Adobe Flash Player Snow Leopard

Apple is silently downgrading users of Mac OS X 10.6, code-named Snow Leopard, to an old, vulnerable version of Adobe Flash Player. According to Sophos, users who upgrade to Snow Leopard are left with Flash Player 10.0.23.1, a version older than the current release from Adobe and susceptible to known attacks. (A later Apple release went the other way: if Safari 5.1.7 or Leopard Security Update 2012-003 detects an out-of-date version of Flash Player on your system, you will see a dialog informing you that Flash Player has been disabled.)

Saturday, 5 September 2009


(9:30pm ET: See updates one and two, inline below.)

Jeffrey Czerniak answers my “What should Apple have done differently?” question:

John Gruber’s latest piece of Apple apologetics concerns the fact that Apple shipped a known-vulnerable version of Adobe Flash Player on the Snow Leopard DVD. He has the gall to ask those of us who consider this a bad thing,

But what exactly should Apple have done differently?

Gruber apparently considers the possibility of postponing the release of Snow Leopard in order to coordinate with Adobe to be unreasonable. If postponing Snow Leopard is out-of-bounds, then I have another suggestion:

Apple could have posted a security advisory.

Is it possible in the run-up to going GM that a serious issue could be discovered that would warrant postponing the release of a major OS update? Sure. That’s exactly why GM releases aren’t rushed. Is this Flash situation such an issue? I believe not — and have seen no evidence that it is.

As for Apple issuing a security advisory, sure. That would be nice. But that’s not how Apple rolls. Apple’s policy regarding security issues is not to publicize them until after they’ve been addressed by software updates. It’s not unreasonable at all to disagree with this policy, but I think Apple is pretty happy with how it’s worked out for them so far, so don’t hold your breath waiting for it to change.

Why Doesn’t the Snow Leopard Installer Do the Right Thing if You’ve Already Installed the Latest Version of Flash?

Mike Ash, in a series of tweets, argues that the problem is specifically the issue of the installer downgrading the version of Flash for users who manually upgraded to the latest version of Flash while they were on 10.5. (Forgive him for his brevity, given the constraints of Twitter.)

I have no sympathy for the argument that Apple should have included an eight-day-old version of Flash in the Snow Leopard installer, or that they should have delayed the release of Snow Leopard to include it. I do have sympathy for the argument, like Ash’s, that the installer ought not replace a newer version with an older one.

And there’s a good — but, alas, in my research, unanswered — technical question as to why this did not in fact work as Ash and others expected. The Mac OS X Installer system relies on “bill of materials” bom files. From the bom man page:

The Mac OS X Installer uses a file system “bill of materials” to determine which files to install, remove, or upgrade. A bill of materials, bom, contains all the files within a directory, along with some information about each file. File information includes: the file’s UNIX permissions, its owner and group, its size, its time of last modification, and so on. Also included are a checksum of each file and information about hard links.

The bill of materials for installed packages are found within the package receipts located in /Library/Receipts.

In theory, the Snow Leopard installer could look at the bom for Flash and, if the installed version is greater than the version in the installer, leave it. I do not know why it doesn’t work this way. Perhaps the bom file left by Adobe’s Flash installer is malformed. Perhaps (and this is my guess) the installer for major OS versions does not check for such things for components in the “Essentials” and “BaseSystem” installer packages. (Flash, and all other default items in the /Library/Internet Plug-Ins/ folder, are part of the Essentials package.)
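The check described above, as an added example rather than anything from the original post or from Apple’s installer: compare the version already on disk with the one the installer carries, and only overwrite when the payload is newer. A bom receipt records paths, permissions and checksums, not a version number, so the version string has to come from the plugin bundle’s Info.plist (on a real Mac, /Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist; the plist text embedded here is constructed). The function names and the two policy functions are mine; the version numbers 10.0.23.1 and 10.0.32.18 are the ones discussed in this post.

```bash
#!/bin/sh
# Added example (not from the original post, Apple or Adobe): a "keep the
# newer one" check of the kind the Snow Leopard installer could in theory do.

# CONSTRUCTED stand-in for /Library/Internet Plug-Ins/Flash Player.plugin/
# Contents/Info.plist; only the CFBundleVersion key matters here.
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleShortVersionString</key>
    <string>10.0</string>
    <key>CFBundleVersion</key>
    <string>10.0.32.18</string>
</dict>
</plist>'

# Print the <string> that follows the CFBundleVersion key in plist text read
# from stdin. Assumes Apple's usual one-element-per-line formatting.
bundle_version_from_plist() {
  seen=0
  while IFS= read -r line; do
    if [ "$seen" -eq 1 ]; then
      line=${line#*<string>}
      printf '%s\n' "${line%%</string>*}"
      return 0
    fi
    case $line in *'<key>CFBundleVersion</key>'*) seen=1 ;; esac
  done
  return 1
}

# Compare two dotted numeric versions field by field. Prints -1, 0 or 1 for
# a<b, a==b, a>b. A missing trailing field counts as 0, so 10.0 == 10.0.0.0.
vercmp() {
  a=$1 b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*} y=${b%%.*}
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    if [ "${x:-0}" -lt "${y:-0}" ]; then printf '%s\n' -1; return 0; fi
    if [ "${x:-0}" -gt "${y:-0}" ]; then printf '%s\n' 1; return 0; fi
  done
  printf '%s\n' 0
}

# Policy the post suspects applies to "Essentials" components: install the
# installer's own version ($2) regardless of what is on disk ($1).
essentials_policy() { printf '%s\n' "$2"; }

# Policy Ash and others expected: keep whichever of the two is newer.
keep_newer_policy() {
  if [ "$(vercmp "$1" "$2")" -gt 0 ]; then printf '%s\n' "$1"; else printf '%s\n' "$2"; fi
}

# True when the version on disk ($1) is older than the fixed release ($2).
needs_update() { [ "$(vercmp "$1" "$2")" -lt 0 ]; }

# Demo: a Leopard user who already installed 10.0.32.18 upgrades with an
# installer whose Essentials payload carries 10.0.23.1.
installed=$(printf '%s\n' "$SAMPLE_PLIST" | bundle_version_from_plist)
payload=10.0.23.1
fixed=10.0.32.18
for policy in essentials_policy keep_newer_policy; do
  result=$("$policy" "$installed" "$payload")
  if needs_update "$result" "$fixed"; then
    verdict="older than $fixed, update"
  else
    verdict="up to date"
  fi
  printf '%-20s -> %s (%s)\n' "$policy" "$result" "$verdict"
done
```

The same `vercmp` and `needs_update` pair is the check a user should run after the upgrade finishes: read CFBundleVersion from the installed plugin and compare it with the release Adobe currently recommends, rather than trusting that the installer left the newer copy alone.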

Yesterday, as a hypothetical example, I wrote:

That’s just how the installer works. The same is true for any component you manually upgrade. Like, say, if you overwrote the system version of Python with version 2.6.2 — when you upgrade to Snow Leopard, the installer will give you the system standard version (2.6.1).

Ends up I chose a bad example, because this is not true. DF reader Jonathan Lundell emailed me to report that he had in fact upgraded his system version of Python to version 2.6.2 while on Mac OS X 10.5.8, and, after upgrading to Snow Leopard, he still had version 2.6.2 installed, not the Snow Leopard default version 2.6.1.

Update 1: Correction, ends up I was right in the first place. Lundell’s personally updated version of Python 2.6.2 was, and remains, in /usr/local/bin/. The system version of Python (version 2.6.1) is right where it should be in /usr/bin/. The confusion arose because he checked the version by typing just “python -V”, rather than specifying the full path to /usr/bin/python at the command prompt.
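The mix-up in Update 1 is easy to reproduce, and the fix is to report the path alongside the version. The script below is an added example, not from the post: it builds two constructed stand-in interpreters under a temporary directory (in place of /usr/bin/python reporting 2.6.1 and /usr/local/bin/python reporting 2.6.2) and shows that a bare `python -V` answers for whichever directory comes first in PATH, while a full path answers for exactly that binary. `resolve_in_path` is my own re-implementation of the shell’s PATH walk, written out so the lookup order is visible.

```bash
#!/bin/sh
# Added example (not from the original post): why "python -V" and
# "/usr/bin/python -V" can disagree. Everything under $ROOT is CONSTRUCTED.

ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT

# Create a stand-in interpreter that only reports a version string.
make_fake_python() {  # $1 = directory, $2 = version to report
  mkdir -p "$1"
  printf '#!/bin/sh\necho "Python %s"\n' "$2" > "$1/python"
  chmod +x "$1/python"
}

# Walk a PATH value the way the shell does and print the first match.
resolve_in_path() {  # $1 = PATH value, $2 = command name
  rest=$1
  while [ -n "$rest" ]; do
    dir=${rest%%:*}
    case $rest in *:*) rest=${rest#*:} ;; *) rest= ;; esac
    if [ -x "$dir/$2" ]; then printf '%s\n' "$dir/$2"; return 0; fi
  done
  return 1
}

# Version reported by one specific binary (real Python 2.x prints -V to stderr).
version_of() { "$1" -V 2>&1 | sed 's/^Python //'; }

make_fake_python "$ROOT/usr/bin" 2.6.1        # stand-in for the system Python
make_fake_python "$ROOT/usr/local/bin" 2.6.2  # stand-in for a hand-installed one

# A PATH with /usr/local/bin first is what makes a bare "python -V" say 2.6.2.
for p in "$ROOT/usr/local/bin:$ROOT/usr/bin" "$ROOT/usr/bin:$ROOT/usr/local/bin"; do
  bin=$(resolve_in_path "$p" python)
  printf 'PATH=%s\n  python -V -> %s (%s)\n' "$p" "$(version_of "$bin")" "$bin"
done

# Naming the path removes the ambiguity: this is the system copy, full stop.
printf '%s -V -> %s\n' "$ROOT/usr/bin/python" "$(version_of "$ROOT/usr/bin/python")"
```

When verifying a claim like “the installer replaced my Python”, print `command -v python` (or the equivalent lookup above) next to the version so the reader can see which file actually answered.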

(As for why the Mac OS X Installer might be designed to overwrite components like Flash in this regard, consider the following hypothetical. What if the very latest version of Flash worked just fine on Leopard but did not work on Snow Leopard? That is apparently not the case, but, what if it were? (And don’t tell me it’s not possible.) In that case, if the OS installer worked as Ash and others desire, after upgrading to Snow Leopard you’d have a system where Flash did not work at all. Some people may reasonably argue that they’d prefer a broken version of Flash to a potentially vulnerable version, but the point of the components in the Essentials package is that Apple deems them, well, essential. The installer logic for these “essential” components may reasonably be that it’s going to install its own known versions no matter what’s already on the disk being upgraded. Why Flash is deemed essential is a good question, though.)

Which Vulnerabilities Apply to Flash Version 10.0.23.1?


Lastly, I’ve been attempting to research exactly what the vulnerabilities are in Snow Leopard 10.6.0’s version of Flash, but have come up empty. There are three versions of Flash to keep in mind:

  • 10.0.32.18 — The current version of Flash 10 from Adobe.
  • 10.0.23.1 — The version that ships with Snow Leopard 10.6.0.
  • 10.0.22.87 — The version of Flash Adobe identifies as having “critical vulnerabilities”.1

Adobe’s security bulletins and advisories page lists just four advisories for Flash Player 10. One dates back to February and is no longer relevant; the other three were from late July. One of the advisories from July is specific to Windows Internet Explorer. The other two apply to Windows, Mac OS X, and Linux.

Advisory APSA09-03, dated 22 July 2009, states:

A critical vulnerability exists in the current versions of Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2009-1862) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild via limited, targeted attacks against Adobe Reader v9 on Windows. […]

Advisory APSB09-10, dated 30 July 2009, states:

Critical vulnerabilities have been identified in the current versions of Adobe Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX operating systems. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends users of Adobe Flash Player 9.x and 10.x and earlier versions update to Adobe Flash Player 9.0.246.0 and 10.0.32.18.

In both advisories, the “affected software versions” are listed as “Adobe Flash Player 9.0.159.0 and 10.0.22.87 and earlier 9.x and 10.x versions”. So both of these bulletins mention version 10.0.22.87 as being vulnerable and recommend updating to version 10.0.32.18. But neither mentions version 10.0.23.1 at all.

Is version 10.0.23.1 susceptible to the same “critical vulnerabilities” as version 10.0.22.87? I can’t find any version information about Flash 10.0.23.1 whatsoever. It could be that 10.0.23.1 has all, some, or none of the vulnerabilities in version 10.0.22.87. I do not know.

The only mention from Adobe regarding Snow Leopard’s version of Flash is this post on the Adobe Flash Platform Blog by Tom Barclay, which reads in its entirety:

The initial release of Mac OS X 10.6 (Snow Leopard) includes an earlier version of Adobe Flash Player than what is available from Adobe.com. We recommend all users update to the latest, most secure version of Flash Player (10.0.32.18) — which supports Snow Leopard and is available for download from http://www.adobe.com/go/getflashplayer.


So, yes, Adobe clearly recommends upgrading to 10.0.32.18, but doesn’t mention any specific problems with 10.0.23.1.

Update 2: Via Twitter, Dj Walker-Morgan reports that version 10.0.23.1 is the same version of Flash from the June WWDC seed of Snow Leopard, so it almost certainly doesn’t contain the fixes for the issues Adobe publicized in July.

  1. 10.0.22.87 is, in fact, still the standard version of Flash in Mac OS X 10.5.8. ↩︎


Uninstalling Adobe Flash Player on Mac OS X

  1. Download the Adobe Flash Player uninstaller:

    • Mac OS X, version 10.6 and later: uninstall_flash_player_osx.dmg
    • Mac OS X, version 10.4 and 10.5: uninstall_flash_player_osx.dmg

    The uninstaller is downloaded to the Downloads folder of your browser by default.

  2. In Safari, choose Window > Downloads.

    If you are using Mac OS X 10.7 (Lion), click the Downloads icon displayed on the browser.

  3. To open the uninstaller, double-click it in the Downloads window.

    Note: If the Flash Player uninstaller window does not appear, choose Go > Desktop in the Finder. Scroll down to the Devices section and click Uninstall Flash Player.

  4. To run the uninstaller, double-click the Uninstaller icon in the window. If you see a message asking if you want to open the uninstaller file, click Open.

  5. Bookmark or print this page so that you can use the rest of these instructions after you close your browser.
  6. To close all browsers, either click the browser name in the Uninstaller dialog, or close each browser manually and then click Retry.

    Note: Do not click Quit in the Uninstaller window. It stops the uninstallation process.

  7. After you close the browsers, the uninstaller continues automatically until the uninstallation is complete. When you see the message notifying you that the uninstallation succeeded, click Done.

  8. Delete the following directories:

    • <home directory>/Library/Preferences/Macromedia/Flash Player
    • <home directory>/Library/Caches/Adobe/Flash Player
