Nermal

I read the news earlier this week about the fake Flash update, and I just ran into it. I'm not sure how it happened though!

I'm using Safari and while visiting a site I had "Flash Player Install Manager" open itself and try to get me to continue, with dire warnings of security issues if I didn't update (I wish I'd taken a screenshot). However, Safari's Downloads window was empty and no DMG (or any other filetype) was added to my download folder.

Is this a newer, more "silent" type of attack? I force quit the installer and for good measure installed the latest Flash from Adobe's site, but I'm not sure how this "updater" managed to sneak onto my system! Any ideas? Should I look for any particular files that may now be hiding on my system? I don't see anything odd in Activity Monitor.

Thanks :eek:

Edit: False alarm, see posts 10 and 11 for details.
 
You shouldn't be infected unless you have the ~/Library/Preferences/Preferences.dylib file.
 
Was it an actual application, complete with its own menu bar? Or one of those extremely real looking and convincing pop-up windows that often trick PC users into downloading an antivirus product that is itself a nasty piece of malware?
 
It had a menu bar and dock icon. It was actually executable code running on my machine, which is why I'm so concerned about it!
 
Is this the item you're referring to?

 
Wow, all the way back in August? I thought I read about it last week, how time flies!

I have OS X's automatic malware definition update feature turned on. The installer that appeared did not look like that; it was smaller and grey, like the proper Adobe installer.

I had the same thing happen, and I'm not sure it's fake. I think what happened was that when you loaded a page that had a Flash element, Adobe's notification system sent a message to the Flash Updater on your system (it's a separate app that already exists, not 100% sure where it resides though), which then launched and prompted you to update. I reacted the same way you did, but I think it may have been legit after all. That explains why there was no download in Safari, though, because nothing actually was downloaded.

jW
 
Hmm, interesting. In eight years of using OS X I've never had it pop up like that. Of course, it could be a new feature in Flash 10.3 that just happens to have bad timing with the malware discovered in August.

I was on a legitimate site (amd.com) at the time, and I also see that Flash Player Install Manager is sitting in my Utilities folder and that its Created and Modified timestamps are both set to when I manually reinstalled Flash. It looks like it is legitimate, after all!

Sorry to everyone for the false alarm, although I'm sure that you can see why I was concerned :)
 
I have disabled updates on every piece of software on my system except Apple and Chrome. Those other companies can send me requests which I continue to ignore. Flash isn't a huge security issue for me updated or not because I don't own a browser without a flashblock plugin that defaults to active (blocked).
 