OFFICIAL SECURITY BLOG


Critical Flash vulnerability exploited and fixed!

Published February 7th, 2013 at 10:20 PM EST , modified February 7th, 2013 at 10:20 PM EST

Adobe announced today the release of a Flash Player update, fixing a vulnerability that they say is being exploited “in the wild” to drop malware on Macs. To cite an important portion of Adobe’s announcement, “Adobe is […] aware of reports that CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform.”

This indicates that Adobe is aware that some sites are hosting malicious Flash content that is causing malware to be downloaded and installed as a “drive-by download.” If this is in fact the case, this means that malware is being installed without any requirement for user interaction. It is unclear at this time what malware is being installed. Time will tell whether this is simply a new delivery method for some existing piece of malware, as was the case with the Flashback malware, or if the first new Mac malware of 2013 has just made its appearance.

Mac users with Flash installed should immediately update to the latest version, which is 11.5.502.149. If you do not have Flash installed (it is not installed by default), you have nothing to fear. (If you are not sure whether you have Flash installed, look for a Flash icon in the System Preferences app. If there isn’t one there, you don’t have Flash installed.)
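As an added example (not part of the original post), the following shell check compares an installed Flash Player's version against the fixed build named above, 11.5.502.149, and reports whether the machine still needs the update. The plug-in bundle path and the CFBundleVersion key are assumptions about where the OS X Flash plug-in of that era records its version; the version comparison itself works on any dotted version string.

```shell
#!/bin/sh
# Added example: is the installed Flash Player older than the fixed build?
# Assumption: the plug-in lives at this path and stores its version in
# CFBundleVersion of its Info.plist (labelled as an assumption, not from the post).
FIXED_VERSION="11.5.502.149"
FLASH_PLIST="/Library/Internet Plug-Ins/Flash Player.plugin/Contents/Info.plist"

# version_lt A B: succeed (exit 0) when dotted version A is numerically older
# than B. Components are compared as integers, so 11.5.502.149 sorts after
# 11.5.502.9, and a shorter string such as 11.5 counts as older than 11.5.0.1.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ap="${a%%.*}"; if [ "$ap" = "$a" ]; then a=""; else a="${a#*.}"; fi
        bp="${b%%.*}"; if [ "$bp" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ap="${ap:-0}"; bp="${bp:-0}"
        if [ "$ap" -lt "$bp" ]; then return 0; fi
        if [ "$ap" -gt "$bp" ]; then return 1; fi
    done
    return 1   # versions are equal, so not "less than"
}

# flash_status VERSION: print "not installed", "vulnerable" or "patched"
# for the given version string (empty string means no plug-in found).
flash_status() {
    if [ -z "$1" ]; then echo "not installed"; return 0; fi
    if version_lt "$1" "$FIXED_VERSION"; then echo "vulnerable"; else echo "patched"; fi
}

# installed_flash_version: read the version from the plug-in bundle; prints
# nothing when Flash is not installed (the check in the post: no plug-in, no risk).
installed_flash_version() {
    [ -f "$FLASH_PLIST" ] || return 0
    # `defaults read` takes the plist path without its .plist extension.
    defaults read "${FLASH_PLIST%.plist}" CFBundleVersion 2>/dev/null || true
}

echo "Flash Player: $(flash_status "$(installed_flash_version)")"
```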

Those reading this who also use Windows, or have friends who use Windows, should know that the same vulnerability is also being exploited on that system, making this update equally critical for Windows machines.


22 Comments

  • Gerard says:

    Thanks for the warning. Following you on Twitter to stay informed.

  • Someone says:

    Would you happen to know how to tell whether you have Flash on a PC?

  • Someone says:

    Thanks!

    Oh, and why exactly do you need Flash anyway? I don’t have it on my MacBook Air, and I’m fine without it…

  • Logan Smith says:

    Apple, using XProtect, has disabled all versions of Adobe Flash (except for the latest version with the security fix).

  • Colstan says:

    Thank you for the alert, Thomas. I haven’t had Flash installed on my Mac for over a year and don’t miss it. When Apple stopped shipping it with Lion, I dropped it as well. Other than a handful of videos that won’t play without Flash, I haven’t had a prompt for using it. Since this appears to be something that has been already exploited, it shows that keeping Flash updated won’t necessarily keep you safe. Java has been getting a lot of attention lately, but this is a reminder that Flash continues to be a substantial target.

    I’m of the belief that if the only reason you use Flash is for playing simple games or watching pointless videos, then it isn’t worth the security risk and should be uninstalled, or better yet, never installed to begin with.

    Yes, there are alternatives such as using a two-browser solution, but the sooner Flash (and Java) dies the better. Apple was wise to decouple these insecure technologies from OS X and I think it would be equally wise for Mac users to eliminate them from their daily use, unless they have no other choice. It’s also good to see that Apple is cracking down on insecure versions through their XProtect security feature.

  • Someone says:

    You’re preaching to the choir, Colstan. Hear, hear!!

  • Steve B. says:

    Thanks for the heads up, Thomas! Unfortunately, I use eIBD newspaper, which relies on Flash, so I have it installed.

    When I go to the System Preferences, and click on the Flash icon, I notice that I see 3 settings under “Local Storage Settings:”

    1. Allow sites to save information on this computer
    2. Ask me before allowing new sites to save information on this computer
    3. Block all sites from storing information on this computer

    First, is the “legitimate” form of this “information” a Flash Cookie?

    Second, if you were to select either option 2 or 3 from the above, would it prevent the drive-by Malware attack from occurring?

    I’m just trying to figure out if there’s any way I can tweak my system to be more hardened…

  • Steve B. says:

    BTW, how would we know if we’ve been infected by the malware?

    • Thomas says:

      No idea what malware is being installed on vulnerable machines at this point. I’m trying to find out, but at this point it’s still a bit of a mystery.

  • Steve B. says:

    Another question:

    Don’t you require Flash Player to view YouTube videos?

  • Al Varnell says:

    I’ve tracked the alert for CVE-2013-0634 back to Kaspersky, but nothing about it on their blog site yet.

  • Al Varnell says:

    [Sorry, delete the above, wrong reference, as that is the other Windows exploit.]

    The source for CVE-2013-0634 is listed as:

    * Steven Adair of the Shadowserver Foundation
    * W of the Shadowserver Foundation
    * MITRE
    * Lockheed Martin Computer Incident Response Team

    We may never know much more about this one.

  • aalien says:

    First, it’s a little sad that sites such as YouTube do not exploit HTML5 and exclude Flash players, or at least give an option to the user to choose between the two.

    Secondly, Safari (or any other browser and OS) should have an option to not load any content automatically… For instance, there could be a button (next to the address bar) to activate Flash Player (in this case) whenever the user wants, with just a click…

    To conclude, I’m happy with Apple because the browser automatically deactivated the Flash Player for me and notified me that it was outdated, BUT it actually doesn’t mean I hadn’t been infected, because while the bug existed there wasn’t an update and Safari would keep using the exploited version “in the wild”…

    I really must confess that I ALWAYS hated Flash and Java… and these feelings have been haunting me for years now! There’s simply a better option for web development, I think!

    Anyway, thanks for the feedback again! 😉

  • Someone says:

    Something folks should know about Flash: you don’t need it if you use Chrome. I love Chrome, and it runs websites w/o downloading Flash (or using Java)

    Cheers!!

  • Darren Kehrer says:

    I noticed that FP put another update out today… wow, that was really, really fast.

  • Someone says:

    Thomas: Seriously? Aw, shoot! So I’m just as vulnerable…

  • John says:

    FP must be reading your blogs, Thomas, as another update came through yesterday, 16/2/13: Plug-in version 11.6.602.167.
    I also wanted to thank you for your valuable information regarding Mac security etc., which has proven invaluable. I am aware of the enormous amount of your time you must give to provide this information for free and, not wanting to appear inappropriate, I would like to make a humble contribution to your work if that is acceptable.
    Cheers,
    John

  • aalien says:

    Someone: In Chrome, in the address bar type “chrome://plugins/”…
    Then you can enable or disable Flash Player only when needed. You can even save that address to the bookmark bar for fast access, as I do…

    I always have it disabled, when I need it I simply press the bookmark address and enable it in seconds…

  • Someone says:

    Thanks, aalien! God, why doesn’t Google tell you that stuff?
