Snow Leopard Installation Downgrades Flash Player to Vulnerable Version

[charlituna]

Sophos, who wrote the inflammatory press release quoted at the top here, have a vested interest in making it sound awful even though there is not a single reported instance of this hitting a user in the wild. Why? They're trying to sell security products to businesses.

yep. right up with Intego being the ones to diss the very not at all advertised built in malware as being shoddy cause it only detects 2 pieces of malware (out of the 3 pieces out there for a Mac) and mislabeled one of them as variant A when it was really variant B.

 

[iSee]

Man, what a lot of post-age over so little.

This is just a little release conflict between Apple and Adobe. Adobe happened to release a new version of Flash Player after the cut-off for inclusion in SL. Did you want Apple to push back the release date of SL

So anyone who dilligently updates their Flash Player will go one step back when they install SL...

Big deal

Presumably, dilligent updaters will remain true-to-form and dilligently re-update Flash Player shortly.

Summary: two steps forward, one step back, one step forward again == no big deal

 

[Eidorian]

And that's Adobe's fault? C'mon..

I will say this, however: Flash does not play well with Safari. Actually, media in general doesn't run well in Safari!! I've had no problems or performance issues using Flash in Firefox running on OS X. I also develop Flash applications on this system, and still no problems. I honestly don't know what people are complaining about or why their computers run poorly.

I can't run Hulu fullscreen under OS X even with the latest plug-in. I have to boot into Windows 7 for that and it works just fine. It's still eating plenty of CPU time but it is full playback speed. Silverlight is better under OS X for video.

I've had to do damage control on other sites about the default plug-in in Snow Leopard being an older version. I got spammed with Activity Monitor CPU% screen shots and complaints about Apple, Adobe, Flash, etc.

 

[wonderbread57]

No, it's lies. OSX is not vulnerable to anything anytime anywhere. Those commercials said it's PCs and windows that's vulnerable to stuff like that. C'mmon people, we're talking Apple. AAAPPPPLLLLEEE. Vulnerability? It doesn't exist!

 

[justfine]

Is anyone else who upgraded Flash dealing with this?????

Now safari semi-crashes when I go to print....seconds after installing the current Flash update????

I installed the flash update yesterday. I just printed this page. My Canon printer appeared in the print box and its driver was auto loaded. The page was loaded, the printer did its job (in greyscale, no sense using color for a test), and that's that. Total time including loading the driver and printing...maybe 2 minutes. Wirelessly as the printer is connected to my TC.

As for SL, everything is faster, much faster on my 1st gen MBAir. And with only an 80G hd I gained 10 G! Yes, 10 additional GB. My machine went from 30 available G's to over 40. Startup and shut down and reboots are about half the previous times. I couldn't be happier, especially as my wife received the recent purchaser SL upgrade disc for $10. Arrived Monday.

Such A Deal!

 

[DELTAsnake]

The 3rd party software on Snow Leopard seems a little out of date, the nVidia and ATi drivers are from early July.

 

[AidenShaw]

Every install of Windows I've done has included Flash, but I'll admit that I haven't installed every variety of every version of Windows (and haven't touched 7 at all yet).

The Microsoft kits do not include Flash. An OEM Windows kit can include Flash in the bundle of bloatware that the OEM adds.

Most websites that need flash will launch a popup to install the Flash ActiveX control, so the Flash malware will be installed if the user clicks OK.

 

[Daveoc64]

It disgusts me how people can defend Apple over this.

Not only is this OLD version of Flash vulnerable, it happens to perform worse too.

There's absolutely no excuse for an upgrade replacing software with versions that have security issues.

People need to admit that Apple isn't perfect.

 

[iMaggot]

Mine was out of date as well, Apple needs to be more responsible and let us know if something in SL is out of date .

 

[AidenShaw]

I'll have to defend Apple on this one....

Not only is this OLD version of Flash vulnerable, it happens to perform worse too.

There's absolutely no excuse for an upgrade replacing software with versions that have security issues.

It's difficult to run something as complicated as an operating system through quality assurance - you have to pick a set of files (the OS build, plus other tools and 3rd party apps) from a point in time, and test those, and if the tests pan out you ship those.

Clearly an application change, even a security update, that occurs after that point in time is not included. (If the "point in time" snapshot doesn't include fixes that were published before the "point in time", then criticism is due.)

Look at it another way - what if tomorrow (2009/09/04) Adobe patches a critical security flaw in Flash.... What if you're running 10.5.999, and you patch your system from Adobe.... What if you upgrade to 10.6 next week.... Do you blame Apple for exposing you to a flaw that you've fixed on your system, even though that fix wasn't known when the DVDs were pressed?
______

The only potential for criticizing Apple is whether running software update immediately after upgrading the OS fixes the problem.

With the "continual improvement" philosophy in Windows Update, one expects to run Windows Update immediately after an install, and you expect that problems like this will be taken care of. (People who install Windows 7 on the October 22 launch will see a bunch of updates waiting....)

If Apple users have to wait for Apple to test and release 10.6.1 to fix a known vulnerability - well, that's not so good if they have to wait a long time to fix a problem....

 

[windywoo]

Flash isn't installed by default in Windows, although if you visit a Flash site in Internet Explorer the installation is almost transparent. Some replies here seemed to assume that it was.

It's Apple's need to make everything "just work" that leads them to installing Flash by default, which to my mind leads to it being their responsibility to make sure its up to date, or at the very least warning the user when an update is required.

Come to think of it when an update is needed on Windows for Flash I get a warning, why doesn't the same happen on OSX? Is Adobe just being lazy?

Can't have everything your own way. 5% marketshare means little attention from developers.

 

[Daveoc64]

The only potential for criticizing Apple is whether running software update immediately after upgrading the OS fixes the problem.

