Apple’s Users at High Risk After Snow Leopard Ships With Vulnerable Flash

Increasingly, it is exploits of application vulnerabilities, not attacks on the operating system itself, that are used to gain access to and control of modern systems. With Apple relenting and allowing more third-party software on its computers in a bid to appeal to a broader consumer market, it is finding it hard to maintain the image of security its ads claim when the applications running on its platform frequently turn out to have exploitable vulnerabilities.

It was discovered this week that Apple's new operating system, OS X 10.6 "Snow Leopard", shipped with an outdated, vulnerable version of Flash Player. According to security firm Sophos, upgrading an existing Mac to Snow Leopard silently replaces an already-installed current Flash Player with the older bundled version, without prompting the user.

In doing so, the new OS puts customers at risk, as the older version of Flash Player has several widely known vulnerabilities. Adobe's products are a popular target for attackers: Flash Player, Acrobat and Reader (the latter two used for PDF, or Portable Document Format, files) are all frequently used to compromise systems.

In July alone, Adobe was forced to patch 12 vulnerabilities in Flash Player. Those fixes are present in the current version of the player but not in the version Snow Leopard shipped with. Ten of the 12 vulnerabilities could be used to execute arbitrary code on the machine.

By default, Flash Player checks for updates only once every 30 days. That gives attackers a month-long window against new Macs and Macs upgraded to the new OS, unless Apple or its users act.

Flash Player has no local preferences pane for these settings, but savvy users can protect themselves by going to the "Settings Manager" page on Adobe's website and setting the update check interval to seven days (7, 14, 30 (default) and 60 day intervals are available). More importantly, they should upgrade immediately to the latest version of Flash Player, and do so again after upgrading to Snow Leopard, since the upgrade reinstalls the older version.
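As an added example (not from the original article, and not a tool from Adobe or Apple), a small shell script a Mac user or administrator could run after a Snow Leopard upgrade to confirm that the installed Flash Player plug-in is not older than the version Adobe currently publishes. It assumes the plug-in's standard bundle path and Info.plist key (`/Library/Internet Plug-Ins/Flash Player.plugin`, `CFBundleShortVersionString`) and takes the required minimum version as a command-line argument, because the article itself gives no version numbers; the version strings in the comments are placeholders, not real releases.

```shell
#!/bin/sh
# Added example, not part of the original article or of Adobe's/Apple's tooling.
# Reports whether the Flash Player plug-in installed on a Mac is older than a
# required minimum version passed on the command line, e.g.
#   sh check_flash.sh 10.0.99.1     # placeholder version, not a real release

# Assumed standard location of the Flash Player plug-in bundle on OS X.
FLASH_PLIST="/Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist"

# installed_flash_version [PLIST]: print the plug-in's CFBundleShortVersionString,
# or "none" if the plug-in is absent or the plist cannot be read.
installed_flash_version() {
  plist="${1:-$FLASH_PLIST}"
  if [ -r "$plist" ] && [ -x /usr/libexec/PlistBuddy ]; then
    /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$plist" 2>/dev/null || echo none
  else
    echo none
  fi
}

# version_lt A B: succeed (exit 0) if dotted version A is strictly older than B.
# Fields are compared numerically left to right; a missing field counts as 0,
# so "10.0" and "10.0.0.0" compare equal.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    if [ -z "$ai" ]; then ai=0; fi
    if [ -z "$bi" ]; then bi=0; fi
    if [ "$ai" -lt "$bi" ]; then return 0; fi
    if [ "$ai" -gt "$bi" ]; then return 1; fi
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
  done
  return 1
}

# flash_status INSTALLED MINIMUM: print "missing", "outdated" or "current".
flash_status() {
  case "$1" in
    none|"") echo missing; return 0 ;;
  esac
  if version_lt "$1" "$2"; then echo outdated; else echo current; fi
}

# Only run the report when a minimum version was supplied, so the functions
# above can also be sourced from another script.
if [ "$#" -ge 1 ]; then
  installed="$(installed_flash_version)"
  echo "installed Flash Player: $installed"
  echo "status vs $1: $(flash_status "$installed" "$1")"
fi
```

Run it with the current version number from Adobe's download page as the argument; an "outdated" result after a Snow Leopard upgrade is exactly the silent downgrade described above, and the fix is to reinstall the current player. The field-by-field comparison matters because a plain string compare would rank "10.0.9.x" above "10.0.32.x".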

Apple did not respond to a request for comment. The revelation came as Snow Leopard shipped with Apple's first ever built-in malware detection, capable of recognising two common pieces of Mac malware, "RSPlug.a" and "Iservice". Apple's press releases also touted several other security improvements in Snow Leopard. Nonetheless, security firms remain skeptical of these efforts, saying the OS still has many security flaws.