Malware for macOS, another reason to avoid Adobe Flash!

There's not a single reason that anyone should be installing Adobe Flash on their machine, if you absolutely need to use Flash for a website then consider using the Flash that comes bundled with Chrome. If the website complains that the version of Flash is not new enough, I think it's time to move on from that website.

A new malware that has been around for a long time in the Windows world has recently jumped over to the macOS world. This one is sneaky since this particular Adobe Flash Installer zip file contains a legitimate copy of Flash installer and while installing that, it also installs the backdoor covertly.

If, despite all reason, you absolutely need Adobe Flash, then only download it directly from Adobe's site. However, realize that Adobe itself has stopped working on Flash and is strongly suggesting getting away from it.

Read more: https://9to5mac.com/2017/05/05/windows-backdoor-malware-disguises-itself-as-adobe-flash-on-macos/

Thanks Ashwin, I haven't had Adobe flash installed for a long time. I avoid Flash sights altogether.

I say where's McBie?

Ah ... Harry, I just found this thread

Flash should die ..... swiftly and with style.

Flash and Java are the worst nightmare when it comes to vulnerabilities and threats.
I tried silver bullets and all that but somehow, ( for a reason that is beyond me ) Flash is still alive.

Otherwise ... I love Adobe.

Hold on a second here ..... is this true ?

Raz0rEdge said:

... However, realize that Adobe itself has stopped working on Flash and is strongly suggesting getting away from it./

Click to expand...

Maybe my prayers have been heard

Cheers ... McBie

McBie said:

Hold on a second here ..... is this true ?

Maybe my prayers have been heard

Cheers ... McBie

Click to expand...

Yeah when Apple completely went away from it a couple of years back, Adobe threw the towel in and said yes Flash is a resource hog and has security issues and no we aren't going to fix any of it, so stop using it..to paraphrase, of course

Flash is esxzential for those of us running educational programs alas. Time you came up with an alternative McBie

For mine problems only come about when folks do not update via System Preferences or allowing Adobe to do automatic updates.

harryb2448 said:

Flash is esxzential for those of us running educational programs alas. Time you came up with an alternative McBie
.

Click to expand...

In terms of " alternatives " , I can only speak for myself and I have been Flash and Java free for a long time now. Not missing it at all.
I have not even bothered looking for alternatives. If I stumble across Flash based content, I immediately skip it. Don't need it and I don't want it.

I do understand that there is still a lot of Flash enabled solutions being used that will be hard to replace.

For me, Flash should die, swiftly and .......

Cheers ... McBie

I believe Adobe Flash came installed with my new Mac because I don't remember installing it. When I come upon a website that needs Flash, Safari warns me if I want to enable Flash. When I look up Adobe Flash on Spotlight search I get "Adobe Flash Player Management Uninstaller". With all the reports on Adobe Flash, I don't want it installed on the Mac. Is that the proper way to uninstall Adobe Flash from the "Adobe Flash Player Management Uninstaller" that I'm seeing?

Yes, use the uninstall routine that comes with the Adobe Flash Player. If for some reason you need to access a site that uses Flash, switch your browser to Chrome temporarily to view that site. Chrome has its own version of Flash built in which is safe to use.

Thank you chscag, Uninstalling now. Good to know about Chrome.

iosAppDevDream said:

Honestly. IMHO, there is zero trust that there is no or little malware for macs. I believe more malware experts are trained in windows than mac.

If you google malware forums, you will find numerous malware forums dedicated to windows.

Since the user base for OS X is so small compared to windows, sure, most people may probably just target windows, but, this also means less testers for OS x, so it could just be that more zero days exist for os x which just not have been discovered yet. Less malware detected does not mean there actually is less malware for macs !

I can see more people targeting vulnerabilites in java and flash now, to ensure all OS's are covered.

Click to expand...

Which is why, some users here, myself included, recommend using a Standard User account, and only using an Admin User account when needed.

iosAppDevDream said:

Does it really make a difference though ?

Bcuz the admin's account could still possibly be extracted. Whether logged in or not.

Click to expand...

Not sure I understand what you mean.
Can you elaborate a bit more please ?
I am always interested to learn something new.

Cheers ... McBie

I don't understand what is meant by, "admin account could still possibly be extracted"?

And for those you need to use Flash, the latest version has just been released - 25.0.0.171

Ian

Raz0rEdge said:

There's not a single reason that anyone should be installing Adobe Flash on their machine, if you absolutely need to use Flash for a website then consider using the Flash that comes bundled with Chrome. If the website complains that the version of Flash is not new enough, I think it's time to move on from that website.

A new malware that has been around for a long time in the Windows world has recently jumped over to the macOS world. This one is sneaky since this particular Adobe Flash Installer zip file contains a legitimate copy of Flash installer and while installing that, it also installs the backdoor covertly.

If, despite all reason, you absolutely need Adobe Flash, then only download it directly from Adobe's site. However, realize that Adobe itself has stopped working on Flash and is strongly suggesting getting away from it.

Read more: https://9to5mac.com/2017/05/05/windows-backdoor-malware-disguises-itself-as-adobe-flash-on-macos/

Click to expand...

Quote from the referenced link...

Having used a valid developer’s certificate, the malware was set to run free on macOS even with Gatekeeper enabled.

Click to expand...

I don't intend to stand up for Flash, quite the opposite, but...

This malware had been made possible by exploiting the developer's certificate and not Flash in itself. This is on Apple, who manages the developers' certificate and they let this one slide by.

You could name any other programs on the macOS that could also be exploited by a valid developer's certificate.

Again, I am not protecting Flash here and does deserve to die, but this malware is not one of the reason...

ferrarr said:

Which is why, some users here, myself included, recommend using a Standard User account, and only using an Admin User account when needed.

Click to expand...

When the software, like Flash, requires admin user account and password, logging in with a standard user account is little use. The OS will prompt the end user to enter the admin account credentials. If the malware is any good, it'll capture the admin credentials as they are entered right then.

That's not to say I disagree with you about logging in with standard user account. Quite the opposite, On my system, I do it regardless if it is macOS, Windows, or Linux. I also set up my clients with Mac on the same way. However, doing so provides limited protection since it is bypassed by the end user if and when software is installed...

Good point about using a Standard account. It's OK to use it but as noted, an admin password is required to do certain installations and updates. And any malware that wants to be installed has to go thru an admin which means entering the password anyway.

Using a standard account in Windows is good procedure but I'm not so sure it's really needed when running OS X.

chscag said:

Using a standard account in Windows is good procedure but I'm not so sure it's really needed when running OS X.

Click to expand...

In my view, standard account is a good practice on both platform...

The user account control will pop up on both platforms, if and when admin account credentials are required. This is a nag, especially at the time the end user knowingly installs software. On the other hand, if and when malware downloaded through the browser and tries to install itself, at least the pop up will be an alert for the end user. This will take place regardless, if the standard or admin account logged in. The difference is that, if the admin is logged in and the pop up is suppressed, the malware can continue installing itself. While I doubt that there's a malware that would suppress the pop up on the macOS, there are number of them on the Windows platform. As more and more malware converted for macOS, including the suppressing account control pop up will make its way there too.

Just my opinion on the subject...

Angel Knockoff said:

Just wondered bcuz the 2016 mbp is so ludicrously expensive, despite the removal of a SD card and USB-C slots and magsafe!

Click to expand...

Using United States pricing. I would agree that the 2016 13" MBP has increased quite a bit vs. earlier releases. I would disagree about the 2016 15" MBP being more expensive...it's actually less expensive than the previous four 15" MBP releases.

- Entry Level 13" 2016 MBP = $1799
- Entry Level 13" 2015 MBP = $1299
- Entry Level 13" 2014 MBP = $1299
- Entry Level 13" 2013 MBP = $1299

- Entry Level 15" 2016 MBP with dual graphics = $2399
- Entry Level 15" 2015 MBP with dual graphics = $2499
- Entry Level 15" 2014 MBP with dual graphics = $2499
- Entry Level 15" 2013 MBP with dual graphics = $2599
- Entry Level 15" 2012 MBP with dual graphics = $2599

In either case...I'm not sure I would use the term "ludicrously expensive". There are numbers a lot larger than these. "Ludicrously Expensive" (to me) for a 13" MBP would be something like $50,000! lol

- Nick

pigoo3 said:

Using United States pricing. I would agree that the 2016 13" MBP has increased quite a bit vs. earlier releases. I would disagree about the 2016 15" MBP being more expensive...it's actually less expensive than the previous four 15" MBP releases.

- Entry Level 13" 2016 MBP = $1799
- Entry Level 13" 2015 MBP = $1299
- Entry Level 13" 2014 MBP = $1299
- Entry Level 13" 2013 MBP = $1299

- Entry Level 15" 2016 MBP with dual graphics = $2399
- Entry Level 15" 2015 MBP with dual graphics = $2499
- Entry Level 15" 2014 MBP with dual graphics = $2499
- Entry Level 15" 2013 MBP with dual graphics = $2599
- Entry Level 15" 2012 MBP with dual graphics = $2599

In either case...I'm not sure I would use the term "ludicrously expensive". There are numbers a lot larger than these. "Ludicrously Expensive" (to me) for a 13" MBP would be something like $50,000! lol

- Nick

Click to expand...

I've purchased my 2013 MBP for US$1,499.00 at the end of 2013, the price difference was due to extending the memory to 8GB and 256GB PCIe-based Flash Storage. There was no Windows based laptops that had PCIe storage option and not many with the SSD option back in 2013. The latter one had been more expensive than the MBP by anywhere between $300-500, for the same or 512GB storage, depending on the OEM. While I did not want a MBP, the PCIe storage made my decision easier. That, and I had some clients lining up, who had Macs.

Fast forward to 2016, and to some extent to 2017, where the MBP didn't receive much hardware improvement, if any. The price increase of 500 bucks for the 13" with touch bar is not justified in my view ("Ludicrously Expensive"), other than paying the Apple-tax. At the same time, OEMs, did catch up with Apple. Windows laptop hardware with PCIe storage option in addition to touch screen, similar to my 2013 MCP, can be had for ~1,200 bucks (US $). I am not certain what Apple intends to do with the MBP, other than pricing the MBP out of the market. I for one rather get a Windpows laptop with similare hard for less, much less...