Snow Leopard downgrades security and misses opportunity to improve


After the better part of a week it seems we are still finding warts in Apple’s newest operating system release, Mac OS X Snow Leopard.

Graham Cluley made a video this morning about his discovery that Adobe Flash player can be downgraded silently when upgrading from Leopard to Snow Leopard.

This is an unfortunate oversight on Apple’s part, as it could put OS X users at risk, and it is quite easy to check the version of an application before replacing it. It appears the version of Flash player included is from approximately the end of calendar Q1 this year, which is likely when Apple needed to enter a code freeze.

On my own MacBook Pro I noticed another peculiarity last Friday, but thought I might have imagined it… Fortunately my colleague Sean Richmond in our Australian office confirmed my suspicions this afternoon when he upgraded his MacBook. My screensaver password lock was disabled after upgrading. Another change to my security settings without notification or permission? Some changes are necessary and difficult to migrate, but PLEASE tell me about things that affect my safety when using my computer.

There was a lot of speculation earlier this year that Apple would improve its Address Space Layout Randomization (ASLR). According to The Register’s Dan Goodin, the weakness in Apple’s partial implementation of ASLR was not improved to provide complete randomization. Microsoft faced similar criticism with Vista, but has responded to the community with Internet Explorer 8 including support for ASLR.

The last missed opportunity is that Data Execution Prevention (DEP) still does not protect Safari. It could be argued that this is the most critical application to support DEP, as most attacks today occur over the web. To some degree Apple has acknowledged this with their new anti-malware protection that mostly applies to internet-enabled applications.

It’s not all bad. You can no longer download OSX/RSPlug due to the anti-malware checks. Safari now launches plugins as a separate process and some targeted components now run in a sandbox environment.

If you are upgrading your Macs to Snow Leopard be sure to check the following before considering the task complete:

  1. If you are using Sophos Anti-Virus for Mac ensure you have updated to version 7.0.5 or newer.
  2. After installation go to Adobe’s website and get the latest Flash player.
  3. Check your screensaver preferences in the System Preferences tool. Re-enable any password protection and adjust the settings to their intended values.
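For readers who would rather script steps 2 and 3 than click through them, here is an added post-upgrade check. It is not from the original post: it re-verifies the two settings the post found silently changed, the installed Flash Player plugin version and the screensaver password lock. It assumes the plugin lives at /Library/Internet Plug-Ins/Flash Player.plugin and reports its version in CFBundleShortVersionString, and that the screensaver lock is the askForPassword key in com.apple.screensaver. Because the post names no version number, the version you expect is taken from Adobe’s download page and passed as the first argument.

```shell
#!/bin/sh
# Added post-upgrade check (not from the original post). Re-verifies the two
# settings the post found silently changed by the Snow Leopard upgrade:
# the installed Flash Player plugin version and the screensaver password lock.
# Assumptions: the plugin lives at /Library/Internet Plug-Ins/Flash Player.plugin
# and reports its version in CFBundleShortVersionString; the screensaver lock is
# the askForPassword key in com.apple.screensaver. The version you expect comes
# from adobe.com and is passed as the first argument (the post names no number).

FLASH_PLIST="/Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info"

# version_lt A B: succeed (exit 0) when dotted version A is older than B.
# Components are compared numerically, left to right; missing components count as 0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac="${a%%.*}"; bc="${b%%.*}"           # leading component of each
        if [ "$a" = "$ac" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bc" ]; then b=""; else b="${b#*.}"; fi
        ac="${ac:-0}"; bc="${bc:-0}"
        if [ "$ac" -lt "$bc" ]; then return 0; fi
        if [ "$ac" -gt "$bc" ]; then return 1; fi
    done
    return 1                                   # equal versions are not "older"
}

# screensaver_lock_ok VALUE: succeed only when the preference value means "ask for password".
screensaver_lock_ok() {
    [ "${1:-0}" -eq 1 ] 2>/dev/null
}

# Version string of the installed plugin, or empty if it is not installed.
installed_flash_version() {
    defaults read "$FLASH_PLIST" CFBundleShortVersionString 2>/dev/null
}

# Current askForPassword value; an absent key means the default of "no password",
# which is what the post observed after the upgrade.
screensaver_ask_for_password() {
    defaults read com.apple.screensaver askForPassword 2>/dev/null || echo 0
}

check_snow_leopard_upgrade() {
    required="$1"
    if [ -z "$required" ]; then
        echo "usage: $0 <flash-version-currently-offered-by-adobe.com>" >&2
        return 2
    fi
    status=0
    installed=$(installed_flash_version)
    if [ -z "$installed" ]; then
        echo "FLASH: plugin not found at $FLASH_PLIST.plist"
        status=1
    elif version_lt "$installed" "$required"; then
        echo "FLASH: installed $installed is older than $required; get the current installer from Adobe"
        status=1
    else
        echo "FLASH: installed $installed is current"
    fi
    if screensaver_lock_ok "$(screensaver_ask_for_password)"; then
        echo "SCREENSAVER: password lock is enabled"
    else
        echo "SCREENSAVER: password lock is OFF; re-enable it in System Preferences"
        status=1
    fi
    return $status
}

# Only run the live checks on a Mac; the helper functions above work anywhere.
if [ "$(uname 2>/dev/null)" = "Darwin" ]; then
    check_snow_leopard_upgrade "$@"
fi
```

Run it as `sh check_upgrade.sh <version>` after the upgrade; it exits non-zero if either setting needs attention, so it can be dropped into a deployment script for a fleet of upgraded Macs. The version comparison is component-wise rather than a plain string compare, so a four-part Flash version such as 10.0.32.18 sorts correctly against 10.0.23.1.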

Update, September 3, 2009: Adobe recommends updating the Flash player that shipped with OS X 10.6 (Snow Leopard).

Creative Commons image courtesy of flickr photostream by dpape