As high profile hacks of Apple products have surfaced again and again in recent years, Apple has been taken to task for what some say is an incompetent approach to software security. But the company's latest software slip-up seems to show something more than security incompetency: security apathy.
On Thursday, security researchers at Sophos revealed that Apple's new operating system, Snow Leopard, bundles an older version of Adobe's Flash Player that contains a known vulnerability allowing attackers to install malicious software on the user's machine. Adobe had fixed the flaw in more recent versions of the plugin, but installing Snow Leopard replaces the patched plugin with the vulnerable build, re-exposing users regardless of whether they had previously applied Adobe's update.
"Mac users who have been diligent enough to keep their security up-to-date do not deserve to be silently downgraded," chastised Sophos researcher Graham Cluley in his blog, pointing to the many recent attacks targeting the Adobe flaws Apple left unpatched. "It's vital … that operating system manufacturers do not reduce their customers' level of security without warning."
The faux pas is far from the first time Apple--which didn't respond to a request for comment--has demonstrated a sloppy approach to patching. Last May, security researchers revealed that Apple had shipped an unpatched version of Java in Mac OS X. Although Java's maker, Sun Microsystems, had fixed it six months earlier, the version Apple shipped still contained a bug that would allow an attacker to take control of a user's browser regardless of the operating system, according to IT security researcher and blogger Julien Tinnes. Even after receiving widespread media attention, Apple took nearly a month to fix the vulnerability.
Before this Adobe mishap, Apple's most recent security flap surrounded a flaw in its iPhone text messaging software. That bug, according to security researcher and perennial Mac hacker Charlie Miller, would have allowed a cybercriminal to take control of a phone with a string of text messages and use it to propagate more infectious texts, potentially spreading the attack virally. Although Apple took more than a month to patch the flaw after Miller disclosed it, the company issued a patch just a day after Miller presented the flaw at the hacker conference Black Hat in July.
But Miller points to a more egregious example of Apple security insouciance in his exploit of a MacBook Air in the Pwn2Own security contest in March of last year. Miller used a flaw in Safari to take control of a MacBook Air in under two minutes. He later discovered that the bug he'd used, a vulnerability in the open-source regular-expression library known as PCRE, had been patched long before--but the fix had never been picked up in Safari. "It'd be one thing if they had an undiscovered bug hidden deep in their code that they didn't know about," says Miller. "But this sort of stuff is just managing open source software in your product, keeping it up to date. It doesn't take a security expert to do it, and it's kind of disappointing that Apple doesn't."
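The common thread in the Flash, Java and PCRE cases is that an update regressed a bundled component to a version older than the one already installed, with no warning to the user. The following Python script is an added example, not code from the article, Sophos, Apple or Adobe: it compares an inventory of component versions taken before an upgrade with one taken after, flags anything that went backwards or fell below a known-patched floor, and compares versions numerically so that strings such as `1.6.0_15` versus `1.6.0_7` are ordered correctly (plain string comparison gets that backwards). The component names, version strings and patched-version floor are constructed sample data, not the actual versions involved in these incidents.

```python
"""Post-upgrade regression check for bundled third-party components.

Added example (not from the article): given a snapshot of component
versions taken before an OS upgrade and one taken after, flag any
component that was silently downgraded or that now sits below a
known-patched minimum version.  All inventories and floors below are
constructed sample data, not the real versions from the incidents
described in the text.
"""
import re


# Split a dotted/underscored version into a tuple of ints, e.g.
# "10.0.32.18" -> (10, 0, 32, 18) and "1.6.0_15" -> (1, 6, 0, 15).
# Parsing stops at the first component with no leading digits.
def parse_version(version):
    numbers = []
    for part in re.split(r"[._-]", version.strip()):
        match = re.match(r"\d+", part)
        if not match:
            break
        numbers.append(int(match.group()))
    return tuple(numbers)


# Compare two version strings numerically: -1 if a < b, 0 if equal, 1 if a > b.
# Shorter tuples are padded with zeros so "10.0" equals "10.0.0".
# Plain string comparison orders "1.6.0_15" before "1.6.0_7" because it
# compares the characters "1" and "7"; numeric comparison does not.
def compare_versions(a, b):
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


# Constructed sample inventories: component name -> version string.
BEFORE_UPGRADE = {
    "Flash Player": "10.0.32.18",  # user had applied the vendor update
    "Java": "1.6.0_7",
    "PCRE": "7.9",
    "Safari": "4.0.3",
}
AFTER_UPGRADE = {
    "Flash Player": "10.0.23.1",   # installer replaced it with an older build
    "Java": "1.6.0_15",            # a genuine upgrade; must not be flagged
    "PCRE": "7.9",
    "Safari": "4.0.3",
}

# Constructed minimum versions that carry the relevant fixes.  In practice
# these come from the vendor advisories for each component.
PATCHED_FLOOR = {
    "Flash Player": "10.0.32.18",
    "Java": "1.6.0_13",
}


# Return a list of (component, problem, expected, actual) tuples.
def find_regressions(before, after, floor):
    findings = []
    for name, new_version in after.items():
        old_version = before.get(name)
        if old_version is not None and compare_versions(new_version, old_version) < 0:
            findings.append((name, "downgraded", old_version, new_version))
        minimum = floor.get(name)
        if minimum is not None and compare_versions(new_version, minimum) < 0:
            findings.append((name, "below patched floor", minimum, new_version))
    # A component that vanished is also worth a look: it may have been
    # replaced by something the inventory does not know how to identify.
    for name in before:
        if name not in after:
            findings.append((name, "missing after upgrade", before[name], None))
    return findings


if __name__ == "__main__":
    for component, problem, expected, actual in find_regressions(
            BEFORE_UPGRADE, AFTER_UPGRADE, PATCHED_FLOOR):
        print(f"{component}: {problem} (expected >= {expected}, found {actual})")
```

On a real system the two inventories would be collected from the installed components' own version metadata (on Mac OS X, the version fields in each bundle's Info.plist) immediately before and after the upgrade; the comparison logic does not depend on how they are gathered. The useful property is that the check runs on the user's machine against what was actually installed, so a vendor shipping an old build is caught even when the vendor never announces it.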
Apple, of course, hasn't faced the real-world security threats that other platforms have dealt with. In fact, even as the company has gained market share, its PCs are still used by a small enough segment of users that the number of malware samples targeting Apple software has remained small and even shrunk, according to data from cybersecurity firm F-Secure late last year.
But that scarcity of attacks may have lulled Apple into complacency, given that any determined hacker could use the publicly known flaws to launch identity theft attempts. The fact that those attacks happen only rarely, says Miller, is little comfort to vulnerable users. "When I'm using my Mac laptop with Snow Leopard at the airport," he says, "it definitely doesn't make me feel any more confident."