September 5, 2009
I gots my magic underpants
John Gruber, as well as a good friend, has challenged my claim that 10.0.23.1 is known to be vulnerable. It's true, I don't have definitive evidence of this claim. (If someone would give me a valid Secunia login, or buy me a copy of Immunity Canvas or Core Impact, I could clear things up a lot faster.) But we can infer quite a bit from a timeline of known events:
- August 25, 2008 -- Adobe is notified of the bug known as CVE-2009-1864, which will eventually be patched in 10.0.32.18.
- February 24, 2009 -- Flash Player 10.0.22.87 released.
- April 9, 2009 -- Adobe is notified of the bug known as CVE-2009-1868, which will eventually be patched in 10.0.32.18.
- May 4, 2009 -- The special Snow Leopard build of Flash Player 10.0.23.1 is built. (Source: creation date of the plugin on 10.6.0)
- May 11, 2009 -- Adobe tells the discoverer of CVE-2009-1864 that they expect the bug to be fixed in an August release.
- May 22, 2009 -- Flash Player 10.0.23.1 is codesigned. (Source: creation date of the code signature)
- July 22, 2009 -- Adobe released an "oh shit the sky is falling" advisory that says that a bug by the name of CVE-2009-1862 is being exploited in-the-wild on Windows.
- July 23, 2009 -- Adobe locks down information about this bug in their bug tracker. Apparently Adobe knew about this bug before, but didn't classify it as a security bug until it was a security disaster out in-the-wild.
- July 30, 2009 -- Adobe releases an out-of-band patch for Flash Player due to the severity of the 0-day threat. This patch, 10.0.32.18, also resolves eight other multi-platform vulnerabilities and three Windows-specific vulnerabilities.
- July 31, 2009 -- Apple builds Darwin 10.0.0, the kernel inside Mac OS X Snow Leopard 10.6.0, internal version number 10A432. (Source: uname -a)
- Early August 2009 -- Apple designates 10A432 the "golden master" version that will ship on the retail discs.
- August 12, 2009 -- Apple starts seeding 10A432 to developers.
- August 28, 2009 -- Snow Leopard is available to the general public.
Put your Spongebob Squarepants underroos on and go back to bed, and don't worry, because nothing in the big bad world is going to harm you.

The more mature way to read this is "Apple screwed up".
Posted by Jeffrey at 9:08 PM | Comments (0)
September 4, 2009
Don't call it a comeback
John Gruber's latest piece of Apple apologetics concerns the fact that Apple shipped a known-vulnerable version of Adobe Flash Player on the Snow Leopard DVD. He has the gall to ask those of us who consider this a bad thing,

"But what exactly should Apple have done differently?"

Gruber apparently considers the possibility of postponing the release of Snow Leopard in order to coordinate with Adobe to be unreasonable. If postponing Snow Leopard is out-of-bounds, then I have another suggestion: Apple could have posted a security advisory. This is not unprecedented, of course. Companies routinely issue recalls and then post press releases so that the public is properly informed of the risk to which they've been subjected. Banquet alerts customers when it ships tainted pot pies, Starbucks alerts customers when it ships dangerous coffee bean grinders... hell, Microsoft even posts advisories when its customers are vulnerable to 0-day attacks for which no patch is available.

If you compare Apple's product security page to Microsoft's, you quickly see how seriously Microsoft takes informing its customers. (Yes, I realize that they've come a long way, but they deserve a bunch of credit.) Microsoft gives customers advance notice that security patches are coming, gives a reasonable amount of detail about what gets patched in each update, and, as noted above, does its best to alert customers to appropriate mitigation steps when it knows about critical problems that haven't been fixed yet. Apple's product security page is a joke in comparison. This is one of many instances where Apple's inclination towards utter secrecy seriously harms its customers. (For another oranges-to-oranges comparison, consider the response of both companies to the Kaminsky DNS vulnerability. Microsoft worked with Kaminsky and other vendors, and released a patch and advisory within three months. Apple didn't get around to fixing the issue until two months after the Microsoft patch.)
Here's an example of the advisory Apple could have published prior to the release of Snow Leopard:

Apple has recently become aware of several vulnerabilities in the Adobe Flash Player browser plugin, which ships with Mac OS X Snow Leopard. Adobe has released version 10.0.32.18 of the Flash Player to address these vulnerabilities. Unfortunately, this release came too late to be integrated into the shipping version of Mac OS X Snow Leopard, which installs version 10.0.23.1. If you install Mac OS X Snow Leopard onto your existing Mac OS X volume, the installer will replace your Flash Player plugin with the vulnerable version, even if you had previously installed the appropriate patch. At the time of writing, Apple has no knowledge of any existing exploits for these vulnerabilities on Mac OS X. However, given the prevalence of automated analysis tools (diffing the patched plugin against the unpatched one points directly at the fixed code), it is not beyond the realm of imagination that such exploits could exist. Depending on your (or your organization's) tolerance for risk, you may find it necessary to mitigate this issue. Several options exist, including:
- Turning off web plugins in your browser, until Apple tests and releases a patch for the vulnerable plugin
- Downloading and installing Flash Player 10.0.32.18 from Adobe.com

Apple is currently in the process of testing Flash Player 10.0.32.18. It will be available via Software Update once it meets our standard of quality for software patches. You can keep track of the latest developments by reading http://www.apple.com/support/security.

As Gruber acknowledges, "Flash, whether we like it or not, is part of the system". What Gruber fails to acknowledge is that when Apple adds a piece to the system, it accepts the responsibility of keeping customers safe from any vulnerabilities in that new piece. If Apple expects to be taken seriously as a vendor of secure software, it needs to grow up and communicate with its customers.
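The advisory tells a reader to compare what is installed against 10.0.32.18, and the upgrade-downgrades-the-plugin case means the comparison has to be made after the Snow Leopard install, not before. The script below is an added example of that check; it is not code from the original post, and nothing like it was published by Apple or Adobe. It assumes the plugin lives at /Library/Internet Plug-Ins/Flash Player.plugin and that its Info.plist records the version under CFBundleVersion; both are assumptions. The sample plist it runs against is constructed inline so the script runs anywhere.

```shell
#!/bin/sh
# Added example, not code from the original post or from Apple/Adobe.
# Checks whether an installed Flash Player plugin is older than the fixed
# build 10.0.32.18 named in the advisory above. Assumed (not verified):
# the plugin path below, and that Info.plist stores the version under
# CFBundleVersion.

FIXED_VERSION="10.0.32.18"
PLUGIN_PLIST="/Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist"

# version_lt A B: succeed (return 0) if dotted version A is older than B.
# Components are compared numerically, so 10.0.23.1 < 10.0.32.18 even though
# a plain string compare gets "23" vs "32" right only by luck and would get
# "9" vs "10" wrong; a missing trailing component counts as 0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then return 0; fi
        if [ "$ah" -gt "$bh" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
}

# plist_bundle_version FILE: print the CFBundleVersion string from an XML
# Info.plist (the <string> on the line after the key), or nothing if absent.
plist_bundle_version() {
    awk '/<key>CFBundleVersion<\/key>/ {
            getline
            gsub(/<\/?string>|[[:space:]]/, "")
            print
            exit
         }' "$1"
}

# flash_is_vulnerable PLIST: print a verdict; return 0 if the plugin needs
# updating, 1 if it is at or past FIXED_VERSION, 2 if no version was found.
flash_is_vulnerable() {
    ver="$(plist_bundle_version "$1")"
    if [ -z "$ver" ]; then
        echo "unknown: no CFBundleVersion in $1"
        return 2
    fi
    if version_lt "$ver" "$FIXED_VERSION"; then
        echo "vulnerable: $ver is older than $FIXED_VERSION"
        return 0
    fi
    echo "patched: $ver"
    return 1
}

# make_sample_plist VERSION: write a constructed Info.plist (not a real
# Adobe file) carrying VERSION to a temp file and print its path.
make_sample_plist() {
    f="$(mktemp)"
    cat > "$f" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleName</key>
    <string>Flash Player</string>
    <key>CFBundleVersion</key>
    <string>$1</string>
</dict>
</plist>
EOF
    echo "$f"
}

# Demo on a constructed sample carrying the version Snow Leopard 10.6.0 ships.
SAMPLE_PLIST="$(make_sample_plist 10.0.23.1)"
flash_is_vulnerable "$SAMPLE_PLIST"
rm -f "$SAMPLE_PLIST"

# On a real Mac, also check the installed plugin if it is present.
if [ -f "$PLUGIN_PLIST" ]; then
    if flash_is_vulnerable "$PLUGIN_PLIST"; then
        echo "Update Flash Player from Adobe.com or disable web plugins."
    fi
fi
```

Run it once before and once after the Snow Leopard install: the second run is the one that matters, since the installer puts 10.0.23.1 back regardless of what was there. The version comparison is written out by hand because the BSD sort on Mac OS X has no -V option, and a string comparison of version numbers is exactly the kind of shortcut that reports a patched system as vulnerable, or worse.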
Posted by Jeffrey at 11:52 PM | Comments (0)

