macrumors bot
Original poster
Apr 12, 2001
63,481
30,717



As noted by Jim Dalrymple of The Loop, Apple today updated its malware definition file "Xprotect.plist" to block older versions of Adobe Flash Player in Safari. Versions of Flash that come before the latest 11.6.602.171 update will be automatically blacklisted.

To help protect users from a recent vulnerability, Apple has updated the web plug-in-blocking mechanism to disable older versions of the web plug-in: Adobe Flash Player
The ban comes after a security bulletin issued by Adobe earlier this week, covering three different vulnerabilities and recommending an update to the newest version of Flash.

In recent weeks, Apple has aggressively used its anti-malware tools to enforce minimum plug-in versions in light of security issues affecting the software. Recent blocks have included a previous Flash Player update enforcement in early February, and several blocks of Oracle's Java 7 Web plug-in earlier this year.

Article Link: Apple Updates Anti-Malware Software to Block Older Versions of Adobe Flash Player Plug-in
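
An added example (not part of the original post and not Apple's code): a minimum-version check of the kind the article describes, run over a constructed definitions plist. The plist layout, key names, bundle identifier and host names are assumptions for illustration; only the version 11.6.602.171 comes from the article.

```python
import plistlib

# Constructed sample. Layout and key names are assumptions, not a copy of
# Apple's file; only the version number is taken from the article.
FLASH = "com.macromedia.Flash Player.plugin"
SAMPLE_DEFINITIONS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PlugInBlacklist</key>
  <dict>
    <key>com.macromedia.Flash Player.plugin</key>
    <dict>
      <key>MinimumPlugInBundleVersion</key>
      <string>11.6.602.171</string>
    </dict>
  </dict>
</dict>
</plist>
"""

def parse_version(text):
    """Split a dotted version into integers so 11.10 sorts after 11.6."""
    return tuple(int(part) for part in text.strip().split("."))

def is_blocked(definitions, bundle_id, installed_version):
    """True when the installed plug-in is older than the listed minimum."""
    entry = definitions.get("PlugInBlacklist", {}).get(bundle_id)
    if entry is None:
        return False  # no minimum listed for this plug-in
    minimum = parse_version(entry["MinimumPlugInBundleVersion"])
    installed = parse_version(installed_version)
    # Pad to equal length so "11.6" is compared as 11.6.0.0.
    width = max(len(minimum), len(installed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(installed) < pad(minimum)

def audit(inventory, raw=SAMPLE_DEFINITIONS):
    """Map host -> blocked? for a host -> (bundle id, version) inventory."""
    definitions = plistlib.loads(raw)
    return {host: is_blocked(definitions, bundle_id, version)
            for host, (bundle_id, version) in inventory.items()}
```

Comparing the components as integers matters here: a plain string comparison would rank a hypothetical 11.10.x below 11.6.x and flag a newer plug-in as outdated.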
 

Yvan256

macrumors 603
Jul 5, 2004
5,081
998
Canada
The safest way is still to uncheck the "Enable plug-ins" and "Enable Java" options in Safari.
 

SirYossi

macrumors regular
Jan 4, 2012
117
1
Penfield
Another Reason why Jobs was against Flash

As noted by Jim Dalrymple of The Loop, Apple today updated its malware definition file "Xprotect.plist" to block older versions of Adobe Flash Player in Safari. Versions of Flash that come before the latest 11.6.602.171 update will be automatically blacklisted.

The ban comes after a security bulletin issued by Adobe earlier this week, covering three different vulnerabilities and recommending an update to the newest version of Flash.

In recent weeks, Apple has aggressively used its anti-malware tools to enforce minimum plug-in versions in light of security issues affecting the software. Recent blocks have included a previous Flash Player update enforcement in early February, and several blocks of Oracle's Java 7 Web plug-in earlier this year.

Article Link: Apple Updates Anti-Malware Software to Block Older Versions of Adobe Flash Player Plug-in

Just wish Flash would just go away; it is always crashing the web and is a damn memory hog.
 

nagromme

macrumors G5
May 2, 2002
12,546
1,196
Flash I still need... sometimes. ClickToFlash Safari extension to the rescue!

Java (at least in the browser where it's a problem) I don't need ever.

Security holes... I also don't need ever.

I like this peace of mind. Apple's system means I will be secure without having to think about it. And if I ever REALLY want to use an older, insecure Flash, I have Firefox or Chrome to fall back on.
 

Moonjumper

macrumors 68030
Jun 20, 2009
2,740
2,908
Lincoln, UK
Blocking by default is OK, but I wish it still allowed me to make an exception. I didn't have time to update Flash this morning, but I wanted to watch a short video on the BBC website, but couldn't because it had been blocked.

I'm used to Gmail hiding the content of a suspicious email, but it still allows me the option to view it. This should be the behaviour regarding the plugin.
 

FloatingBones

macrumors 65816
Jul 19, 2006
1,485
745
What application are you running that computationally requires Java in the browser in order to run? :confused:
Banking.
Finance.

You don't understand the question. I'll rephrase: what is it about banking and finance that requires the computation be performed with Java in the browser?

As far as we can tell, it's simply a matter of complacency and laziness that is leaving your site with the risky implementation. You seem to not realize: apathy by businesses like yours is what is keeping this problem in place.

Are you perhaps hoping that Java will someday be secure?
 

mohawkapple

macrumors member
Feb 24, 2013
33
0
k-town
What exactly is Java used for? I'm new to Macs also and not really sure how to enable or disable Java lol
I do have Flash Player running on my MBP
thanks
 

Amazing Iceman

macrumors 603
Nov 8, 2008
5,284
4,030
Florida, U.S.A.
If it wasn't for a handful of sites I need to access that still require Flash, I would have already got rid of it. Same would apply to JAVA.
I really hope all sites start supporting HTML5/CSS3 soon.

----------

What exactly is Java used for? I'm new to Macs also and not really sure how to enable or disable Java lol
I do have Flash Player running on my MBP
thanks

Well, it doesn't come preloaded with your Mac, so unless you manually installed it, you don't have it. Hopefully you may never need it.
Java is not the same as JavaScript, which is supported by Safari. No need to worry about JavaScript.
 

podlasek

macrumors member
Feb 28, 2008
70
21
USA
You don't understand the question. I'll rephrase: what is it about banking and finance that requires the computation be performed with Java in the browser?

As far as we can tell, it's simply a matter of complacency and laziness that is leaving your site with the risky implementation. You seem to not realize: apathy by businesses like yours is what is keeping this problem in place.

Are you perhaps hoping that Java will someday be secure?

WOW, What world do you live in? In the world of Enterprise software specifically the latest version of Oracle Financials, Java is required for the system to function within the browser. During this time, we had to shut off Internet access for our users in order to ensure they would not be breached and could continue to do most of their job functions.
 

lifeinhd

macrumors 65816
Mar 26, 2008
1,428
58
127.0.0.1
What application are you running that computationally requires Java in the browser in order to run? :confused:

What are you doing to convey to the software vendor that it is urgent to upgrade their service to eliminate the need for Java in the browser?

I had a client who called me the other week because the site she used to manage her real estate would no longer work on her Mac. Turns out it used Java, and Apple had disabled Java earlier that day.

You can argue all day long that Java/Flash/plugins shouldn't be necessary, but it doesn't change the fact that remotely disabling stuff with no opt-out or even warning is NOT okay.
 

Jaymes

macrumors regular
Nov 30, 2007
104
182
What application are you running that computationally requires Java in the browser in order to run? :confused:

What are you doing to convey to the software vendor that it is urgent to upgrade their service to eliminate the need for Java in the browser?

Have you ever worked in an enterprise environment? Java is widespread, because it is cross-platform. You only have to write software once, and it will work on Mac, Windows, mobile phone, an ATM, whatever. That's part of the reason people try to compromise it so often.

Unless Oracle somehow self-destructs, Java isn't going away anytime soon. Heck, even CrashPlan Pro (the supposed gold standard in Mac backup that Apple uses on 27,000 of its campus computers) uses a Java client to run. That's right - read it: Apple uses Java on nearly every desktop computer on their campus.
 

a.gomez

macrumors 6502a
Oct 10, 2008
924
726
I guess the few people who still use Safari on a computer will get a pop up soon. This thing should go and join Ping
 

tigres

macrumors 601
Aug 31, 2007
4,213
1,326
Land of the Free-Waiting for Term Limits
You don't understand the question. I'll rephrase: what is it about banking and finance that requires the computation be performed with Java in the browser?

As far as we can tell, it's simply a matter of complacency and laziness that is leaving your site with the risky implementation. You seem to not realize: apathy by businesses like yours is what is keeping this problem in place.

Are you perhaps hoping that Java will someday be secure?

Hmmm.

Ok I will convey your ideas to all the banking sites I use for my daily job.
Maybe they will listen, and pull in the IT departments over the weekend and rebuild their respective sites.

:rolleyes:
 

coolfactor

macrumors 604
Jul 29, 2002
7,040
9,696
Vancouver, BC
I use Safari as my preferred browser, but I have Chrome set as the default so if I click any links from other applications, they open into Chrome. And if I ever need to view Flash content, I open it in Chrome. It's a simple copy-and-paste of the URL from the Safari address bar into Chrome. Simple.

----------

I guess the few people who still use Safari on a computer will get a pop up soon. This thing should go and join Ping

I still prefer Safari's "feel" over all other browsers that I use, and I use Safari, Chrome, Opera and Firefox on a near-daily basis. They all have their place.
 

andrewm

macrumors regular
Apr 2, 2004
132
3
Los Angeles, CA
Have you ever worked in an enterprise environment? Java is widespread, because it is cross-platform. You only have to write software once, and it will work on Mac, Windows, mobile phone, an ATM, whatever. That's part of the reason people try to compromise it so often.

Unless Oracle somehow self-destructs, Java isn't going away anytime soon. Heck, even CrashPlan Pro (the supposed gold standard in Mac backup that Apple uses on 27,000 of its campus computers) uses a Java client to run. That's right - read it: Apple uses Java on nearly every desktop computer on their campus.

No, Java isn't going away. I don't think that Java itself is the problem, but rather the "sandbox" that can be broken-out-of on client operating systems. These systems don't get the latest patches when they need it most. I have relatives who don't know what Java is, who don't know how to disable it even if they do, and certainly don't give half a care if some software they can't identify is kept up-to-date.

I also suspect that Apple have a vested interest in preventing Macs from joining the millions of Windows PCs the world over that are unknowing members of criminal botnets. Maybe a point of pride.

This stream of issues isn't necessarily about these standalone apps. It is rather more focused upon applets that run within a Web browser. CrashPlan isn't (at least to my knowledge?) built as a browser applet. Even if it were to suffer technically from the same vulnerability, it might not be nearly as practical to exploit it.

When Java is enabled in the Web browser, that browser becomes a potential "open window" on to the operating system for anyone able to exploit such a vulnerability.

The "problem," as I see it, is applets, not Java standalone apps.

Organizations that require Java to be enabled in the browser are helping to keep this issue alive since going through the browser seems an increasingly-common central attack vector.

If Java simply didn't exist in the browser—if Applets were dead for good—people with apps that have Java dependencies (CyberDuck, CrashPlan, etc.) might not get locked out as often once something like this comes to light, as the level of risk, I feel, would likely be lower.
 

Shrink

macrumors G3
Feb 26, 2011
8,929
1,727
New England, USA
I guess the few people who still use Safari on a computer will get a pop up soon. This thing should go and join Ping

Yeah, all three of us. And, of course, if we're dumb enough to use Safari, we're also too dumb to know how to compute safely.

Speaking for the three of us using Safari...thanks so much for the suggestion to join Ping.:rolleyes:
 

mohawkapple

macrumors member
Feb 24, 2013
33
0
k-town
If it wasn't for a handful of sites I need to access that still require Flash, I would have already got rid of it. Same would apply to JAVA.
I really hope all sites start supporting HTML5/CSS3 soon.

----------



Well, it doesn't come preloaded with your Mac, so unless you manually installed it, you don't have it. Hopefully you may never need it.
Java is not the same as JavaScript, which is supported by Safari. No need to worry about JavaScript.

Thanks for the info, how can I tell if I downloaded this java thing? I can't remember if I did or not lol
Sorry for the newbie questions and thanks for any help
 

samcraig

macrumors P6
Jun 22, 2009
16,779
41,982
USA
Wait? People still use safari?

Buggiest browser I've ever used. Prefer Firefox and Chrome thanks.
 