come up with a proper solution. In the meantime your risk exposure is still very low.
 
Despite what some of the usual suspects may feverishly try to downplay, Apple is not free of blame here. They're not the worst OS vendor in the world as some would like to sensationalize either.

If they plan to include 3rd party software for their users, they have an obligation to inform them that it may not be a downgrade and in many instances require an update.

The problem isn't just that a third party updater isn't bundled in the OS (doubt they could even do that), but that a user has no idea that their software has been downgraded. That is reprehensible.

If a user doesn't realize that re-installing their OS will, well, re-install the OS (back to a certain tested baseline), then their own absurd expectations (that they would never have in any other area of their life, where common sense tends to kick in more often) are reprehensible.
 
Why didn't the installer just check the version of the currently installed Flash player? If it's a higher version than the one bundled with the OS - don't touch it! BAM - problem solved!

Because flash uses Installer.app, but doesn't leave a 'receipt'. There is no reliable way for Apple's installer to check for the existence of an installed system-component that doesn't.

Stuff you drop in Applications or your user folder tends to be different, because Apple can identify what is a system file and what isn't. Flash is both user upgradable, and installed by the OS, so without that receipt, the installer can do nothing to detect what version it is.
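The post above explains why Apple's installer cannot tell which Flash Player version is already present: there is no receipt to consult. An administrator who wants that check anyway can do it from the plugin bundle's own Info.plist instead. The script below is an added example written for this page, not code from the thread or from Apple or Adobe. It assumes the plugin lives at /Library/Internet Plug-Ins/Flash Player.plugin and that its version is stored under CFBundleShortVersionString (both assumptions; adjust if your bundle differs), and it takes the "known fixed" minimum from a placeholder variable you fill in from Adobe's bulletin rather than hard-coding one. Versions are accepted in both the dotted form and Adobe's comma form ("10,0,22,87") quoted earlier in the thread.

```shell
#!/bin/sh
# Added example: check an installed Flash Player version against a minimum.
# Assumptions: plugin path and plist key below are hypothetical defaults;
# MIN_FLASH_VERSION is a placeholder to be filled from the vendor bulletin.

PLUGIN_PLIST="/Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist"
PLIST_KEY="CFBundleShortVersionString"
MIN_FLASH_VERSION="${MIN_FLASH_VERSION:-PLACEHOLDER.SET.FROM.BULLETIN}"

# Turn "10,0,22,87" or "10.0.22.87" into a fixed-width sortable key
# ("010000022087"). Missing trailing fields count as 0; each field is
# assumed to fit in three digits. Returns 1 on malformed input.
version_key() {
    v=$(printf '%s' "$1" | tr ',' '.')
    case "$v" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $v
    IFS=$old_ifs
    printf '%03d%03d%03d%03d' "${1:-0}" "${2:-0}" "${3:-0}" "${4:-0}"
}

# version_ge INSTALLED MINIMUM -> exit 0 if INSTALLED >= MINIMUM.
# A malformed version on either side is treated as "not OK".
version_ge() {
    ka=$(version_key "$1") || return 1
    kb=$(version_key "$2") || return 1
    [ "$ka" -ge "$kb" ]
}

# Read the installed version on macOS; fails quietly elsewhere.
installed_flash_version() {
    [ -f "$PLUGIN_PLIST" ] || return 1
    command -v defaults >/dev/null 2>&1 || return 1
    defaults read "${PLUGIN_PLIST%.plist}" "$PLIST_KEY" 2>/dev/null
}

# Report whether the installed plugin meets the minimum; exit status
# 0 = current, 1 = outdated or undeterminable (usable from a login script).
check_flash() {
    installed=$(installed_flash_version) || {
        echo "Flash Player plugin not found or unreadable"
        return 1
    }
    if version_ge "$installed" "$MIN_FLASH_VERSION"; then
        echo "Flash Player $installed is at or above $MIN_FLASH_VERSION"
        return 0
    fi
    echo "Flash Player $installed is below $MIN_FLASH_VERSION; update it"
    return 1
}

# Only run the check when executed directly, not when sourced for testing.
case "$0" in
    *check_flash*|*flash*) check_flash ;;
esac
```

Run it as a login or management script on the Mac; the exit status is what a fleet tool would key on. The version comparison is the only part that runs on a non-Mac host, which is why it is kept separate from the plist read.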
 
Thanks!

It tells me I have version 10,0,22,87 installed.

I was never even aware that I need to install this stuff from Adobe. :eek:
I run Leopard with all Security Updates applied, and I find it kind of lame that Apple does not update the stuff it ships on their computers.

Technically, you don't need the update unless the site you are going to is using advanced features of CS4 Flash. The reason you haven't seen an update request is because the Flash sites you visit are probably setting the compatibility for earlier versions of Flash. I always set my sites to at least Flash 8. You can't guarantee, as you have just witnessed, that everyone is running the latest and greatest.

If you needed an upgrade, the site you are visiting would typically tell you to upgrade.
 
You have really bought Apple's side of the coin, haven't you? Flash is a fantastic product that has delivered so much for the Internet as we know it today.

However, there is a dispute between Apple and Macromedia, so that is the reason for Flash hogging a bit too much resources on the Mac. Flash in itself is a good product but you have really bought into Apple's campaign of making Macromedia and Flash look bad.

Seriously? Flash is a non-standardized, closed and binary format that is a drain on the internet. If flash didn't exist, SVG and other standard technologies would be flourishing. Even Adobe fought against Flash until they bought Macromedia. Luckily Apple is still putting up the good fight with Webkit.

Funny how I only hear Mac users complaining about Flash. It's a very Mac-ish, chic and elite thing to complain about Flash I suppose. And don't flatter yourself by saying that you are more technically inclined than Windows and Linux users, it'd just be sad.

I've been complaining about Flash since the first day I hit "View Source" in Internet Explorer on Windows 98 and got NOTHING. If you can't view the source, it's not the web.

Until most internet video sites get off their rear and start using technologies that don't suck as bad as flash we're pretty much stuck with it.

YouTube has already moved to a flash-neutral video format, and Vimeo is headed that direction. I think that covers the majority of online video. The end for flash video is near.

Well that sucks for Apple, but by including Flash they assume the responsibility for keeping it secure.
A user has no way of knowing what third-party components are installed by the OS and has no obligation to search out fixes for apps they didn't install.

I completely agree. I've never seen Software Update offer me a Flash upgrade, either, so it looks like most users will be stuck with it until the next time they update their OS.

The bottom line is that Apple is trying to figure out the best line they can here in a crap situation. Adobe are the creators and owners of Flash. It is their responsibility. If they can't figure out a sane way to keep it updated for its own security, they are the proper target of anger.

I really wish (as a developer) Flash had some auto-upgrade feature. They really should, just because of the security implications. A lot of people are stuck on Flash 8 or 9, which besides having serious security holes, also don't support standard H.264 video, so I have to encode my videos twice: once for old Flash and once for new Flash/iPhone/Safari.
 
How many people were using a new version tho, as Flash doesn't automatically update itself from what I've noticed.
This is something that I am curious about as well. If Flash doesn't pop up with a notification that there is a newer version, then how many users actually upgraded to the latest version?
 