More on the Snow Leopard / Old Flash Brouhaha

(Updated 9:30pm ET: See updates, inline below.)

Jeffrey Czerniak, responding to my “What exactly should Apple have done?” question:

John Gruber’s latest piece of Apple apologetics concerns the fact that Apple shipped a known-vulnerable version of Adobe Flash Player on the Snow Leopard DVD. He has the gall to ask those of us who consider this a bad thing,

But what exactly should Apple have done?

Gruber apparently considers the possibility of postponing the release of Snow Leopard in order to coordinate with Adobe to be unreasonable. If postponing Snow Leopard is out-of-bounds, then I have another suggestion:

Apple could have issued a security advisory.

Is it possible in the run-up to going GM that a serious issue could be discovered that would warrant postponing the release of a major OS update? Sure. That’s exactly why GM releases aren’t rushed. Is this Flash situation such an issue? I believe not — and have seen no evidence that it is.

As for Apple issuing a security advisory, sure, that would be nice. But that’s not how Apple rolls. Apple’s policy on security issues is not to publicize them until a software update resolves them. It is not unreasonable to disagree completely with this policy, but I think Apple is quite happy with how it has worked for them so far, so don’t hold your breath waiting for it to change.

If you already had the latest version of Flash installed, why didn’t the Snow Leopard installer do the right thing?

Mike Ash (on Twitter here, here, here, etc.) argues that the problem is specifically that the installer downgrades Flash for users who had manually upgraded to the latest version of Flash while on 10.5. (Please forgive his terseness, given Twitter’s constraints.)

I don’t agree that Apple should have included an eight-day-old version of Flash in the Snow Leopard installer, or that they should have postponed Snow Leopard’s release in order to include it. I do have sympathy for arguments such as Ash’s that the installer should not replace a newer version of a component with an older one.

And there is a good technical question (one which, alas, my research has left unanswered) as to why this doesn’t actually work the way Ash and others expected. The Mac OS X Installer system relies on “bill of materials” (bom) files. From the bom man page:

The Mac OS X Installer uses a file system “bill of materials” to determine which files to install, remove, or upgrade. A bill of materials, bom, contains all the files within a directory, along with some information about each file. File information includes: the file’s UNIX permissions, its owner and group, its size, its time of last modification, and so on. Also included are a checksum of each file and information about hard links.

The bill of materials for installed packages are found within the package receipts located in /Library/Receipts.

In theory, the Snow Leopard installer could look at Flash’s bom and, if the installed version is greater than the version in the installer, leave it alone. I don’t know why it doesn’t work this way. Perhaps the bom files left behind by Adobe’s Flash installer aren’t in the right format. Perhaps (and this is my guess) the installers for major OS releases don’t check these things for components in the “Essentials” and “BaseSystem” installer packages. (Flash, along with all the other default items in the /Library/Internet Plug-Ins/ folder, is part of the Essentials package.)

Yesterday, as a hypothetical example, I wrote:

That’s just how the installer works. The same is true for any component you manually upgrade. Like, say, if you overwrote the system version of Python with version 2.6.2 — when you upgrade to Snow Leopard, the installer will give you the system standard version (2.6.1).

Turns out I picked a bad example, because that isn’t true. DF reader Jonathan Lundell emailed me to report that he had in fact upgraded his system version of Python to version 2.6.2 while on Mac OS X 10.5.8, and, after upgrading to Snow Leopard, he still had version 2.6.2 installed, not the Snow Leopard default version 2.6.1.

Update 1: Correction, I was right after all. Lundell’s personally updated version of Python 2.6.2 was, and still is, in /usr/local/bin/. The system version of Python (version 2.6.1) is right where it should be, in /usr/bin/. The confusion arose because he checked the version simply by typing “python -V” rather than specifying the full path /usr/bin/python at the command prompt.
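The check that would have avoided this confusion is to compare what `python` resolves to on PATH against the explicit system path. This is an added example, not code from the post: it rebuilds Lundell’s layout (a constructed 2.6.2 stub in usr/local/bin ahead of a constructed 2.6.1 stub in usr/bin) inside a temporary directory and reports both answers side by side.

```python
import os
import shutil
import stat
import subprocess
import tempfile


def make_stub(path, version):
    """Write a tiny executable that answers `-V` the way an interpreter would (constructed stand-in)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(f"#!/bin/sh\necho 'Python {version}'\n")
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)


def reported_version(interpreter):
    """Run `<interpreter> -V` and return the version line it prints."""
    proc = subprocess.run([interpreter, "-V"], capture_output=True, text=True)
    return (proc.stdout + proc.stderr).strip()  # Python 2 printed -V to stderr, so merge both


def compare_python_versions(path_env, system_python="/usr/bin/python"):
    """Return (binary found on PATH, its version, system binary, its version).

    `python -V` answers for whichever binary is first on PATH, which need not be
    the system interpreter that the OS installer manages.
    """
    on_path = shutil.which("python", path=path_env)
    return on_path, reported_version(on_path), system_python, reported_version(system_python)


def demo_lundell_case():
    """Recreate the correction above in a temp dir: 2.6.2 in usr/local/bin,
    2.6.1 in usr/bin, with usr/local/bin listed first on PATH."""
    root = tempfile.mkdtemp()
    local_bin = os.path.join(root, "usr", "local", "bin")
    system_bin = os.path.join(root, "usr", "bin")
    make_stub(os.path.join(local_bin, "python"), "2.6.2")
    make_stub(os.path.join(system_bin, "python"), "2.6.1")
    result = compare_python_versions(os.pathsep.join([local_bin, system_bin]),
                                     os.path.join(system_bin, "python"))
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    on_path, v_path, system, v_sys = demo_lundell_case()
    print(f"python on PATH -> {on_path}: {v_path}")
    print(f"system python  -> {system}: {v_sys}")
```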

(As for why the Mac OS X Installer might be designed to overwrite components like Flash in this regard, consider the following hypothetical. What if the very latest version of Flash worked just fine on Leopard but did not work on Snow Leopard? That is apparently not the case, but, what if it were? (And don’t tell me it’s not possible.) In that case, if the OS installer worked as Ash and others desire, after upgrading to Snow Leopard you’d have a system where Flash did not work at all. Some might reasonably argue that they would prefer a broken version of Flash to a potentially vulnerable one, but the whole point of the components in the Essentials package is that Apple considers them, well, essential. The installer logic for these “essential” components might reasonably be that it installs its own known version, regardless of what is on the disk being upgraded. Why Flash is considered essential, however, is a good question.)

Which vulnerabilities apply to Flash version 10.0.23.1?

Finally, I’ve been trying to research exactly which vulnerabilities exist in the version of Flash that shipped with Snow Leopard 10.6.0, but have come up empty. There are three versions of Flash to keep in mind:

  • 10.0.32.18 - Adobe’s current release of Flash 10.
  • 10.0.23.1 - the version that shipped with Snow Leopard 10.6.0.
  • 10.0.22.87 - the version of Flash identified as having “critical vulnerabilities”.¹

Adobe’s security bulletins and advisories page lists four advisories for Flash Player 10. One dates back to February and is no longer relevant; the other three were from late July. One of the July advisories is specific to Internet Explorer on Windows. The other two apply to Windows, Mac OS X, and Linux.

Advisory APSA09-03, dated July 22, 2009, states:

A critical vulnerability exists in the current versions of Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2009-1862) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild via limited, targeted attacks against Adobe Reader v9 on Windows. [...]

Security bulletin APSB09-10, dated July 30, 2009, states:

Critical vulnerabilities have been identified in the current versions of Adobe Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX operating systems. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends users of Adobe Flash Player 9.x and 10.x and earlier versions update to Adobe Flash Player 9.0.246.0 and 10.0.32.18.

In both advisories, the “affected software versions” are listed as “Adobe Flash Player 9.0.159.0 and 10.0.22.87 and earlier 9.x and 10.x versions”. So both advisories name version 10.0.22.87 as vulnerable and recommend updating to version 10.0.32.18. But version 10.0.23.1 is not mentioned at all.

Is version 10.0.23.1 susceptible to the same “critical vulnerabilities” as version 10.0.22.87? I can’t find any version information about Flash 10.0.23.1 whatsoever. Version 10.0.23.1 might have all, some, or none of the vulnerabilities in version 10.0.22.87. I don’t know.
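The gap described above can be made mechanical: the advisories give a ceiling (“10.0.22.87 and earlier”) and a fixed release (10.0.32.18), and 10.0.23.1 sits between them. This added example (not from the post or from Adobe) encodes exactly those ranges from the two advisories quoted here and classifies the three versions in the list; treating anything at or above the fixed release as “fixed” is an assumption of this snippet, since later advisories could name new issues.

```python
import re

# Ranges quoted from APSA09-03 / APSB09-10 above: "9.0.159.0 and 10.0.22.87
# and earlier 9.x and 10.x versions" are affected; these releases carry the fix.
AFFECTED_CEILING = {9: (9, 0, 159, 0), 10: (10, 0, 22, 87)}
FIXED_RELEASE = {9: (9, 0, 246, 0), 10: (10, 0, 32, 18)}


def parse_version(text):
    """Turn a four-part Flash version string into a comparable tuple of ints."""
    if not re.fullmatch(r"\d+(\.\d+){3}", text):
        raise ValueError(f"unexpected Flash version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def classify(text):
    """Return 'affected', 'fixed', 'undocumented' or 'unlisted-major'.

    'undocumented' is the case the advisories leave open: newer than the last
    version they name as vulnerable, older than the release that carries the fix.
    Tuple comparison is lexicographic, so 10.0.23.1 > 10.0.22.87 < 10.0.32.18.
    """
    version = parse_version(text)
    major = version[0]
    if major not in AFFECTED_CEILING:
        return "unlisted-major"
    if version <= AFFECTED_CEILING[major]:
        return "affected"
    if version >= FIXED_RELEASE[major]:  # assumption: nothing newer is known-bad
        return "fixed"
    return "undocumented"


def verdict(text):
    """One-line status plus the release the advisory tells users to move to."""
    major = parse_version(text)[0]
    target = ".".join(map(str, FIXED_RELEASE.get(major, ()))) or "n/a"
    return f"{text}: {classify(text)}; advisory-recommended release {target}"


if __name__ == "__main__":
    # The three versions from the list above, plus the pre-fix 9.x release.
    for v in ("10.0.32.18", "10.0.23.1", "10.0.22.87", "9.0.159.0"):
        print(verdict(v))
```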

The only mention by Adobe of the Snow Leopard version of Flash is this post by Tom Barclay on the Adobe Flash Platform blog, which reads, in its entirety:

The initial release of Mac OS X 10.6 (Snow Leopard) includes an earlier version of Adobe Flash Player than what is available from Adobe.com. We recommend all users update to the latest, most secure version of Flash Player (10.0.32.18) — which supports Snow Leopard and is available for download from http://www.adobe.com/go/getflashplayer.

So, yes, Adobe explicitly recommends upgrading to 10.0.32.18, but makes no mention of any specific problems with 10.0.23.1.

Update 2: Via Twitter, Dj Walker-Morgan reports that version 10.0.23.1 is the same version of Flash that shipped with the June WWDC seed of Snow Leopard, so it almost certainly does not contain the fixes for the issues Adobe disclosed in July.


  1. 10.0.22.87 is, in fact, still the standard version of Flash in Mac OS X 10.5.8. ↩︎