Apple bans outdated Adobe Flash plugins from Safari


Last week, Apple showed that it is getting more serious about security by turning all strict about the version of Flash you’re allowed to use in Safari.

OS X users received an automatic update via Apple’s basic threat protection system, Xprotect, to lock old Flash player plugins out of your browser. If your browser is Safari, of course.

The idea is simple, and a good one.

Once Apple thinks you’ve had enough time to get around to updating Flash (two days in the case of the most recent update), it issues a new Xprotect signature that pretty much forces your hand.

Presumably (and we don’t know, because this is the first time Apple has done this for Flash, though it did something similar for Java back in January 2013), the amount of time you get before Apple drops the hammer will vary depending on the apparent risk.

The most recent update was an emergency fix for an in-the-wild exploit that was being used against both Windows and Mac users.

Two days to patch an at-risk computer that you use for browsing is brisk, but nevertheless seems pretty reasonable to me.

According to Apple’s notification, the Xprotect update turned up on 28 Feb 2013, and produces a warning like this inside the window that Flash is trying to use:

Clicking on it takes you to an OS X supplied dialog that explains more:

From here, of course, at least as things stand today), there’s not much that Apple and OS X can do except to shovel you into Adobe’s update process, so, as Apple explains, the dialog doesn’t achieve much more than taking you to Adobe’s Flash Player installer website.

You have to complete the necessary process yourself:

As I’ve mentioned previously, Adobe’s update process is straightforward, but mildly intrusive, as it requires you to shut down many applications, including the browser from which you got to Adobe’s download page in the first place.

If you back off at this point so you can come back later when it’s more convenient, Adobe will will re-download the whole installer, which is a further annoyance for those on the road, who may be paying over the odds for bandwidth.

But it works, and it’s worth doing: Flash, like Java, is a popular, multi-platform attack vector for the Bad Guys, with three updates in February 2013 alone (on the seventh, the twelfth and the 26th of the month).

Don’t forget that you can check whether you have Flash active in your browser, and, if so, what version you are using by visiting Adobe’s Flash/About page.

This also handily shows you what versions are current on which platforms:

Solaris users will be surely be happy to note they’re still on the list, albeit a couple of point releases behind.