Apple acknowledged on Thursday that it has updated its OS X plug-in blacklist to reflect a critical vulnerability in Adobe Flash Player made public earlier this week.
Going forward, Safari will block any version of the Flash plug-in older than 14.0.0.145, or older than 13.0.0.231 on systems still on Adobe's extended-support branch.
An advisory on Apple’s support site notes that users running an older version of Flash may see a “Blocked plug-in,” “Flash Security Alert,” or “Flash out-of-date” message; from there they are prompted to download the latest version of the player.
Adobe released patches on Tuesday to remedy three vulnerabilities in Flash, including a critical one, discovered by Google engineer Michele Spagnuolo, that could be used to exfiltrate sensitive information. Using a tool Spagnuolo created, dubbed Rosetta Flash, an attacker can convert a malicious SWF file into one made up entirely of alphanumeric characters, so that a JSONP endpoint will reflect it as the callback name and the plug-in will load the response as a Flash file served from the vulnerable domain, from where it can perform arbitrary requests with that domain’s cookies.
“Attackers could make the victim’s machine perform requests that could ultimately send data to an external, attacker-controlled domain,” Spagnuolo said in a blog post on Tuesday.
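The JSONP side of the attack, as an added example that is not code from the article, from Adobe, or from the Rosetta Flash tool: a callback-echoing endpoint as commonly written, beside a hardened version. The function names, the constructed callback string and the sample data are assumptions for illustration only.

```javascript
// Added example (not the article's, Adobe's or Rosetta Flash's code).
// Before the Tuesday patch, Flash Player treated any fetched resource whose
// first three bytes were "FWS", "CWS" or "ZWS" as a SWF, regardless of the
// Content-Type header. A JSONP endpoint that echoes the caller-supplied
// callback name at the very start of its body can therefore be made to serve
// a Flash file from its own origin, which is what Rosetta Flash abuses.

const SWF_SIGNATURES = ['FWS', 'CWS', 'ZWS'];

// True when a response body would be accepted by the plug-in as a SWF file.
function looksLikeSwf(body) {
  return SWF_SIGNATURES.some((sig) => body.startsWith(sig));
}

// Vulnerable pattern: the callback is the first thing in the response, so an
// all-alphanumeric SWF passed as ?callback= is reflected verbatim and the
// body begins with the SWF magic bytes.
function jsonpVulnerable(callback, data) {
  return `${callback}(${JSON.stringify(data)});`;
}

// Hardened pattern (assumed here, but matching the mitigations published with
// the disclosure):
//  - restrict the callback to a short identifier; an alphanumeric-only check
//    is NOT enough on its own, because a Rosetta Flash payload is alphanumeric;
//  - prefix the body with a comment so it can never begin with FWS/CWS/ZWS,
//    whatever the callback is; this is the control that actually defeats the
//    technique, since an unpatched plug-in ignores the Content-Type;
//  - send nosniff so browsers do not second-guess the declared type.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

function jsonpHardened(callback, data) {
  if (!CALLBACK_RE.test(callback)) {
    throw new Error('invalid JSONP callback name');
  }
  return {
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: `/**/${callback}(${JSON.stringify(data)});`,
  };
}

// Constructed stand-in for a Rosetta Flash payload: only its shape matters
// here (a compressed-SWF header followed by alphanumeric characters). It is
// not a real SWF and contains no Flash bytecode.
const FAKE_ROSETTA_CALLBACK = 'CWS' + 'u6C8Z'.repeat(40);

// Runs both responders against the constructed payload and returns the
// observations a reviewer would check.
function demo() {
  const data = { user: 'alice', token: 'constructed-secret' }; // constructed sample data
  const unsafe = jsonpVulnerable(FAKE_ROSETTA_CALLBACK, data);

  let hardenedRejected = false;
  try {
    jsonpHardened(FAKE_ROSETTA_CALLBACK, data);
  } catch (e) {
    hardenedRejected = true; // too long for CALLBACK_RE
  }

  // A short callback that passes the regex but starts with SWF magic: the
  // comment prefix, not the regex, is what keeps the body from being a SWF.
  const swfLikeName = jsonpHardened('CWSabc', data);
  const safe = jsonpHardened('handleUser', data);

  return {
    unsafeLooksLikeSwf: looksLikeSwf(unsafe),
    hardenedRejectedPayload: hardenedRejected,
    swfLikeNameLooksLikeSwf: looksLikeSwf(swfLikeName.body),
    safeLooksLikeSwf: looksLikeSwf(safe.body),
    safeBody: safe.body,
  };
}

console.log(demo());
```

The regex alone would not have stopped a real payload if the length limit were relaxed, which is why the `/**/` prefix is the control to rely on; the server-side change is independent of whether every visitor has updated the plug-in.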
Two other patches released on Tuesday resolve security bypass vulnerabilities in Flash on all platforms.
Much as Mozilla did with Firefox before it, Apple began blocking outdated versions of Flash in Safari last year, in hopes of keeping users better informed about the security of their systems.
Safari users who for whatever reason must run an older version of Flash can still enable it on a site-by-site basis with the “Run in Unsafe Mode” option in Safari 6.1 or later.