[Infowarrior] - Apple silently downgrades Flash to vuln version

Richard Forno rforno at infowarrior.org
Thu Sep 3 11:29:51 UTC 2009


Apple ships a known vulnerable version of Flash with Snow Leopard

http://www.sophos.com/blogs/gc/g/2009/09/02/apple-ships-vulnerable-version-flash-snow-leopard/

The last thing you expect when you upgrade your operating system is
that you will have some of your security silently downgraded.

But that's precisely what seems to have happened with Mac OS X Snow
Leopard, which ignores that you have been keeping Adobe Flash
up-to-date and downgrades it to an earlier version, as the following
YouTube video shows:

So, let's explain what's going on here. Imagine you have a Mac. Imagine
you have been really diligent about keeping your copy of Adobe Flash
up-to-date (Adobe is commonly targeted by the bad guys, and so Adobe
has been releasing regular security updates for Flash and PDF Reader).

Now, imagine (like me) you got your copy of Snow Leopard on Friday,  
and have now updated your computers.

Unfortunately during the course of that update (and unknown to you)  
Apple downgraded your installation of Flash to an earlier version  
(version 10.0.23.1), which is known not to be secure and is not  
patched against various security vulnerabilities.

The version you should be running is the latest version of Flash  
Player for Mac - 10.0.32.18.

Mac users are not informed that Snow Leopard has downgraded their  
version of Flash without permission, and that they are now exposed to  
a raft of potential attacks and exploits which have been targeted on  
Adobe's software in recent months.

I urge all Mac users who have upgraded to Snow Leopard to double-check  
that their version of Adobe Flash is current and - if not - update it  
immediately from http://get.adobe.com/flashplayer/

This should be done as a matter of priority. Adobe is the "new
Microsoft" when it comes to security vulnerabilities, with hackers
targeting their software looking for vulnerabilities to exploit. This
has led the company to follow Microsoft's example by releasing
regular security updates.

Mac users who have been diligent enough to keep their security
up-to-date do not deserve to be silently downgraded. We know that hackers
keep finding security holes in Adobe's code - and that's deeply
concerning because it is so widely used by many internet users,
whether on Mac or PC.

It's vital, therefore, that users ensure they are running the latest  
version - and that, in the future, operating system manufacturers do  
not reduce their customers' level of security without warning.

If you're not sure which version of Adobe Flash you have on your  
computer (whatever operating system you use), take 30 seconds to visit  
their website. Adobe will not only tell you what version of Flash you  
are running, they will also tell you what version you should be running.

Update: Chet has blogged about other security oddities he's seen when  
upgrading from Leopard to Snow Leopard, and claims that Apple has  
missed an opportunity to improve.

Posted on September 2nd, 2009 by Graham Cluley, Sophos
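
An added example, not part of the original post or the Sophos article: one way to catch the kind of silent downgrade described above is to record component versions before an OS upgrade and compare them afterwards. The inventories and function names are constructed for illustration; only the two Flash version numbers come from the article.

```python
"""Flag components whose version went backwards across an OS upgrade."""


def parse_version(text):
    """Turn a dotted version such as '10.0.32.18' into a tuple of ints."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a, b):
    """Return -1, 0 or 1. Fields compare as numbers, so 10.0.9 < 10.0.32
    (a plain string comparison gets that wrong); missing fields count as 0."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def find_regressions(before, after):
    """Compare two {component: version} inventories taken before and after
    the upgrade. Returns sorted (component, old, new, status) tuples, where
    status is 'downgraded' or 'removed'."""
    findings = []
    for name, old in before.items():
        new = after.get(name)
        if new is None:
            findings.append((name, old, None, "removed"))
        elif compare_versions(new, old) < 0:
            findings.append((name, old, new, "downgraded"))
    return sorted(findings, key=lambda f: f[0])


# Constructed inventories. The Flash versions are the two named in the
# article; the other entries are made-up placeholders.
BEFORE_UPGRADE = {"Flash Player": "10.0.32.18",
                  "Example Plug-in A": "2.4",
                  "Example Plug-in B": "7.1.0"}
AFTER_UPGRADE = {"Flash Player": "10.0.23.1",
                 "Example Plug-in A": "2.4.0",
                 "Example Plug-in B": "7.2"}

if __name__ == "__main__":
    for name, old, new, status in find_regressions(BEFORE_UPGRADE, AFTER_UPGRADE):
        print(f"{status.upper()}: {name} {old} -> {new}")
```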

