PDA

View Full Version : Malware for macOS, another reason to avoid Adobe Flash!



Raz0rEdge
05-05-2017, 11:44 AM
There's not a single reason that anyone should be installing Adobe Flash on their machine, if you absolutely need to use Flash for a website then consider using the Flash that comes bundled with Chrome. If the website complains that the version of Flash is not new enough, I think it's time to move on from that website.

A new malware that has been around for a long time in the Windows world has recently jumped over to the macOS world. This one is sneaky since this particular Adobe Flash Installer zip file contains a legitimate copy of Flash installer and while installing that, it also installs the backdoor covertly.

If, despite all reason, you absolutely need Adobe Flash, then only download it directly from Adobe's site. However, realize that Adobe itself has stopped working on Flash and is strongly suggesting getting away from it.

Read more: https://9to5mac.com/2017/05/05/windows-backdoor-malware-disguises-itself-as-adobe-flash-on-macos/

ferrarr
05-05-2017, 08:31 PM
Thanks Ashwin, I haven't had Adobe flash installed for a long time. I avoid Flash sights altogether.

harryb2448
05-06-2017, 12:07 AM
I say where's McBie?

McBie
05-06-2017, 01:19 PM
Ah ... Harry, I just found this thread :-)

Flash should die ..... swiftly and with style.

Flash and Java are the worst nightmare when it comes to vulnerabilities and threats.
I tried silver bullets and all that but somehow, ( for a reason that is beyond me ) Flash is still alive.

Otherwise ... I love Adobe.

Hold on a second here ..... is this true ?

... However, realize that Adobe itself has stopped working on Flash and is strongly suggesting getting away from it./ (https://9to5mac.com/2017/05/05/windows-backdoor-malware-disguises-itself-as-adobe-flash-on-macos/)
Maybe my prayers have been heard :-)

Cheers ... McBie

Raz0rEdge
05-06-2017, 02:10 PM
Hold on a second here ..... is this true ?

Maybe my prayers have been heard :-)

Cheers ... McBie

Yeah when Apple completely went away from it a couple of years back, Adobe threw the towel in and said yes Flash is a resource hog and has security issues and no we aren't going to fix any of it, so stop using it..to paraphrase, of course :)

harryb2448
05-06-2017, 05:36 PM
Flash is esxzential for those of us running educational programs alas. Time you came up with an alternative McBie

For mine problems only come about when folks do not update via System Preferences or allowing Adobe to do automatic updates.

McBie
05-07-2017, 09:27 AM
Flash is esxzential for those of us running educational programs alas. Time you came up with an alternative McBie
.

In terms of " alternatives " , I can only speak for myself and I have been Flash and Java free for a long time now. Not missing it at all.
I have not even bothered looking for alternatives. If I stumble across Flash based content, I immediately skip it. Don't need it and I don't want it.

I do understand that there is still a lot of Flash enabled solutions being used that will be hard to replace.

For me, Flash should die, swiftly and ....... :-)

Cheers ... McBie

ProTruckDriver
05-07-2017, 04:09 PM
I believe Adobe Flash came installed with my new Mac because I don't remember installing it. When I come upon a website that needs Flash, Safari warns me if I want to enable Flash. When I look up Adobe Flash on Spotlight search I get "Adobe Flash Player Management Uninstaller". With all the reports on Adobe Flash, I don't want it installed on the Mac. Is that the proper way to uninstall Adobe Flash from the "Adobe Flash Player Management Uninstaller" that I'm seeing?

26407

26408

26409

chscag
05-07-2017, 04:17 PM
Yes, use the uninstall routine that comes with the Adobe Flash Player. If for some reason you need to access a site that uses Flash, switch your browser to Chrome temporarily to view that site. Chrome has its own version of Flash built in which is safe to use.

ProTruckDriver
05-07-2017, 04:21 PM
Thank you chscag, Uninstalling now. Good to know about Chrome. :)

ferrarr
05-08-2017, 12:43 PM
Honestly. IMHO, there is zero trust that there is no or little malware for macs. I believe more malware experts are trained in windows than mac.

