Apple bans outdated Adobe Flash plugins from Safari


Last week, Apple showed that it is getting more serious about security by turning all strict about the version of Flash you're allowed to use in Safari.

OS X users received an automatic update via Apple's basic threat protection system, Xprotect, to lock old Flash player plugins out of your browser. If your browser is Safari, of course.

The idea is simple, and a good one.

Once Apple thinks you've had enough time to get around to updating Flash (two days in the case of the most recent update), it issues a new Xprotect signature that pretty much forces your hand.

Presumably (and we don't know, because this is the first time Apple has done this for Flash, though it did something similar for Java back in January 2013), the amount of time you get before Apple drops the hammer will vary depending on the apparent risk.

The most recent update was an emergency fix for an in-the-wild exploit that was being used against both Windows and Mac users.

Two days to patch an at-risk computer that you use for browsing is brisk, but nevertheless seems pretty reasonable to me.

According to Apple's notification, the Xprotect update turned up on 28 Feb 2013, and produces a warning like this inside the window that Flash is trying to use:

Clicking on it takes you to an OS X supplied dialog that explains more:

From here, of course (at least as things stand today), there's not much that Apple and OS X can do except to shovel you into Adobe's update process, so, as Apple explains, the dialog doesn't achieve much more than taking you to Adobe's Flash Player installer website.

You have to complete the necessary process yourself:

As I've mentioned previously, Adobe's update process is straightforward, but mildly intrusive, as it requires you to shut down many applications, including the browser from which you got to Adobe's download page in the first place.

If you back off at this point so you can come back later when it's more convenient, Adobe will re-download the whole installer, which is a further annoyance for those on the road, who may be paying over the odds for bandwidth.

But it works, and it's worth doing: Flash, like Java, is a popular, multi-platform attack vector for the Bad Guys, with three updates in February 2013 alone (on the seventh, the twelfth and the 26th of the month).

Don't forget that you can check whether you have Flash active in your browser, and, if so, what version you are using by visiting Adobe's Flash/About page.

This also handily shows you what versions are current on which platforms:

Solaris users will surely be happy to note they're still on the list, albeit a couple of point releases behind.
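The kind of minimum-version gate described in this article, sketched as an added example (not Apple's code and not part of the original post): a plug-in whose bundle version is below a published minimum is refused. The metadata layout, its key names, the `make_info` helper and the version numbers are assumptions constructed for the illustration.

```python
import plistlib

FLASH_ID = "com.macromedia.Flash Player.plugin"  # assumed bundle identifier

# Constructed stand-in for a signature file that carries a minimum plug-in
# version. Layout and key names are assumptions; the version is a placeholder.
SAMPLE_META = plistlib.dumps(
    {"PlugInBlacklist": {FLASH_ID: {"MinimumPlugInBundleVersion": "11.10.0.2"}}}
)


def make_info(version, bundle_id=FLASH_ID):
    """Build a constructed Info.plist for an installed plug-in."""
    return plistlib.dumps(
        {"CFBundleIdentifier": bundle_id, "CFBundleVersion": version}
    )


def parse_version(text):
    """Turn '11.10.0.2' into (11, 10, 0, 2); reject non-numeric fields."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_older(installed, minimum):
    """Compare field by field as integers, padding the shorter with zeros."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def plugin_verdict(meta_bytes, info_bytes):
    """Return 'block' or 'allow' for one plug-in against the minimum rules."""
    rules = plistlib.loads(meta_bytes).get("PlugInBlacklist", {})
    info = plistlib.loads(info_bytes)
    rule = rules.get(info.get("CFBundleIdentifier"))
    if rule is None:
        return "allow"  # no minimum published for this plug-in
    try:
        old = is_older(info.get("CFBundleVersion", ""),
                       rule["MinimumPlugInBundleVersion"])
    except ValueError:
        return "block"  # fail closed if the installed version is unreadable
    return "block" if old else "allow"
```

Comparing the fields as integers matters here: as plain strings, "11.9.900.1" sorts after "11.10.0.2", so a string comparison would let the older plug-in through.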


5 Responses to Apple bans outdated Adobe Flash plugins from Safari

  1. gmd · 948 days ago

    As Flash is not available through the App Store you have to go through all the rigmarole of authorising downloads from the internet that Apple has implemented security features against :-( Given this is how Flash has to be updated there is a lot of room here for malicious and false Adobe Flash updates, as most users just click mindlessly through the update Flash player messages when confronted with them :-(

    • JimboC_Security · 948 days ago

      Hi gmd,

      I think you are right; there is room for false/malicious update windows in this update process. We can only hope that people exercise caution and only update via the trusted method (mentioned by Paul above) and choose No when an update message pops up out of nowhere. Monitoring the Adobe PSIRT blog (and of course this Sophos blog) is how I know when a real Flash update is available:

      This is useful since if you are receiving an update message and Adobe hasn’t issued an update, you know it has to be false.

      I am just curious if the auto-updater for the Mac OS X version of Flash has been well received? For those on non-metered connections, do you find it works well for you? I am asking since such an auto-updater should eliminate the possibility of fake updates (please correct me if I am wrong).

      I applaud Apple for doing this since the last 3 Flash updates (2 of which were emergency, out of cycle updates) have fixed many critical flaws and using an out-dated version is a serious risk.

      Thank you.

  2. Anonymous · 948 days ago

    My interpretation is that Solaris is no longer being updated to patch security flaws (see the Linux description versus Solaris). I suspect, though, that very few Solaris users are still using their Solaris systems to access general sites on the greater Internet.

  3. 4caster · 948 days ago

    A thoroughly bad move. I prefer to download software updates at a time of my own choosing, not to be forced into it immediately upon start-up. My computer is no more vulnerable this morning than it was last night.
    When I switch it on, intending to make an urgent financial transaction before a deadline expires five minutes later, I do not expect Apple to have disabled the software I need.
    Fortunately I can use Firefox or Chrome as an alternative, but that means keeping bookmarks duplicated.

  4. jamie · 948 days ago

    more places should do what Apple does -- actually see people still running unpatched versions of Windows 98 --- yes that is right --- some people still use Windows 98 and think they never have to bother updating or even get any kind of security and some people know that do at least get some security only get the little free anti-virus thing that is nothing more than a fake but looks good --- some people have to be forced into common sense


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog