Apple blacklists older versions of Adobe Flash

The giant from Cupertino has updated one of its malware definition files, XProtect.plist, to block versions of Flash for Mac OS X 10.6, OS X Lion, and OS X Mountain Lion that are older than the latest 11.6.602.171 update.

“Adobe Flash Player updates are available that address a recently identified Adobe Flash Player web plug-in vulnerability,” Apple explained on its support website. “To help protect users from a recent vulnerability, Apple has updated the web plug-in-blocking mechanism to disable older versions of the web plug-in: Adobe Flash Player.”

This means that anyone trying to view Flash content on an unpatched machine will be met with a “Blocked Plug-in” alert. When the user clicks on it, Safari reports that Flash Player is out of date and directs them to the update.
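The blocking described above is a version threshold: a plug-in whose bundle version is older than the minimum listed in XProtect.plist is refused. The following is an added illustration, not Apple's code; the plist sample is constructed, and its key layout (PlugInBlacklist / MinimumPlugInBundleVersion) is an assumption about the file's structure rather than a copy of any real Apple file. It reads the minimum from the plist and compares installed versions numerically, which matters because a plain string comparison would rank "11.10.0.0" below "11.6.602.171".

```python
import plistlib

# Constructed sample in the style of XProtect.plist. The key names are an
# assumption for illustration; the minimum version is the one Apple set.
SAMPLE_XPROTECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PlugInBlacklist</key>
  <dict>
    <key>10</key>
    <dict>
      <key>com.macromedia.Flash Player.plugin</key>
      <dict>
        <key>MinimumPlugInBundleVersion</key>
        <string>11.6.602.171</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

FLASH_BUNDLE_ID = "com.macromedia.Flash Player.plugin"  # assumed bundle id


def parse_version(version: str) -> tuple:
    """Split a dotted version into a tuple of ints for numeric comparison."""
    return tuple(int(part) for part in version.strip().split("."))


def minimum_plugin_version(plist_bytes: bytes, bundle_id: str = FLASH_BUNDLE_ID) -> str:
    """Return the minimum allowed bundle version listed for one plug-in."""
    data = plistlib.loads(plist_bytes)
    return data["PlugInBlacklist"]["10"][bundle_id]["MinimumPlugInBundleVersion"]


def is_blocked(installed: str, minimum: str) -> bool:
    """A plug-in is blocked when its version is strictly older than the minimum."""
    return parse_version(installed) < parse_version(minimum)


def check_versions(plist_bytes: bytes, installed: list) -> dict:
    """Map each installed version string to True (blocked) or False (allowed)."""
    minimum = minimum_plugin_version(plist_bytes)
    return {v: is_blocked(v, minimum) for v in installed}


if __name__ == "__main__":
    results = check_versions(SAMPLE_XPROTECT_PLIST,
                             ["11.6.602.167", "11.6.602.171", "11.10.0.0"])
    for version, blocked in results.items():
        print(version, "BLOCKED" if blocked else "allowed")
```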

The ban follows a security bulletin issued by Adobe last week warning of two vulnerabilities already being exploited against one browser (Mozilla Firefox), plus a third vulnerability that could potentially be exploited. All three affect Flash Player in Safari, on Linux and in Internet Explorer as well, however.

“Adobe is aware of reports that CVE-2013-0643 and CVE-2013-0648 are being exploited in the wild in targeted attacks designed to trick the user into clicking a link which directs to a website serving malicious Flash (SWF) content,” the company said. “The exploit for CVE-2013-0643 and CVE-2013-0648 is designed to target the Firefox browser.”

Accordingly, Adobe released an emergency out-of-band patch for Flash, the third Flash update this month and the fourth this year. The update applies to Flash Player 11.6.602.167 and earlier versions for Mac (and, incidentally, 11.2.202.270 and earlier for Linux, and 11.6.602.168 and earlier for Windows).

“These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said.

Amidst a rash of zero-day events in the first part of the year, Apple has also pressed anti-malware blocking into service to force an earlier Flash Player update, as well as updates to Oracle's Java 7 Web plug-in.