If you google malware forums, you will find numerous malware forums dedicated to windows.

Since the user base for OS X is so small compared to windows, sure, most people may probably just target windows, but, this also means less testers for OS x, so it could just be that more zero days exist for os x which just not have been discovered yet. Less malware detected does not mean there actually is less malware for macs !

I can see more people targeting vulnerabilites in java and flash now, to ensure all OS's are covered.
Which is why, some users here, myself included, recommend using a Standard User account, and only using an Admin User account when needed.

McBie
05-08-2017, 02:01 PM
Does it really make a difference though ?

Bcuz the admin's account could still possibly be extracted. Whether logged in or not.

Not sure I understand what you mean.
Can you elaborate a bit more please ?
I am always interested to learn something new.

Cheers ... McBie

ferrarr
05-08-2017, 08:23 PM
I don't understand what is meant by, "admin account could still possibly be extracted"?

IWT
05-10-2017, 07:11 AM
And for those you need to use Flash, the latest version has just been released - 25.0.0.171

Ian

Cr00zng
05-10-2017, 11:27 AM
There's not a single reason that anyone should be installing Adobe Flash on their machine, if you absolutely need to use Flash for a website then consider using the Flash that comes bundled with Chrome. If the website complains that the version of Flash is not new enough, I think it's time to move on from that website.

A new malware that has been around for a long time in the Windows world has recently jumped over to the macOS world. This one is sneaky since this particular Adobe Flash Installer zip file contains a legitimate copy of Flash installer and while installing that, it also installs the backdoor covertly.

If, despite all reason, you absolutely need Adobe Flash, then only download it directly from Adobe's site. However, realize that Adobe itself has stopped working on Flash and is strongly suggesting getting away from it.

Read more: https://9to5mac.com/2017/05/05/windows-backdoor-malware-disguises-itself-as-adobe-flash-on-macos/

Quote from the referenced link...


Having used a valid developerís certificate, the malware was set to run free on macOS even with Gatekeeper enabled.

I don't intend to stand up for Flash, quite the opposite, but...

This malware had been made possible by exploiting the developer's certificate and not Flash in itself. This is on Apple, who manages the developers' certificate and they let this one slide by.

You could name any other programs on the macOS that could also be exploited by a valid developer's certificate.

Again, I am not protecting Flash here and does deserve to die, but this malware is not one of the reason...

Cr00zng
05-10-2017, 11:36 AM
Which is why, some users here, myself included, recommend using a Standard User account, and only using an Admin User account when needed.

When the software, like Flash, requires admin user account and password, logging in with a standard user account is little use. The OS will prompt the end user to enter the admin account credentials. If the malware is any good, it'll capture the admin credentials as they are entered right then.

That's not to say I disagree with you about logging in with standard user account. Quite the opposite, On my system, I do it regardless if it is macOS, Windows, or Linux. I also set up my clients with Mac on the same way. However, doing so provides limited protection since it is bypassed by the end user if and when software is installed...

chscag
05-10-2017, 03:34 PM
Good point about using a Standard account. It's OK to use it but as noted, an admin password is required to do certain installations and updates. And any malware that wants to be installed has to go thru an admin which means entering the password anyway.

Using a standard account in Windows is good procedure but I'm not so sure it's really needed when running OS X.

Cr00zng
05-10-2017, 06:25 PM
Using a standard account in Windows is good procedure but I'm not so sure it's really needed when running OS X.
In my view, standard account is a good practice on both platform...

The user account control will pop up on both platforms, if and when admin account credentials are required. This is a nag, especially at the time the end user knowingly installs software. On the other hand, if and when malware downloaded through the browser and tries to install itself, at least the pop up will be an alert for the end user. This will take place regardless, if the standard or admin account logged in. The difference is that, if the admin is logged in and the pop up is suppressed, the malware can continue installing itself. While I doubt that there's a malware that would suppress the pop up on the macOS, there are number of them on the Windows platform. As more and more malware converted for macOS, including the suppressing account control pop up will make its way there too.