With the "continual improvement" philosophy in Windows Update, one expects to run Windows Update immediately after an install, and you expect that problems like this will be taken care of. (People who install Windows 7 on the October 22 launch will see a bunch of updates waiting....)

If Apple users have to wait for Apple to test and release 10.6.1 to fix a known vulnerability - well, that's not so good if they have to wait a long time to fix a problem....

Given that 10.6.1 will include the update, but is not out yet (and SL has now been out for a week - plus they've had a long time since the GM was published) I'd say the time has passed for Apple to claim any praise for a quick update. They could have put out a security update using Software Updater just to fix this problem, it would be small and quick (and I don't think it would have needed a reboot).

Microsoft has taken a cautious approach with both Windows 7 and Vista, leaving quite a long period of time between RTM and the release to the general public. The updates for Windows 7 so far have been to fix issues discovered since the RTM, not before it.

I think Mac OS X's biggest security weakness is Apple's attitude. They include a lot of different things with the OS, quite a few of them most users wont ever use, and then they're slow to update them. Look at the DNS issue a while ago. Everyone else shipped their updates quickly, but Apple doesn't see these 3rd party additions as a high priority, yet there's very little users can do themselves to keep secure. You can't manually install an update for the built-in JVM, because Apple makes it. Sure you can install a different JRE, but the Apple one is still there.

Frequently they leave security holes open, because they're slow to respond.

 

[alleycat]

It disgusts me how people can defend Apple over this.

Not only is this OLD version of Flash vulnerable, it happens to perform worse too.

There's absolutely no excuse for an upgrade replacing software with versions that have security issues.

People need to admit that Apple isn't perfect.

Much agreed. The fanboys here and elsewhere need to realize that this particular OS has caused a lot of problems across the board, more than usual I think. This is the buggiest since the first release of OS X 10.0. For that very reason I stayed on OS 9.2.2 in those days.

I've read that brand new Mac Pros out of the box are having problems with Snow Leopard, which makes me feel a little bit better with my "antique" Mac Pro having the same problems.

 

[Eidorian]

I understand that feature sets got frozen and an older Flash plug-in made it in. It's just annoying that on DAY ONE we didn't have a security update addressing it.

I can imagine 10.6.1 discs are going to be pressed out very soon. Windows 7 isn't out to retail and it already has fixes waiting.

 

[AidenShaw]

Given that 10.6.1 will include the update, but it is not out yet (and SL has now been out for a week - plus they've had a long time since the GM was published) I'd say the time has passed for Apple to claim any praise for a quick update. They could have put out a security update using Software Updater just to fix this problem, it would be small and quick (and I don't think it would have needed a reboot).

Microsoft has taken a cautious approach with both Windows 7 and Vista, leaving quite a long period of time between RTM and the release to the general public. The updates for Windows 7 so far have been to fix issues discovered since the RTM, not before it.

I think that we agree.

The issue isn't whether the bits on the 10.6 DVD contain applications with problems that are known today (or next week, or next month).

The issue is whether running Software Update immediately after running the 10.6 DVD fixes those known problems - or whether one needs to wait for fixes.

It seems like Microsoft has a better approach for this issue. (For example, Vista SP1 was a couple of dozen MB for people who were running Microsoft update, even thought the SP1 "combo update" was several hundred MB. Most of the fixes/improvements in SP1 had been pushed out long before SP1 was shipped.)

Windows 7 isn't out to retail and it already has fixes waiting.

Yes, but there are millions of people running Windows 7 now - far more than are running 10.6....

 

[Felix01]

This is the buggiest since the first release of OS X 10.0.

Huh? You jest, this is one of the most stable major releases we've had since X hit the streets in Mar '01.

 

[yettimillan]

So how do we make sure that all our apps like flash are up to date because I used the apple software update and it didn't give me the new flash version??

 

[farleysmaster]

Huh? You jest, this is one of the most stable major releases we've had since X hit the streets in Mar '01.

+1

Leopard had some stupid bugs in 10.5.0 (the usb file transfer one, for instance) and a bunch of annoying glitches. This has been much more pleasurable. I got my first mac with something like 10.4.6 which was fine. But I read about 10.4.0 being horrible when I was reading about 10.5.0's bugs...

 

[Bubba Satori]

Huh? You jest, this is one of the most stable major releases we've had since X hit the streets in Mar '01.

Based on what info ?

 

[farleysmaster]

Based on what info ?

Surely the other argument is the one that came first and the one that needs evidencing...

 

[Bjohnson33]

In my view this is a minor issue as it's really up to the end user to ensure that they have the latest patched versions of third-party software.

I agree - this may be making a mountain out of a molehill.

 

[UtahWJR]

Will Apple go back at some point and create a new distribution for the retail channel when issues like this happen or do they just rely on the update process?

 

[Eidorian]

Will Apple go back at some point and create a new distribution for the retail channel when issues like this happen or do they just rely on the update process?

New discs with 10.6.1 or 10.6.2 will be pressed once those updates are out.

I believe we got up to 10.5.6 under Leopard for retail.

 

[Infrared]

Does Windows include flash OOTB? I don't seem to recall that being the case. It has been a while since I have loaded Win7, but it appears to be updated with the latest version. I am not sure if that is due to the Adobe Updater that is installed or not. If it is then why isn't there a Mac version?

It does, for IE.

Are you sure about that?

I don't use IE, so I never installed Flash for it. But I tested
just now at the Flash version check page:



Javascript is enabled. That is the 32-bit version of IE 8.

 

[TuffLuffJimmy]

New discs with 10.6.1 or 10.6.2 will be pressed once those updates are out.

I believe we got up to 10.5.6 under Leopard for retail.

Actually....

They only update the disks every few OS updates.