September 4, 2009

Don't call it a comeback

John Gruber's latest piece of Apple apologetics concerns the fact that Apple shipped a known-vulnerable version of Adobe Flash Player on the Snow Leopard DVD. He has the gall to ask those of us who consider this a bad thing,

But what exactly should Apple have done differently?

Gruber apparently considers the possibility of postponing the release of Snow Leopard in order to coordinate with Adobe to be unreasonable. If postponing Snow Leopard is out-of-bounds, then I have another suggestion:

Apple could have posted a security advisory.

This is not unprecedented, of course. Companies routinely issue recalls and then post press releases so that the public is properly informed of the risk to which they've been subjected. Banquet alerts customers when they ship tainted pot pies, Starbucks alerts customers when they ship dangerous coffee bean grinders... hell, Microsoft even posts advisories when their customers are vulnerable to 0-day attacks for which no patch is available.

If you compare Apple's product security page to Microsoft's, you quickly see how important Microsoft considers informing its customers. (Yes, I realize that they've come a long way, but they deserve a bunch of credit.) Microsoft gives customers advance notice that security patches are coming, gives a reasonable amount of detail about what gets patched in each update, and as noted before, does their best to alert customers of appropriate mitigation steps when they know about critical problems that haven't been fixed yet. Apple's product security page is a joke in comparison. This is one of many instances where Apple's inclination towards utter secrecy seriously harms their customers.

(For another oranges-to-oranges comparison, consider the response of both companies to the Kaminsky DNS vulnerability. Microsoft worked with Kaminsky and other vendors, and released a patch and advisory within three months. Apple didn't get around to fixing the issue until two months after the Microsoft patch.)

Here's an example of the advisory Apple could have published prior to the release of Snow Leopard:

Apple has recently become aware of several vulnerabilities in the Adobe Flash Player browser plugin, which ships with Mac OS X Snow Leopard. Adobe has released version 10.0.32.18 of the Flash Player to address these vulnerabilities. Unfortunately, this release came too late to be integrated into the shipping version of Mac OS X Snow Leopard. If you install Mac OS X Snow Leopard onto your existing Mac OS X volume, your system will contain the vulnerable plugin even if you previously installed the appropriate patch.

At the time of writing, Apple had no knowledge of any existing exploits for the vulnerabilities patched in Flash Player 10.0.32.18. However, given the prevalence of automated analysis tools, it is not beyond the realm of imagination that such exploits could exist. Depending on your (or your organization's) tolerance for risk, you may find it necessary to mitigate this issue. Several options exist, including:

  • Turning off web plugins in your browser, until Apple tests and releases a patch for the vulnerable plugin
  • Downloading and installing Flash Player 10.0.32.18 from Adobe.com

Apple is currently in the process of testing Flash Player 10.0.32.18. It will be available via Software Update once Apple feels it meets our standard of quality for software patches.

You can keep track of the latest developments by reading http://www.apple.com/support/security.
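The advisory above warns that installing Snow Leopard over an existing volume can leave the old plugin in place even on a previously patched machine, so the one check worth running is "which Flash version is actually installed, and is it older than 10.0.32.18?" The script below is an added example, not part of the original post or anything Apple or Adobe published; the plugin path and the CFBundleShortVersionString key are assumptions about the Snow Leopard era layout, and the sample versions fed to it are constructed.

```shell
#!/bin/sh
# Added example: compare the installed Flash Player plugin version against the
# fixed release named in the advisory. Path and plist key are assumptions.
FIXED_VERSION="10.0.32.18"
PLUGIN_PLIST="/Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist"

# Numeric, component-by-component comparison of two dotted version strings
# (plain string comparison would rank 10.0.32.9 above 10.0.32.18).
# Prints -1, 0 or 1 when $1 is older than, equal to or newer than $2.
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        x="${x:-0}"; y="${y:-0}"      # missing trailing components count as 0
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# True (exit 0) when the given version predates the fixed release.
flash_is_vulnerable() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" -eq -1 ]
}

# Read the installed plugin version from its Info.plist (macOS only);
# prints "none" when the plugin or the defaults tool is absent.
installed_flash_version() {
    if [ -f "$PLUGIN_PLIST" ] && command -v defaults >/dev/null 2>&1; then
        defaults read "${PLUGIN_PLIST%.plist}" CFBundleShortVersionString 2>/dev/null
    else
        echo none
    fi
}

# Turn a version into the status line an administrator wants to see.
flash_status() {
    case "$1" in
        none) echo "Flash Player plugin not found: nothing to patch" ;;
        *) if flash_is_vulnerable "$1"; then
               echo "VULNERABLE: $1 installed; install $FIXED_VERSION from Adobe.com or disable web plugins"
           else
               echo "OK: $1 is at or above $FIXED_VERSION"
           fi ;;
    esac
}

flash_status "$(installed_flash_version)"   # the live check on this machine
flash_status "10.0.22.87"                    # constructed older version, for illustration
```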

As Gruber acknowledges, "Flash, whether we like it or not, is part of the system". What Gruber fails to acknowledge is that when Apple adds a piece to the system, it accepts the responsibility of keeping customers safe from any vulnerabilities in that new piece. If Apple expects to be taken seriously as a vendor of secure software, it needs to grow up and communicate with its customers.

Posted by Jeffrey at September 4, 2009 11:52 PM