Just my opinion on the subject...

pigoo3
05-11-2017, 10:09 AM
Just wondered bcuz the 2016 mbp is so ludicrously expensive, despite the removal of a SD card and USB-C slots and magsafe!

Using United States pricing. I would agree that the 2016 13" MBP has increased quite a bit vs. earlier releases. I would disagree about the 2016 15" MBP being more expensive...it's actually less expensive than the previous four 15" MBP releases.:)

- Entry Level 13" 2016 MBP = $1799
- Entry Level 13" 2015 MBP = $1299
- Entry Level 13" 2014 MBP = $1299
- Entry Level 13" 2013 MBP = $1299

- Entry Level 15" 2016 MBP with dual graphics = $2399
- Entry Level 15" 2015 MBP with dual graphics = $2499
- Entry Level 15" 2014 MBP with dual graphics = $2499
- Entry Level 15" 2013 MBP with dual graphics = $2599
- Entry Level 15" 2012 MBP with dual graphics = $2599

In either case...I'm not sure I would use the term "ludicrously expensive". There are numbers a lot larger than these. "Ludicrously Expensive" (to me) for a 13" MBP would be something like $50,000! lol

- Nick

Cr00zng
05-11-2017, 07:59 PM
Using United States pricing. I would agree that the 2016 13" MBP has increased quite a bit vs. earlier releases. I would disagree about the 2016 15" MBP being more expensive...it's actually less expensive than the previous four 15" MBP releases.:)

- Entry Level 13" 2016 MBP = $1799
- Entry Level 13" 2015 MBP = $1299
- Entry Level 13" 2014 MBP = $1299
- Entry Level 13" 2013 MBP = $1299

- Entry Level 15" 2016 MBP with dual graphics = $2399
- Entry Level 15" 2015 MBP with dual graphics = $2499
- Entry Level 15" 2014 MBP with dual graphics = $2499
- Entry Level 15" 2013 MBP with dual graphics = $2599
- Entry Level 15" 2012 MBP with dual graphics = $2599

In either case...I'm not sure I would use the term "ludicrously expensive". There are numbers a lot larger than these. "Ludicrously Expensive" (to me) for a 13" MBP would be something like $50,000! lol

- Nick

I've purchased my 2013 MBP for US$1,499.00 at the end of 2013, the price difference was due to extending the memory to 8GB and 256GB PCIe-based Flash Storage. There was no Windows based laptops that had PCIe storage option and not many with the SSD option back in 2013. The latter one had been more expensive than the MBP by anywhere between $300-500, for the same or 512GB storage, depending on the OEM. While I did not want a MBP, the PCIe storage made my decision easier. That, and I had some clients lining up, who had Macs.

Fast forward to 2016, and to some extent to 2017, where the MBP didn't receive much hardware improvement, if any. The price increase of 500 bucks for the 13" with touch bar is not justified in my view ("Ludicrously Expensive"), other than paying the Apple-tax. At the same time, OEMs, did catch up with Apple. Windows laptop hardware with PCIe storage option in addition to touch screen, similar to my 2013 MCP, can be had for ~1,200 bucks (US $). I am not certain what Apple intends to do with the MBP, other than pricing the MBP out of the market. I for one rather get a Windpows laptop with similare hard for less, much less...

chscag
05-11-2017, 09:26 PM
There was an interesting article today in the Macworld Daily update comparing the latest Apple notebook computers to the popular Microsoft Surface Pro models. They compared hardware and also prices and value. The latest Apple MacBook Pros were definitely one up on the MS machines, however, they are about $300 to $500 more expensive.

I was in our local Staples store this afternoon browsing around and looking at the latest laser printers. I had a chance to look over the latest Dells, HP, and the Surface Pro models. (This particular Staples does not carry Apple computers, only the iPads.) I have to admit I was impressed with the HP models and what they had to offer for the price. The only thing that turned me off very quickly was Windows 10.

Cr00zng
05-12-2017, 09:21 AM
There was an interesting article today in the Macworld Daily update comparing the latest Apple notebook computers to the popular Microsoft Surface Pro models. They compared hardware and also prices and value. The latest Apple MacBook Pros were definitely one up on the MS machines, however, they are about $300 to $500 more expensive.

And that price difference may disappear, if an when the display option is changed. For example, the very nice and comparable to MBP Dell XPS default display is 1920x1080 or FHD. Choose the optional 3200x1800 (QHD), that's a $300 option. It's the same that OEMs did with SSDs and later with the PCIe storage option. Do you want something that is really good? Well, pay up... By now, the SSD/PCIe storage options are pretty much becoming a standard. Once the QHD display option becomes the default, the Windows laptops will be no brainier.

That's not to say that the default display is bad. It's just that nowadays the default display option is too old in my view...


I was in our local Staples store this afternoon browsing around and looking at the latest laser printers. I had a chance to look over the latest Dells, HP, and the Surface Pro models. (This particular Staples does not carry Apple computers, only the iPads.) I have to admit I was impressed with the HP models and what they had to offer for the price. The only thing that turned me off very quickly was Windows 10.

The applications determine the platform first and foremost, the personal preference comes in second. I use both platforms, but my preference is the Mac for number of reasons. On the other hand, if you remove all of the "telemetry functions" from Windows 10 Pro, it is just as fast as the MBP. I have a 5 years old Thinkpad pro with Windows 10 Pro that starts up just as fast, if not faster than my MBP from 2013...

Alwyn
05-15-2017, 03:29 AM
I am sure I'm not alone in already having Adobe Flash. If I were to delete it would that remove the hidden malware if it's there. I think I downloaded it originally from Adobe and likewise all the updates but can't be certain.

harryb2448
05-15-2017, 06:05 AM
Just make sure it is up to date, currently version 25.0.00.171.

Alwyn
05-15-2017, 10:31 AM
I think it was me not 'Ashwin' who posted a question about Flash Player. My post has now vanished. There were 2 Flash Players showing on my desktop. The only option was eject so I tried dragging it to the trash but it didn't seem to be visible there. Anyway I found Flash manager and uninstalled Flash from there.

Slydude
05-16-2017, 01:21 AM
The two Flash players that you saw were probably disk images. This is a common way of distributing software. Dragging them into the trash is the same as using that method to eject disks. When that method is used they do not appear in the trash.

As to whether these were legitimate downloads. There no way to know if they were legit now.

cslogg
05-19-2017, 03:40 PM
I need help with this one.
I have an imac with latest os running Safari and Firefox browser.
Following advice I uninstalled Flash.
Trouble is when running my Virgin Media channels I am getting no picture.
Reinstalled Flash and picture returns.
Again following advice I installed Chrome and updated its version of Flash but again no picture.
All i am seeing where the picture should be is what looks like a broken picture in the top left picture.
So i cannot yet get rid of Flash.

Raz0rEdge
05-19-2017, 03:53 PM
There are many sites that still depend on Flash to show videos. In most cases, running the latest version of Chrome will get you what you need, but you have to make sure that Flash is enabled in Chrome..

In Chrome, go to Settings by hitting CMD+, and then click Show Advanced Settings at the bottom. Now click on Content Settings under the Privacy section. The fifth option in the pop-up should be Flash and see what your setting is. Mine is Block sites from running Flash with a few exceptions.

You would like add the Virgin Media as an exception.

I also have Adblock and uBlock Origin running to block ads, so while Flash videos will play on some sites, all ads (Flash or otherwise) are blocked..

cslogg
05-19-2017, 04:23 PM
I have followed your settings but now i am getting "device could not be detected" message when clicking to watch a Virgin channel.

cslogg
05-24-2017, 03:21 AM
Sorry to bring this up again but i still cannot resolve this.
Looks like i cannot use Chrome to watch Virgin Anywhere online.
On Firefox which is my preferred browser i can only get a small picture and no full screen.
On Safari the selected channel does not load at all just get "loading" icon.
It does seem to be only Virgin Anywhere that i have these problems.

