Safari users enjoy protection against Flash exploits

May 29, 2015 13:28 GMT

With the Flash Player browser plugin now the most frequently targeted component in web-based attacks, Apple has decided to have Safari block Flash content whenever the installed version of Adobe’s plugin is out of date.

Starting Wednesday, trying to view Flash content in Safari with any version of Flash Player other than the latest one triggers an alert stating that the plugin is outdated and insecure and needs to be updated.

Older Flash can still be used, but the process is annoying for the average Joe

The notification comes under different messages (“Blocked plug-in,” “Flash Security Alert,” or “Flash out-of-date”), and clicking on it shows the following information:

“The version of this plug-in on your computer does not include the latest security updates and is blocked. To continue using ‘Adobe Flash Player’ download an update from Adobe.”

To make things easier on the user, the alert includes a button that opens Adobe’s page with instructions on getting the newest version of the software, Apple's advisory notes.

However, as some users may need older versions of Flash, Apple still allows them to be used through Safari’s Internet plug-in management settings. The plugin is then enabled per site, each time a website requiring it is visited, so the user decides case by case whether the page asking for Flash can be trusted.

Such a scenario is not intended for the average user, who would rather update Flash than deal with alerts every time they land on a website, but for researchers and developers.
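The policy described above (block any Flash version older than the latest, unless the user has explicitly enabled the old plugin for a specific site) is easy to get wrong when versions are compared as strings. The following is an added example modelled on that policy, written here for illustration; it is not Apple's code and Safari's actual check is internal to the browser. It assumes the caller supplies the "latest" version string, that plugin descriptions look like the "Shockwave Flash 17.0 r188" or dotted "17.0.0.188" forms, and that per-site overrides are a plain Set of hostnames; all sample versions and hostnames are constructed.

```javascript
// Added example, not Apple's or Adobe's code. Models Safari's "block outdated
// Flash unless the user enabled it for this site" policy described in the article.

// Parse a version out of a plug-in description or version string.
// Handles the dotted form Adobe uses ("17.0.0.188") and the
// "Shockwave Flash 17.0 r188" form some browsers expose in
// navigator.plugins; the "rN" field is treated as the build number (assumed).
// Returns [major, minor, patch, build] or null if no version is present.
function parseFlashVersion(description) {
  if (typeof description !== "string") return null;
  const dotted = description.match(/(\d+)\.(\d+)\.(\d+)\.(\d+)/);
  if (dotted) return dotted.slice(1, 5).map(Number);
  const navStyle = description.match(/(\d+)\.(\d+)\s+r(\d+)/);
  if (navStyle) return [Number(navStyle[1]), Number(navStyle[2]), 0, Number(navStyle[3])];
  return null;
}

// Numeric, field-by-field comparison. A plain string comparison would rank
// "9.0.0.0" above "17.0.0.188" and let an ancient plugin through.
// Returns -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Decide what to do with Flash content on `hostname`.
//   installed: plug-in description/version string from the browser, or null
//   latest:    the most recent version Adobe ships (supplied by the caller; assumed)
//   allowed:   Set of hostnames the user explicitly enabled the old plugin for
// Returns "not-installed", "allowed", "allowed-by-user" or "blocked".
function flashPolicy(installed, latest, hostname, allowed = new Set()) {
  const have = parseFlashVersion(installed);
  if (!have) return "not-installed";
  const want = parseFlashVersion(latest);
  if (!want) throw new Error("latest version string is malformed: " + latest);
  if (compareVersions(have, want) >= 0) return "allowed";
  // Out of date: blocked unless the user opted in for this specific site,
  // which is the per-site exception the article says Apple leaves open.
  return allowed.has(hostname) ? "allowed-by-user" : "blocked";
}

// Constructed sample inputs (not real telemetry).
const LATEST = "17.0.0.188";
const userAllowed = new Set(["dev.example.test"]);
console.log(flashPolicy("Shockwave Flash 17.0 r188", LATEST, "news.example.test"));            // allowed
console.log(flashPolicy("Shockwave Flash 17.0 r169", LATEST, "news.example.test"));            // blocked
console.log(flashPolicy("Shockwave Flash 17.0 r169", LATEST, "dev.example.test", userAllowed)); // allowed-by-user
console.log(flashPolicy("9.0.0.0", LATEST, "news.example.test"));                              // blocked
console.log(flashPolicy(null, LATEST, "news.example.test"));                                   // not-installed
```

The per-site allowlist is the weak spot in such a scheme: once a hostname is in it, a compromised or malvertising-laden page on that host reaches the old plugin without any further prompt, which is why the article frames the exception as something for researchers and developers rather than everyday browsing.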

Flash plugin is the most frequent target of web-based attack tools

Blocking outdated Flash is meant to reduce the risk of malware infection through drive-by attacks that exploit vulnerabilities in the plugin. