Apple ships a known vulnerable version of Flash with Snow Leopard


The last thing you expect when you upgrade your operating system is that some of your security will be silently downgraded.

But that's precisely what seems to have happened with Mac OS X Snow Leopard, which ignores that you have been keeping Adobe Flash up-to-date and downgrades it to an earlier version, as the following YouTube video shows:


So, let's explain what's going on here. Imagine you have a Mac. Imagine you have been really diligent about keeping your copy of Adobe Flash up-to-date (Adobe is commonly targeted by the bad guys, and so Adobe has been releasing regular security updates for Flash and PDF Reader).

Now, imagine (like me) you got your copy of Snow Leopard on Friday, and have now updated your computers.

Unfortunately, during the course of that update (and unknown to you), Apple downgraded your installation of Flash to an earlier version (version 10.0.23.1), which is known not to be secure and is not patched against various security vulnerabilities.

The version you should be running is the latest version of Flash Player for Mac - 10.0.32.18.

Mac users are not informed that Snow Leopard has downgraded their version of Flash without permission, and that they are now exposed to a raft of potential attacks and exploits which have been targeted at Adobe's software in recent months.

I urge all Mac users who have upgraded to Snow Leopard to double-check that their version of Adobe Flash is current and - if not - update it immediately from http://get.adobe.com/flashplayer/

This should be done as a matter of priority. Adobe is the "new Microsoft" when it comes to security vulnerabilities, with hackers targeting their software looking for vulnerabilities to exploit. This has led the company to follow Microsoft's example by releasing regular security updates.

Mac users who have been diligent enough to keep their security up-to-date do not deserve to be silently downgraded. We know that hackers keep finding security holes in Adobe's code - and that's deeply concerning because it is so widely used by many internet users, whether on Mac or PC.

It's vital, therefore, that users ensure they are running the latest version - and that, in the future, operating system manufacturers do not reduce their customers' level of security without warning.

If you're not sure which version of Adobe Flash you have on your computer (whatever operating system you use), take 30 seconds to visit their website. Adobe will not only tell you what version of Flash you are running, they will also tell you what version you should be running.
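For anyone who would rather script the check across several Macs, here is an added example (not part of the original post, and not Adobe's or Apple's code) that compares a plug-in's version before and after an OS upgrade and flags a silent downgrade. It assumes the version is read from the plug-in bundle's Info.plist under the standard `CFBundleShortVersionString` key; the plist contents are constructed samples and the function names are hypothetical.

```python
import plistlib

# Version the article names as current for Flash Player on Mac.
PATCHED_MIN = "10.0.32.18"


def parse_version(text):
    """Turn '10.0.32.18' into (10, 0, 32, 18) so each field compares as a number.

    Comparing the raw strings would rank '10.0.9.0' above '10.0.32.18'.
    """
    return tuple(int(part) for part in text.strip().split("."))


def bundle_version(info_plist_bytes, key="CFBundleShortVersionString"):
    """Read the version string from a bundle's Info.plist (key is an assumption)."""
    return plistlib.loads(info_plist_bytes)[key]


def audit(before, after, minimum=PATCHED_MIN):
    """Compare pre- and post-upgrade versions and return a list of findings."""
    findings = []
    if parse_version(after) < parse_version(before):
        findings.append("downgraded")      # the OS installer replaced a newer copy
    if parse_version(after) < parse_version(minimum):
        findings.append("below-patched")   # older than the version the article recommends
    return findings


def make_plist(version):
    """Constructed sample Info.plist, standing in for the plug-in's real one."""
    return plistlib.dumps({"CFBundleShortVersionString": version})


if __name__ == "__main__":
    # Snapshot taken before the OS upgrade (constructed).
    before = bundle_version(make_plist("10.0.32.18"))
    # Version the article says Snow Leopard installs (constructed plist).
    after = bundle_version(make_plist("10.0.23.1"))
    print(before, "->", after, audit(before, after))
```
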

Update: Chet has blogged about other security oddities he's seen when upgrading from Leopard to Snow Leopard, and claims that Apple has missed an opportunity to improve.


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations.