Mac users: How to update Adobe’s Flash safely and avoid malware

“Adobe frequently updates its Flash software with security improvements and other changes,” Peter Cohen reports for iMore. “Seeing update messages has become routine enough that some malware developers have started using ‘Flash updates’ as a way of infecting your computer.”

“Fortunately, you can make sure you’re installing the real Flash by only downloading from Adobe’s web site,” Cohen reports. “If you’re prompted to install a Flash file from anywhere besides a domain ending in “adobe.com,” close your web browser window immediately.”

Cohen reports, “If you’d like to make sure you’re on top of things yourself, follow these steps to install or update Flash on your Mac safely.”

Full instructions here.

MacDailyNews Take: Never “Update Flash” from anywhere except via Adobe!

35 Comments

  1. I’ve always been worried about this. Regularly an Adobe window pops up and asks me to download the newest Flash. I’ve always been suspicious but had no idea how else we could do this safely. Why doesn’t Apple force Adobe to do all updates via the App store? It’s a pain to have to go to Adobe’s site and it’s just another issue with Adobe that makes me suspicious of everything they do.

      1. Not just this past week…. it’s been this way for a while (since the beginning of Yosemite?) There’s now a Preference Pane in System Preferences for managing Flash Player, and it has built-in update checking. When an update is required, it does take you to adobe.com.

        1. No, I’m talking about a brand NEW feature added specifically into XProtect that checks what version of the Flash Internet plugin you have installed and STOPS you from using it if it’s not current, then gets you started updating it. It did not exist before last week. It’s not the same as the Flash Player Preferences pane.

        2. Apologies! Sort of! I’d forgotten that XProtect had it out for bad versions of Flash previously. (Me = stupid today). You’re correct in that assertion; Sorry for being a PITA!

          – – What changed is that Apple updated XProtect to watch for more recent old versions of Flash, forcing users to use newer versions 17.0.0.134 or 13.0.0.277.

          Gory Details for those interested:
          Go to the location of the XProtect.plist files and check their date. They should say ‘March 20, 2015’. The update was apparently delayed for OS X 10.6.8 – 10.8.5 until this past Saturday. Yosemite got it on Friday.

          The XProtect plist files are located here:
          /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.plist & XProtect.meta.plist

          Note that XProtect updates itself as long as a Mac is regularly connected to the Internet. If not, the download URL for the current version of the XProtect plist Installer package is:
          http://swcdn.apple.com/content/downloads/04/35/031-18011/kkw59luj4hr4kek6bx1cmv9wg3timye6qf/XProtectPlistConfigData.pkg

          What would I do without my buddy Al to keep my brain in order? I have a few friends like that. 🙂

      1. On first glance, it may appear great, but it is actually worse than useless, just go to the adobe website and download, it is just as easy.

        Or use the preference pane and follow these steps:

        Open system preferences
        click on flash
        click on update tab
        click on update button
        wait for Safari to launch (your last click triggered it)
        now click the download button on the flash page (Make sure the bundleware check isn’t checked or you’re getting lightwave too)
        Click the downloaded file to mount the disk image
        Close Safari that Flash just opened
        Close the system preferences pane you opened to get to flash updater
        click the installer in the disk image
        Authenticate
        wait for the file you downloaded to actually download the updated flash components and install them.
        click done
        Wait for Safari to relaunch verifying your update

        As you can see, the flash preference pane is not really a good tool for updating; it not only doesn’t improve efficiency, it degrades it further. A perfect metaphor for Flash in general. In other words, One Hot Mess…

        1. “wait for Safari to launch (your last click triggered it)”

          Safari is always running on my system. Guess that’s not the case for you? Does your Safari take a while to start up, and you find that annoying?

          Regardless how you obtain the update, the Flash Installer still requires that Safari be shut down… so annoying.

        2. I just went to the Pref pane for Adobe. It told me there was an update and it was downloaded. Upon installation I received a dialogue box that said I had to turn off “www.apple.WebKit.Plugin64” Huh? What’s that? I didn’t finish the install. And it also brought in something from Cisco. All ejected.

        3. I disagree, the Preference pane doesn’t add all of those steps, most are part of the Flash install anyway. The only steps using the Preference pane adds may be to check for an update, and then go directly to the download page. It may have already checked.

          Here’s the thing, the Preference pane can be set to auto-install updates, but if you’re (rightfully) nervous about that, you can have it notify you instead (or turn this feature completely off).

          So unless you have Never check for updates selected, that one step of checking for an update doesn’t need to be performed.

          Either way, you’re going to your browser to download the new version of Flash. By going to the Preference pane, you go directly to the download page only if you need to upgrade.

          By going to Adobe.com first, you have to load in the promotions on the front door, and then find the link to go to the download page… at which point you’ll continue the process to install regardless of whether or not you need an update.

  2. I have uninstalled Flash on all of my Macs. Using Safari as my main browser, if I encounter Flash content, I first try to emulate the mobile version of Safari under the “Develop” menu. If that still does not work, I usually just skip the Flash content. If I really, really, really want to see the Flash content, I then select the “Open with Chrome” under the Develop menu, and the Flash that is contained within Chrome will allow me to view the content. When I quit Chrome, my Mac is again not burdened and encumbered with Flash.

        1. Flash installed = system wide plug-in, runs in Safari, have to manage with ClickToFlash or whatever.

          Chrome with Flash built-in = Flash doesn’t run when I use my normal browser.

          Taking your “same difference” fallacy further: I have to test things in Windows for work. It’s in a virtual machine, and I shut it down when I’m done. This is very obviously a HUGE difference from running Windows all the time in Bootcamp.

        2. There are rare (for me) circumstances that call for Flash. Visiting a single page once or twice a month in Chrome isn’t going to destroy my life, or make me unpure, or some other over-the-top extremist view.

          Oh no, Google gets my IP address and sets/reads a few cookies a couple times a month! … which they get already when I use Google Maps a lot more.

          And as Derek notes below, if you’re dead set against Chrome then Chromium is another option.

      1. You do realize that Chrome integrates Flash inside itself, right?

        Google has been good about prompting to update Chrome with new versions of Flash. I personally use Chromium instead, in an effort to not hand over my soul to Google when I need to use it. I make certain I’m on the latest release version.

  3. Another problem is that Google will sell your security for the cost of an ad. Many people will go to Google.com and search for something like “Flash Update.” The first things that pop up are usually ads, unless you’re using some kind of ad blocker.

    The scum providing the update in the ads will have names like adobe.flash.uptoday.com. People don’t read the URL and click ok.

    They then unknowingly provide their passwords to these people who install all kinds of crap with Flash. They redirect Safari’s home page, add toolbars that no one wants, add-ons to screw up search results so that you go to yahoo no matter what and so on.
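The article's rule (only trust a domain ending in adobe.com) and the look-alike host named in the comment above can be checked mechanically. The following is an added example, not code from iMore, MacDailyNews or Adobe; the function name, the HTTPS requirement and all sample URLs other than the host adobe.flash.uptoday.com are assumptions made for illustration.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "adobe.com"  # the article's rule: only domains ending in adobe.com


def check_download_url(url, require_https=True):
    """Return (trusted, reason) for a Flash download or update URL."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # lower-cased; drops port and any user:pass@ prefix
    except ValueError:
        return False, "unparseable URL"
    if not host:
        return False, "no host in URL"
    # Assumption added here, not stated on the page: insist on HTTPS.
    if require_https and parts.scheme != "https":
        return False, "not https"
    host = host.rstrip(".")  # "get.adobe.com." is the same host as "get.adobe.com"
    if not host.isascii():
        return False, "non-ASCII host (possible look-alike characters)"
    # Exact match or a subdomain. The leading dot matters: a plain
    # endswith("adobe.com") would also accept "fakeadobe.com".
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return True, "host is under " + TRUSTED_DOMAIN
    if "adobe" in host or "flash" in host:
        return False, "brand name in host, but registered elsewhere"
    return False, "unrelated domain"


# Constructed sample URLs; only adobe.flash.uptoday.com is a host named on the page.
SAMPLES = [
    "https://get.adobe.com/flashplayer/",
    "https://adobe.flash.uptoday.com/update",
    "https://adobe.com.flash-update.example/install.dmg",
    "https://fakeadobe.com/flash",
    "https://adobe.com@downloads.example/flash.dmg",
    "http://get.adobe.com/flashplayer/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        trusted, reason = check_download_url(url)
        print(f"{'OK  ' if trusted else 'STOP'} {url}  ({reason})")
```

The host is read right to left: what counts is the domain at the end of the host name, not the brand word at the front of it.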

  4. Something else to try in the never-ending effort to free yourself from Flash: The FlashToHTML5 extension:

    http://www.joris-vervuurt.com/page9/page9.php

    FlashToHTML5 replaces the CPU and memory hogging YouTube Flash Player with a HTML5 player.
    Not only will it look nicer, you will also notice that your computer will run cooler and faster. If you use a laptop, you will also notice that the battery life of a fully charged battery will increase.

    FlashToHTML5 will also automatically load the video at the highest quality available, WITHOUT advertisements!
    The only downside is that subtitles and user-captions are not displayed, but that’s something I may add support for in the future. 😉

    Download link:
    http://www.joris-vervuurt.com/page9/page11/files/FlashToHTML5_3.2.zip

    (The MacUpdate download link is broken, no idea why).

  5. I’ve had two Mac-only clients with this weird occurrence. They are receiving email directed to them, as part of a big list. The list appears to be made up of only people in their address books. They swear the address books exist only on their Mac. The first time, I wrote it off as the address list having to exist somewhere else. But now, it’s starting to look like some kind of malware.

    1. The other cause of this besides malware on their Macs could be that they send email out to multiple people without sending separate emails or using the Bcc field.

      Any recipient of an email with multiple addresses in the header can either knowingly be malicious and harvest them for spamming, or unknowingly be a victim of malware.

    1. One major improvement Adobe announced in a previous update was this exact thing — Flash would update itself. It never did. Adobe is so incompetent. Their awful creative suite actually requires you to install Java! I have more respect for Microsoft (!!) than I do Adobe.

  6. That’s what I always did. Even when they introduced automatic updates, which I didn’t activate, since I don’t trust them to keep this channel safe. And it seems it’s warranted since I had popups informing me my flash is out of date (you have version xz, here’s version xz+1)… only for me to find that there’s no new version on Adobe’s page, and both version numbers the fake update gave me were wrong.

    Of course, the best way would be to get completely rid of this crap, but, alas, some content deliverers don’t listen.
