Apple Updates Anti-Malware Software to Block Older Versions of Adobe Flash Player Plug-in

As noted by Jim Dalrymple of The Loop, Apple today updated its malware definition file "Xprotect.plist" to block older versions of Adobe Flash Player in Safari. Versions of Flash that come before the latest 11.6.602.171 update will be automatically blacklisted.

To help protect users from a recent vulnerability, Apple has updated the web plug-in-blocking mechanism to disable older versions of the web plug-in: Adobe Flash Player

The ban comes after a security bulletin issued by Adobe earlier this week, covering three different vulnerabilities and recommending an update to the newest version of Flash.

In recent weeks, Apple has aggressively used its anti-malware tools to enforce minimum plug-in versions in light of security issues affecting the software. Recent blocks have included a previous Flash Player update enforcement in early February, and several blocks of Oracle's Java 7 Web plug-in earlier this year.
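
The minimum-version enforcement described above can be reproduced as a fleet audit check. This is an added example, not Apple's code or part of the original article: the plist layout, key names, bundle identifier and every version other than 11.6.602.171 are constructed assumptions.

```python
import plistlib

# Constructed sample, not Apple's real file: the key names and layout are
# assumptions that model a per-plug-in minimum-version blocklist.
SAMPLE_DEFINITIONS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PlugInBlacklist</key>
  <dict>
    <key>com.macromedia.Flash Player.plugin</key>
    <dict>
      <key>MinimumPlugInBundleVersion</key>
      <string>11.6.602.171</string>
    </dict>
  </dict>
</dict>
</plist>
"""


def parse_version(text):
    """Turn '11.6.602.171' into (11, 6, 602, 171) for numeric comparison."""
    return tuple(int(part) for part in text.strip().split("."))


def is_blocked(definitions, bundle_id, installed_version):
    """Return True if the installed plug-in is older than the enforced minimum."""
    rules = plistlib.loads(definitions).get("PlugInBlacklist", {})
    rule = rules.get(bundle_id)
    if rule is None:
        return False  # no rule for this plug-in, so nothing is enforced
    minimum = parse_version(rule["MinimumPlugInBundleVersion"])
    installed = parse_version(installed_version)
    # Pad to equal length so that '11.6' compares as '11.6.0.0'.
    width = max(len(minimum), len(installed))
    minimum += (0,) * (width - len(minimum))
    installed += (0,) * (width - len(installed))
    return installed < minimum


def audit(definitions, inventory):
    """Map each host in {host: (bundle_id, version)} to True when blocked."""
    return {host: is_blocked(definitions, bundle_id, version)
            for host, (bundle_id, version) in inventory.items()}
```

Comparing the components as integers matters here: a plain string comparison would rank a hypothetical 11.10 release below 11.6 and wrongly flag it as outdated.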

Top Rated Comments


20 months ago

What application are you running that computationally requires Java in the browser in order to run? :confused:

What are you doing to convey to the software vendor that it is urgent to upgrade their service to eliminate the need for Java in the browser?


I had a client who called me the other week because the site she used to manage her real estate would no longer work on her Mac. Turns out it used Java, and Apple had disabled Java earlier that day.

You can argue all day long that Java/Flash/plugins shouldn't be necessary, but it doesn't change the fact that remotely disabling stuff with no opt-out or even warning is NOT okay.
Rating: 7 Votes
20 months ago

Unless you actually need Java, like some people - myself included.


Agreed. Same here.


What application are you running that computationally requires Java in the browser in order to run? :confused:

What are you doing to convey to the software vendor that it is urgent to upgrade their service to eliminate the need for Java in the browser?
Rating: 5 Votes
20 months ago

What application are you running that computationally requires Java in the browser in order to run? :confused:

Banking.
Finance.


You don't understand the question. I'll rephrase: what is it about banking and finance that requires the computation be performed with Java in the browser?

As far as we can tell, it's simply a matter of complacency and laziness that is leaving your site with the risky implementation. You seem to not realize: apathy by businesses like yours is what is keeping this problem in place.

Are you perhaps hoping that Java will someday be secure?
Rating: 4 Votes
20 months ago
The safest way is still to uncheck the "Enable plug-ins" and "Enable Java" options in Safari.
Rating: 4 Votes
20 months ago

What application are you running that computationally requires Java in the browser in order to run? :confused:

What are you doing to convey to the software vendor that it is urgent to upgrade their service to eliminate the need for Java in the browser?


Have you ever worked in an enterprise environment? Java is widespread, because it is cross-platform. You only have to write software once, and it will work on Mac, Windows, mobile phone, an ATM, whatever. That's part of the reason people try to compromise it so often.

Unless Oracle somehow self-destructs, Java isn't going away anytime soon. Heck, even CrashPlan Pro (the supposed gold standard in Mac backup that Apple uses on 27,000 of its campus computers) uses a Java client to run. That's right - read it: Apple uses Java on nearly every desktop computer on their campus.
Rating: 4 Votes
20 months ago

The safest way is still to uncheck the "Enable plug-ins" and "Enable Java" options in Safari.


Unless you actually need Java, like some people - myself included.
Rating: 3 Votes
20 months ago
Flash I still need... sometimes. ClickToFlash Safari extension to the rescue!

Java (at least in the browser where it's a problem) I don't need ever.

Security holes... I also don't need ever.

I like this peace of mind. Apple's system means I will be secure without having to think about it. And if I ever REALLY want to use an older, insecure Flash, I have Firefox or Chrome to fall back on.
Rating: 3 Votes
20 months ago

You don't understand the question. I'll rephrase: what is it about banking and finance that requires the computation be performed with Java in the browser?

As far as we can tell, it's simply a matter of complacency and laziness that is leaving your site with the risky implementation. You seem to not realize: apathy by businesses like yours is what is keeping this problem in place.

Are you perhaps hoping that Java will someday be secure?


WOW, What world do you live in? In the world of Enterprise software specifically the latest version of Oracle Financials, Java is required for the system to function within the browser. During this time, we had to shut off Internet access for our users in order to ensure they would not be breached and could continue to do most of their job functions.
Rating: 3 Votes
20 months ago

Wait? People still use Safari?

Buggiest browser I've ever used. Prefer Firefox and Chrome thanks.


Some of us prefer having complete integration with the OS. Plus, I haven't experienced any show stopping bugs while using Safari.
Rating: 3 Votes
20 months ago

OK, I will convey your ideas to all the banking sites I use for my daily job. Maybe they will listen, and pull in the IT departments over the weekend and rebuild their respective sites.


Nobody should come in this weekend, Tigres. What you should be asking is why you tolerate having your suppliers using a platform -- Java in the browser -- that has had zero-day exploits for at least a year and a half (http://www.grc.com/sn/sn-322.htm)?

What exactly is it going to take before your vendors -- and you -- get a wake-up call? Do you need to get a widespread zero-day spear phishing attack costing your company millions of dollars? Do you need a deadline from the DHS telling you that you must stop using Java in the browser? What will it take?

How does your company deal with providing solutions for the iPhone, iPad, Windows RT, and other platforms that do not support Java and Flash in the browser? Companies are delivering solutions via the app store on these platforms; WTF can't you do the same on the Mac platform?

I have a number of million+ dollar EMC RAID arrays that are managed by the Navisphere Java web GUI.


Exactly. It's mind-boggling why someone would be managing a million+ dollar product with a platform that continues to be vulnerable to zero day attacks. Why doesn't EMC package their solution through app stores? Why aren't their customers insisting on it?

AAPL hit a 52 week low today. Connection?


Zero. But why are you asking us? Why don't you just use a JVM search-engine (or perhaps just google (https://www.google.com)) to see if you can find one analyst -- anywhere -- who said that? :rolleyes:

Apple simply doesn't understand the enterprise, and stunts like disabling Java without warning help ensure that the enterprise will never trust Apple.


Here's a different cut: some employees managing million+ dollar equipment are oblivious to the clear and present risk of behavioral profiling to introduce exploits into the enterprise. They know that employees have programmed themselves to click "ignore" when a "potential security issue" warning pops up. Apple is looking for comprehensive solutions to these problems -- using the App Store for managing these custom apps rather than the risk of running unverified software in the browser.

Is there some good reason that EMC couldn't package the Java GUI and deliver it through the App Store? :confused:

@Aiden: EMC hit their 52-week low on Friday -- the same day you told us they use platforms that are constantly being attacked by new zero-day exploits. Connection? :rolleyes:
Rating: 2 Votes
