September 5, 2009
I gots my magic underpants
John Gruber, as well as a good friend, has challenged my claim that 10.0.23.1 is known to be vulnerable. It's true, I don't have definitive evidence of this claim. (If someone would give me a valid Secunia login, or buy me a copy of Immunity Canvas or Core Impact, I could clear things up a lot faster.) But we can infer quite a bit from a timeline of known events:
- August 25, 2008 -- Adobe is notified of the bug known as CVE-2009-1864, which will eventually be patched in 10.0.32.18.
- February 24, 2009 -- Flash Player 10.0.22.87 released.
- April 9, 2009 -- Adobe is notified of the bug known as CVE-2009-1868, which will eventually be patched in 10.0.32.18.
- May 4, 2009 -- The special Snow Leopard build of Flash Player 10.0.23.1 is built. (Source: creation date of the plugin on 10.6.0)
- May 11, 2009 -- Adobe tells the discoverer of CVE-2009-1864 that they expect the bug to be fixed in an August release.
- May 22, 2009 -- Flash Player 10.0.23.1 is codesigned. (Source: creation date of the code signature)
- July 22, 2009 -- Adobe released an "oh shit the sky is falling" advisory that says that a bug by the name of CVE-2009-1862 is being exploited in-the-wild on Windows.
- July 23, 2009 -- Adobe locks down information about this bug in their bug tracker. Apparently Adobe knew about this bug before, but didn't classify it as a security bug until it was a security disaster out in-the-wild.
- July 30, 2009 -- Adobe releases an out-of-band patch for Flash Player due to the severity of the 0-day threat. This patch, 10.0.32.18, also resolves 8 other multi-platform vulnerabilities, and three Windows-specific vulnerabilities.
- July 31, 2009 -- Apple builds Darwin 10.0.0, the kernel inside Mac OS X Snow Leopard 10.6.0, internal version number 10A432. (Source: uname -a)
- Early August 2009 -- Apple designates 10A432 the "golden master" version that will ship on the retail discs.
- August 12, 2009 -- Apple starts seeding 10A432 to developers.
- August 28, 2009 -- Snow Leopard is available to the general public.
Put your Spongebob Squarepants underroos on and go back to bed, and don't worry, because nothing in the big bad world is going to harm you.
The more mature way to read this is "Apple screwed up".
Posted by Jeffrey at September 5, 2009 9:08 PM

