Snow Leopard downgrades security and misses opportunity to improve

Filed Under: Adobe Flash, Apple, OS X, Vulnerability


After the better part of a week it seems we are still finding warts in Apple's newest operating system release, Mac OS X Snow Leopard.

Graham Cluley made a video this morning about his discovery that Adobe Flash player can be downgraded silently when upgrading from Leopard to Snow Leopard.

This is an unfortunate oversight on Apple's part, as it could put OS X users at risk, and it is quite easy to check the version of an application before replacing it. It appears the version of Flash player included is from approximately the end of calendar Q1 this year, which is likely when Apple needed to enter a code freeze.

On my own MacBook Pro I noticed another peculiarity last Friday, but thought I might have imagined it... Fortunately my colleague Sean Richmond in our Australian office confirmed my suspicions this afternoon when he upgraded his MacBook. My screensaver password lock was disabled after upgrading. Another change to my security settings without notification or permission? Some changes are necessary and difficult to migrate, but PLEASE tell me about things that affect my safety when using my computer.

There was a lot of speculation earlier this year that Apple would improve its Address Space Layout Randomization (ASLR). According to The Register's Dan Goodin, the weakness in Apple's partial implementation of ASLR was not improved to provide complete randomization. Microsoft faced similar criticism with Vista, but has responded to the community with Internet Explorer 8 including support for ASLR.

The last missed opportunity is that Data Execution Prevention (DEP) still does not protect Safari. It could be argued that this is the most critical application to support DEP, as most attacks today occur over the web. To some degree Apple has acknowledged this with their new anti-malware protection that mostly applies to internet-enabled applications.

It's not all bad. You can no longer download OSX/RSPlug due to the anti-malware checks. Safari now launches plugins as a separate process and some targeted components now run in a sandbox environment.

If you are upgrading your Macs to Snow Leopard be sure to check the following before considering the task complete:

  1. If you are using Sophos Anti-Virus for Mac ensure you have updated to version 7.0.5 or newer.
  2. After installation go to Adobe's website and get the latest Flash player.
  3. Check your screensaver preferences in the System Preferences tool. Re-enable any password protection and adjust the settings to their intended values.
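The two checks in steps 2 and 3 can be scripted, which also shows the kind of version check the post says Apple should have done before replacing the plug-in. The script below is an added example and is not code from the post or from Sophos. It assumes the system-wide Flash Player plug-in lives at the standard `/Library/Internet Plug-Ins/Flash Player.plugin` path and records its version in `CFBundleVersion` in its `Info.plist`, that the screensaver lock is stored under the `askForPassword` key of the `com.apple.screensaver` defaults domain, and that `REQUIRED_FLASH_VERSION` is a placeholder you set from the version Adobe currently publishes. The sample plist embedded for offline testing is constructed, not copied from a real install.

```python
"""Post-upgrade checks for Mac OS X: Flash Player version and screensaver lock.

Added example, not from the original post. Paths, keys and the required
version are assumptions; see the comments on each.
"""
import plistlib
import subprocess
from pathlib import Path

# Assumed standard location of the system-wide Flash Player plug-in on OS X.
FLASH_INFO_PLIST = Path("/Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist")

# Placeholder: replace with the version Adobe currently lists on its download page.
REQUIRED_FLASH_VERSION = "10.0.32.18"

# Constructed sample Info.plist so the parsing logic can be exercised offline.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleName</key><string>Flash Player</string>
  <key>CFBundleVersion</key><string>10.0.9.0</string>
</dict>
</plist>
"""


def parse_version(text):
    """Split '10.0.32.18' into (10, 0, 32, 18).

    Comparing version strings lexically is a classic mistake: '10.0.9.0' sorts
    after '10.0.32.18' as text, so an older build would wrongly pass the check.
    """
    return tuple(int(part) for part in text.strip().split("."))


def flash_version_from_plist(plist_bytes):
    """Return the bundle version recorded in an Info.plist (XML or binary form)."""
    info = plistlib.loads(plist_bytes)
    return info.get("CFBundleVersion") or info.get("CFBundleShortVersionString")


def flash_is_current(installed, required):
    """True when the installed version is at least the required one (numeric compare)."""
    return parse_version(installed) >= parse_version(required)


def screensaver_password_enabled(defaults_output):
    """Interpret `defaults read com.apple.screensaver askForPassword`; '1' means the lock is on."""
    return defaults_output is not None and defaults_output.strip() == "1"


def read_defaults(domain, key):
    """Run `defaults read`; None when the key is unset or this is not macOS."""
    try:
        result = subprocess.run(["defaults", "read", domain, key],
                                capture_output=True, text=True, check=True)
        return result.stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None


def check_system():
    """Run both checks against the live machine and return the findings."""
    findings = {}
    if FLASH_INFO_PLIST.exists():
        installed = flash_version_from_plist(FLASH_INFO_PLIST.read_bytes())
        findings["flash_installed"] = installed
        findings["flash_current"] = flash_is_current(installed, REQUIRED_FLASH_VERSION)
    else:
        findings["flash_installed"] = None
        findings["flash_current"] = None  # plug-in absent: nothing to downgrade
    findings["screensaver_lock"] = screensaver_password_enabled(
        read_defaults("com.apple.screensaver", "askForPassword"))
    return findings


if __name__ == "__main__":
    # Offline demonstration on the constructed plist, then the real machine.
    sample = flash_version_from_plist(SAMPLE_PLIST)
    print("sample plist version:", sample,
          "current" if flash_is_current(sample, REQUIRED_FLASH_VERSION) else "OUTDATED")
    for name, value in check_system().items():
        print(f"{name}: {value}")
```

Anything reported as `OUTDATED` or `screensaver_lock: False` is exactly the silent regression the post describes; fix it by hand through Adobe's download page and the Desktop & Screen Saver preferences, or re-enable the lock with `defaults write com.apple.screensaver askForPassword -int 1`.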

Update, September 3, 2009: Adobe recommends updating the Flash player that shipped with OS X 10.6 (Snow Leopard).

Creative Commons image courtesy of flickr photostream by dpape


One Response to Snow Leopard downgrades security and misses opportunity to improve

  1. That's weird! If I were Apple, I would either a. ship with the latest version as of production (maybe that was the latest version as of Snow Leopard's release :? ) or don't ship any flash software.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.