Apple Updates Anti-Malware Software to Block Older Versions of Adobe Flash Player Plug-in

[MacRumors]

As noted by Jim Dalrymple of The Loop, Apple today updated its malware definition file "Xprotect.plist" to block older versions of Adobe Flash Player in Safari. Versions of Flash that come before the latest 11.6.602.171 update will be automatically blacklisted.

Quote:

To help protect users from a recent vulnerability, Apple has updated the web plug-in-blocking mechanism to disable older versions of the web plug-in: Adobe Flash Player

The ban comes after a security bulletin issued by Adobe earlier this week, covering three different vulnerabilities and recommending an update to the newest version of Flash.

In recent weeks, Apple has aggressively used its anti-malware tools to enforce minimum plug-in versions in light of security issues affecting the software. Recent blocks have included a previous Flash Player update enforcement in early February, and several blocks of Oracle's Java 7 Web plug-in earlier this year.

Article Link: Apple Updates Anti-Malware Software to Block Older Versions of Adobe Flash Player Plug-in

[Yvan256]

The safest way is still to uncheck the "Enable plug-ins" and "Enable Java" options in Safari.

[tigres]

Quote:

Originally Posted by Yvan256

The safest way is still to uncheck the "Enable plug-ins" and "Enable Java" options in Safari.

uNless you actually need java, like some people- myself included.

[dwhittington]

Quote:

Originally Posted by tigres

uNless you actually need java, like some people- myself included.

Agreed. Same here.

[SirYossi]

Quote:

Originally Posted by MacRumors

Image


As noted by Jim Dalrymple of The Loop, Apple today updated its malware definition file "Xprotect.plist" to block older versions of Adobe Flash Player in Safari. Versions of Flash that come before the latest 11.6.602.171 update will be automatically blacklisted.

Image

The ban comes after a security bulletin issued by Adobe earlier this week, covering three different vulnerabilities and recommending an update to the newest version of Flash.

In recent weeks, Apple has aggressively used its anti-malware tools to enforce minimum plug-in versions in light of security issues affecting the software. Recent blocks have included a previous Flash Player update enforcement in early February, and several blocks of Oracle's Java 7 Web plug-in earlier this year.

Article Link: Apple Updates Anti-Malware Software to Block Older Versions of Adobe Flash Player Plug-in

just wish flash would just go away ti is always crashing the web and is a damm memory hog.

[nagromme]

Flash I still need... sometimes. ClickToFlash Safari extension to the rescue!

Java (at least in the browser where it's a problem) I don't need ever.

Security holes... I also don't need ever.

I like this peace of mind. Apple's system means I will be secure without having to think about it. And if I ever REALLY want to use an older, insecure Flash, I have Firefox or Chrome to fall back on.

[Moonjumper]

Blocking by default is OK, but I wish it still allowed me to make an exception. I didn't have time to update Flash this morning, but I wanted to watch a short video on the BBC website, but couldn't because it had been blocked.

I'm used to Gmail hiding the content of a suspicious email, but it still allows me the option to view it. This should be the behaviour regarding the plugin.

[FloatingBones]

Quote:

Originally Posted by tigres

uNless you actually need java, like some people- myself included.

Quote:

Originally Posted by dwhittington

Agreed. Same here.

What application are you running that computationally requires Java in the browser in order to run?

What are you doing to convey to the software vendor that it is urgent to upgrade their service to eliminate the need for Java in the browser?

[tigres]

Quote:

Originally Posted by FloatingBones

What application are you running that computationally requires Java in the browser in order to run?

What are you doing to convey to the software vendor that it is urgent to upgrade their service to eliminate the need for Java in the browser?

Banking.
Finance.

80% of our sites use it.

[iMikeT]

Welcome to yesterday MacRumors.

[FloatingBones]

Quote:

Originally Posted by tigres

Quote:

Banking.
Finance.

You don't understand the question. I'll rephrase: what is it about banking and finance that requires the computation be performed with Java in the browser?

As far as we can tell, it's simply a matter of complacency and laziness that is leaving your site with the risky implementation. You seem to not realize: apathy by businesses like yours is what is keeping this problem in place.

Are you perhaps hoping that Java will someday be secure?

[mohawkapple]

what exactly is java used for? I'm new to mac's also and not really sure how to enable or disable java lol
i do have flash player running on my mbp
thanks

[david shapiro]

Adobe FlashPlayer has been a pain lately.

[Amazing Iceman]

If it wasn't for a handful of sites I need to access that still require Flash, I would have already got rid of it. Same would apply to JAVA.
I really hope all sites start supporting HTML5/CSS3 soon.

----------

Quote:

Originally Posted by mohawkapple

what exactly is java used for? I'm new to mac's also and not really sure how to enable or disable java lol
i do have flash player running on my mbp
thanks

Well, it doesn't come preloaded with your MAC, so unless you manually installed it, you don't have it. Hopefully you may never need it.
Java is not the same as JavaScript, which is supported by Safari. No need to worry about JavaScript.

[podlasek]

Quote:

Originally Posted by FloatingBones

You don't understand the question. I'll rephrase: what is it about banking and finance that requires the computation be performed with Java in the browser?

As far as we can tell, it's simply a matter of complacency and laziness that is leaving your site with the risky implementation. You seem to not realize: apathy by businesses like yours is what is keeping this problem in place.

Are you perhaps hoping that Java will someday be secure?

WOW, What world do you live in? In the world of Enterprise software specifically the latest version of Oracle Financials, Java is required for the system to function within the browser. During this time, we had to shut off Internet access for our users in order to ensure they would not be breached and could continue to do most of their job functions.