Randy B. Singer
05-24-2017, 04:39 AM
Sorry to bring this up again but i still cannot resolve this.
Looks like i cannot use Chrome to watch Virgin Anywhere online.
On Firefox which is my preferred browser i can only get a small picture and no full screen.
On Safari the selected channel does not load at all just get "loading" icon.
It does seem to be only Virgin Anywhere that i have these problems.

Let's start from scratch and see if we can fix the problem.

Quit any browsers you have installed.

Download this uninstaller, and use it to completely uninstall the copy of Flash that you currently have installed:
http://helpx.adobe.com/flash-player/kb/uninstall-flash-player-mac-os.html

Now download this full Flash installer from this Adobe site (instead of using the get.adobe.com/flashplayer/ site).
http://fpdownload.macromedia.com/pub/flashplayer/latest/help/install_flash_player_osx.dmg
Use it to install a complete fresh copy of Flash Player.

Now, if you have Safari, make sure that Flash is enabled in Safari:
Choose Safari menu --> Preferences
Click the Security tab.
Make sure that Enable JavaScript is selected.
Make sure that Allow Plug-Ins is selected.
Next to Allow Plug-ins, click Manage Website Settings
Select Adobe Flash Player in the far left column.
In the "When visiting other websites” menu, choose Allow.

If you have Firefox, it should use the latest version of Flash that you have installed automatically. If it doesn't, you have to tell it to in:
Firefox menu --> Preferences --> Applications

See if that helps.

cslogg
05-24-2017, 05:20 AM
Did all of the above but still no progress.
Safari is the same, just get loading screen on selecting channel.

In Firefox ,Flash does not even appear in the Applications section you mentioned although it is in the plug ins? section and "always activate" next to it.
Then channel does play but on a tiny screen, if I can only get the screen bigger I will be happy.
There is an icon to make the screen bigger within the tv picture but I get no response when clicking on it.

Randy B. Singer
05-24-2017, 06:26 AM
Did all of the above but still no progress.

Okay, let's try a different tact.

Download this free, very modern browser:

Brave (free)
https://www.brave.com/

You shouldn't have to do anything to it, just run it and see how it handles the Web site you are trying to access.

cslogg
05-24-2017, 07:14 AM
Getting the same results with Brave as with Safari.
only difference is in brave I do not get a "loading" message when clicking on a channel, just a blank white square.
brave works fine with youtube and bbc iplayer though.
Maybe its not Flash but the actual Virgin site ?

cslogg
05-24-2017, 01:46 PM
I an an idiot.
Stumbled on the Firefox solution.
I should be double not single clicking on the icon to go full screen.
Cannot figure out the Safari problem though.
Probably do not need Safari and Brave so will probably ditch one.

Randy B. Singer
05-24-2017, 09:44 PM
Stumbled on the Firefox solution.

Well, I'm glad that it worked in one of the browsers you tried!

Sometimes my experience also is that something will only play or render in one browser. That's one of the reasons that I keep a number of them installed and handy.

harryb2448
05-25-2017, 02:04 AM
Randy in your vast experience, how much actual trouble is caused by busing genuine Flash software compared to the pages and pages of reports, type etc written about it?

Randy B. Singer
05-25-2017, 07:49 AM
Randy in your vast experience, how much actual trouble is caused by busing genuine Flash software compared to the pages and pages of reports, type etc written about it?

A few years back there were a number of nasty bits of malware based on Flash, and at that time it looked like Flash was going to be an endless vector for new infections.

To their credit, Adobe has been *excellent* about getting out updates to Flash as quickly as possible to patch against active malware and potential vulnerabilities. It's not like tons of Mac users were infected by Flash-based malware. It's more like a bit of Flash malware would show up/be identified, it would be patched a day or two later, and then it would disappear completely.

About three years ago Apple sent out an update for the MacOS that totally disabled older, vulnerable versions of Flash, forcing folks to update to a newer version of Flash (if they decided to continue using Flash) that had very much increased security. Since then, there have been no new Flash-based malware examples released into the wild (or at least no ones that have made any headlines, because they weren't successful), and Adobe has continued to quickly update Flash as soon as they have become aware of potential vulnerabilities. Sometimes updating Flash several times in the same month.

