On the heels of a major Adobe Flash Player update two weeks ago, Apple last night updated its blacklist to include older versions of the software.
In its advisory, Apple said it will begin blocking out-of-date versions of Flash in its Safari browser.
“If you’re using an out-of-date version of the Adobe Flash Player plug-in, you may see the message ‘Blocked plug-in,’ ‘Flash Security Alert,’ or ‘Flash out-of-date’ when attempting to view Flash content in Safari,” the Apple advisory said.
This is not an unprecedented move from Apple, which on several occasions dating back to 2012 has proactively blocked Flash, especially after major updates or publicly reported attacks.
Apple said there is a provision in Safari called Internet Plug-in Management that allows users who require the older version of Flash Player to run it in safe mode until they’re able to update.
On May 12, Adobe released an updated version of Flash Player for Windows and Mac OS X—along with new Reader and Acrobat software—that addressed 18 vulnerabilities. None of the security flaws have been publicly exploited, Adobe said. All of the vulnerabilities, however, enable an attacker to remotely take control of a compromised computer.
Windows and Mac OS X users were urged to update to Flash Player 17.0.0.188.
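Safari's block works by refusing any plug-in build below a minimum version, so the practical check for an administrator is "is the installed Flash older than 17.0.0.188?". The script below is an added example (not Apple's or Adobe's code) of that comparison: it parses dotted version strings into integer tuples so that `17.0.0.9` correctly sorts below `17.0.0.188`, and it pulls the version out of a plug-in `Info.plist`. The macOS plug-in path and the `CFBundleShortVersionString` key are assumptions about where the version is recorded; the embedded plist is a constructed sample.

```python
import os
import plistlib
from typing import Optional, Tuple

# Patched release named in the article (Adobe's May 12 update).
MINIMUM_FLASH_VERSION = "17.0.0.188"

# Assumed location of the Flash plug-in bundle metadata on OS X.
ASSUMED_FLASH_PLIST = "/Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '17.0.0.188' into (17, 0, 0, 188).

    A naive string comparison would rank '17.0.0.9' above '17.0.0.188';
    converting each component to an int avoids that. Any non-digit suffix
    in a component (e.g. '188b') is dropped at the first non-digit.
    """
    parts = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like a classic comparator; '17.0' equals '17.0.0.0'."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def is_outdated(installed: str, minimum: str = MINIMUM_FLASH_VERSION) -> bool:
    """True when the installed build is strictly older than the minimum."""
    return compare_versions(installed, minimum) < 0


def flash_version_from_plist(plist_bytes: bytes) -> str:
    """Extract the bundle's short version string from Info.plist XML."""
    info = plistlib.loads(plist_bytes)
    return str(info["CFBundleShortVersionString"])


def check_plist(plist_bytes: bytes, minimum: str = MINIMUM_FLASH_VERSION) -> bool:
    """Return True if the plug-in described by this plist should be blocked."""
    return is_outdated(flash_version_from_plist(plist_bytes), minimum)


def check_installed(path: str = ASSUMED_FLASH_PLIST) -> Optional[bool]:
    """Check the plug-in on disk; None means no plug-in metadata was found."""
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return check_plist(fh.read())


# Constructed sample: an Info.plist for a build one release behind the fix.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleShortVersionString</key>
    <string>17.0.0.169</string>
</dict>
</plist>
"""

if __name__ == "__main__":
    print("sample plist outdated:", check_plist(SAMPLE_INFO_PLIST))
    result = check_installed()
    print("installed plug-in:", "not found" if result is None
          else ("outdated, would be blocked" if result else "current"))
```

The comparator pads the shorter tuple with zeros, so a three-part version such as `17.0.0` compares equal to `17.0.0.0` rather than sorting below it; that matters when vendors and blocklists disagree on how many components they publish.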
The update addressed four memory corruption vulnerabilities, one heap overflow flaw, an integer overflow bug, three type confusion bugs, and a use-after-free vulnerability that allow an attacker to run code remotely and control a machine.
The Flash update also addressed a time-of-check to time-of-use (TOCTOU) race condition that bypasses Internet Explorer’s Protected Mode. Three other bugs were patched that allow an attacker to write data to the file system with the same permissions as the user. Two memory leak issues that could lead to a bypass of Address Space Layout Randomization (ASLR) were also addressed, along with a separate security bypass vulnerability that could lead to information disclosure.
Flash continues to be one of the most targeted pieces of third-party software.
Earlier this year, a zero-day vulnerability in Flash Player was exploited in targeted attacks against Forbes.com; the ultimate targets were a number of U.S. defense contractors and financial services firms. The attackers chained the Flash zero day with another in Internet Explorer in a watering hole attack against Forbes.com to reach workers in those industries.
This attack was reported days after a trio of zero-day vulnerabilities wreaked havoc, one of which was quickly integrated into the Angler Exploit Kit and used to compromise 1,800 domains, Cisco researchers said in early February. Days later, the Hanjuan Exploit Kit was also using a Flash zero day, the last to be patched by Adobe, leading researchers at Trustwave to surmise it was the same criminal group behind both.