[lifeinhd]

Quote:

Originally Posted by FloatingBones

What application are you running that computationally requires Java in the browser in order to run?

What are you doing to convey to the software vendor that it is urgent to upgrade their service to eliminate the need for Java in the browser?

I had a client who called me the other week because the site she used to manage her real estate would no longer work on her Mac. Turns out it used Java, and Apple had disabled Java earlier that day.

You can argue all day long that Java/Flash/plugins shouldn't be necessary, but it doesn't change the fact that remotely disabling stuff with no opt-out or even warning is NOT okay.

[Jaymes]

Quote:

Originally Posted by FloatingBones

What application are you running that computationally requires Java in the browser in order to run?

What are you doing to convey to the software vendor that it is urgent to upgrade their service to eliminate the need for Java in the browser?

Have you ever worked in an enterprise environment? Java is widespread, because it is cross-platform. You only have to right software once, and it will work on Mac, Windows, mobile phone, an ATM, whatever. That's part of the reason people try to compromise it so often.

Unless Oracle somehow self-destructs, Java isn't going away anytime soon. Heck, even CrashPlan Pro (the supposed gold standard in Mac backup that Apple uses on 27,000 of its campus computers) uses a Java client to run. That's right - read it: Apple uses Java on nearly every desktop computer on their campus.

[oneofakind]

At least someone tried to protect their users more than others. *Cough*Microsoft*Cough

[a.gomez]

I guess the few people who still use Safari on a computer will get a pop up soon. This thing should go and join Ping

[tigres]

Quote:

Originally Posted by FloatingBones

You don't understand the question. I'll rephrase: what is it about banking and finance that requires the computation be performed with Java in the browser?

As far as we can tell, it's simply a matter of complacency and laziness that is leaving your site with the risky implementation. You seem to not realize: apathy by businesses like yours is what is keeping this problem in place.

Are you perhaps hoping that Java will someday be secure?

Hmmm.

Ok I will convey your ideas to all the banking sites I use for my daily job.
Maybe they will listen, and pull in the it departments over the weekend and rebuild their respective sites.

[coolfactor]

I use Safari as my preferred browser, but I have Chrome set as the default so if I click any links from other applications, they open into Chrome. And if I ever need to view Flash content, I open it in Chrome. It's a simple copy-and-paste of the URL from the Safari address bar into Chrome. Simple.

----------

Quote:

Originally Posted by a.gomez

I guess the few people who still use Safari on a computer will get a pop up soon. This thing should go and join Ping

I still prefer Safari's "feel" over all other browsers that I use, and I use Safari, Chrome, Opera and Firefox on a near-daily basis. They all have their place.

[andrewm]

Quote:

Originally Posted by Jaymes

Have you ever worked in an enterprise environment? Java is widespread, because it is cross-platform. You only have to right software once, and it will work on Mac, Windows, mobile phone, an ATM, whatever. That's part of the reason people try to compromise it so often.

Unless Oracle somehow self-destructs, Java isn't going away anytime soon. Heck, even CrashPlan Pro (the supposed gold standard in Mac backup that Apple uses on 27,000 of its campus computers) uses a Java client to run. That's right - read it: Apple uses Java on nearly every desktop computer on their campus.

No, Java isn't going away. I don't think that Java itself is the problem, but rather the "sandbox" that can be broken-out-of on client operating systems. These systems don't get the latest patches when they need it most. I have relatives who don't know what Java is, who don't know how to disable it even if they do, and certainly don't give half a care if some software they can't identify is kept up-to-date.

I also suspect that Apple have a vested interest in preventing Macs from joining the millions of Windows PCs the world over that are unknowing members of criminal botnets. Maybe a point of pride.

This stream of issues isn't necessarily about these standalone apps. It is rather more focused upon applets that run within a Web browser. CrashPlan isn't (at least to my knowledge?) built as a browser applet. Even if it were to suffer technically from the same vulnerability, it might not be nearly as practical to exploit it.

When Java is enabled in the Web browser, that browser becomes a potential "open window" on to the operating system for anyone able to exploit such a vulnerability.

The "problem," as I see it, is applets, not Java standalone apps.

Organizations that require Java to be enabled in the browser are helping to keep this issue alive since going through the browser seems an increasingly-common central attack vector.

If Java simply didn't exist in the browser—if Applets were dead for good—people with apps that have Java dependencies (CyberDuck, CrashPlan, etc.) might not get locked out as often once something like this comes to light, as the level of risk, I feel, would likely be lower.

[Shrink]

Quote:

Originally Posted by a.gomez

I guess the few people who still use Safari on a computer will get a pop up soon. This thing should go and join Ping

Yeah, all three of us. And , of course, if we're dumb enough to use Safari, we're also too dumb to know how to compute safely.

Speaking for the three of us using Safari...thanks so much for the suggestion to join Ping.

[mohawkapple]

Quote:

Originally Posted by Amazing Iceman

If it wasn't for a handful of sites I need to access that still require Flash, I would have already got rid of it. Same would apply to JAVA.
I really hope all sites start supporting HTML5/CSS3 soon.

----------



Well, it doesn't come preloaded with your MAC, so unless you manually installed it, you don't have it. Hopefully you may never need it.
Java is not the same as JavaScript, which is supported by Safari. No need to worry about JavaScript.

Thanks for the info, how can I tell if I downloaded this java thing? I can't remember if I did or not lol
Sorry for the new be questions and thanks for any help

[samcraig]

Wait? People still use safari?

Buggiest browser I've ever used. Prefer Firefox and Chrome thanks.