So, as long as you keep Flash updated (and you can set Flash to auto-update), Flash seems to be extremely secure at this point.

However, one big problem is that there is malware (Trojan Horses, such as Genieo) that masquerades as legitimate Flash updates. Folks go to a compromised Web site, they see a pop-up that says that they need to download a Flash update, and they click on "yes," infecting themselves. Technically this isn't a Flash problem, but if you have already decided that you don't want to install Flash on your Macintosh, you probably wouldn't be tricked by this. The good news is that most of these bogus Flash updates are simply adware, rather than real malware. They don't do anything truly malicious, they just serve up ads, and they are pretty easy to remove with something like AdwareMedic or EtreCheck. And you can avoid a fake Flash installer by simply never updating Flash any way other than through Flash's System Preferences control panel (which can be set to automatic), or by downloading it directly from Adobe's Web site.

The thing is, the call to be "Flash-free" may be a bit premature for many folks. There are a ton of Web sites that still use Flash. (Turn off Flash and visit your favorite News site, and see what happens.)

harryb2448
05-25-2017, 05:45 PM
Thank you that is how I have read it with a lot of the 'scare' threads being quite out of date.

pm-r
05-25-2017, 07:31 PM
Thank you that is how I have read it with a lot of the 'scare' threads being quite out of date.


+1 agreed!!!!

And thanks for the post Randy. Maybe some "stamp out Flash" advocates could read and heed it and maybe learn something. :\

And a lot of things have changed and improved since Steve Jobs wrote his famous anti-Adobe-Flash piece. And yet, almost related, Apple still often ships new Macs with their mice configured to only work as a single-buttoned mouse, so some things seem to never change.





- Patrick
======

Randy B. Singer
05-26-2017, 12:04 AM
And thanks for the post Randy. Maybe some "stamp out Flash" advocates could read and heed it and maybe learn something.
======

Well, please don't get me wrong. I do think that Flash for multimedia on Web sites should be stamped out. In fact, it is very close to being there now. If you surf the Web on an iPhone or an iPad (neither of which support Flash), it's surprising how few sites one hits that actually require Flash. Just three years ago one encountered Web sites that couldn't do without Flash routinely. In fact, it's mainly because of the iPad that so many Web sites no longer require Flash. Just after the release of the iPad, pundits thought that iPads were going to mostly replace personal computers, and Webmasters rushed to update their Web sites.

But I don't think that Flash is a security risk at this point, and there are still plenty of Web sites that continue to require Flash. If you like the news, pron, or streaming movies, you probably should have Flash installed. I think that Flash is currently safe to use, and that one can continue to use it until there is no longer any need for it.

Also, I don't think that Flash is going to disappear entirely. Flash is used in a lot of programs for children, for instance, and I don't think that's going to change anytime soon. So don't look for Adobe to End Of Life Flash.

Randy B. Singer
05-26-2017, 12:11 AM
And yet, almost related, Apple still often ships new Macs with their mice configured to only work as a single-buttoned mouse, so some things seem to never change.

If you want to start a different thread on mice (i.e. pointing devices), I have a lot to say on the topic. I think that Apple's mice are an invitation to repetitive stress injuries. They look cool, but aren't ergonomic at all. I hear from folks all the time asking what to do about aching wrists due to using a mouse. Since my wife suffers from repetitive stress, we've tried a lot of different pointing devices and I can recommend some good ones.

pm-r
05-26-2017, 12:32 AM
If you want to start a different thread on mice (i.e. pointing devices), I have a lot to say on the topic.


No thanks, but I'll agree how bad Apple's mice are, at least for my use, and just leave it at that.

They just don't work well with my body due to some "body capacitance" or something I apparently don't have enough of.

My Logitech wireless USB M705 Marathon Mouse and a good quality mouse pad suits me just fine thanks and it's physical buttons work as expected and I don't have to breath on my fingers to provide some body moisture the Apple mouse may seemingly need in order to work. Besides they also have too much delay and lag if and when they might decide to work.

Anyway, enough about mice here…. :Smirk:




- Patrick
======