Apple Safari users who have been holding out on the latest Adobe Flash Player update now have little choice in the matter.
In order to address security vulnerabilities, Apple is now blocking older versions of Adobe Flash Player in its proprietary Safari Web browser. (Google Chrome and Mozilla Firefox are not affected.)
However, Apple's recommended solution could actually expose users to malware in the form of fake Flash Player updates. Fortunately, there's a workaround.
Until users install the latest version of Flash Player, a common plug-in for videos and browser-based games, they will be unable to access any content — for example, YouTube — that makes use of it.
When Safari users who don't have the latest version of Flash Player installed navigate to a website that needs it, they'll see a gray screen with a "Blocked Plug-In" warning.
This notification prompts users to download and install the latest version of the plug-in, effectively withholding content until they comply.
Flash! Ahh ahh
Exploiting weaknesses in Adobe Flash Player is one of the most common ways for hackers to get hold of users’ personally identifiable information.
Adobe regularly updates Flash Player to stay one step ahead of would-be information thieves. This process requires some user participation as well. In this case, Apple has adopted a fairly heavy-handed approach to ensure consumer compliance.
The idea underlying the decision is simple enough: The newest version of Flash "[helps] protect users from a recent vulnerability," according to Apple's own support document. Requiring updated Flash will help keep user complaints (and their subsequent escalation to tech support) to a minimum.
Apple allows a grace period of two days before Safari starts blocking content for users with outdated plug-ins. Then Mac OS X's built-in malware protection program, XProtect, prevents Safari users from accessing Flash until they download the latest update.
Still, Apple's solution brings its own problems.
First, Apple tells users to respond to the out-of-date alert kicked up by the blocked plug-in warning, and to press the "Download Flash…" button included in the alert in order to upgrade.
That's a big no-no. Such fake Flash Player alert boxes with embedded links are used by cybercriminals to lure unwary users to install malware on their computers.
It wouldn't take much for a hacker to rig up a fake blocked-Flash alert with a link that went to a fake Adobe site, and in fact similar scams have plagued Mac users in the past.
Instead of clicking on the alert box, users should go to get.adobe.com/flashplayer/ for the latest version.
The second issue affects developers. Each new version of Flash brings subtle changes in the program’s code and performance. Videos, games and applications that run on Flash are usually optimized for a certain version of the program.
An update will rarely hamper functionality from a user side, but may affect how a developer continues to update his or her creation. By restricting the versions of Flash usable on Safari, Apple likewise restricts the fine control that developers have over their work.
To check which version of Flash you have installed, use Safari to browse to www.adobe.com/software/flash/about. Alternatively, just try to access a page that runs on Flash (YouTube is always a good bet) and wait for the prompt.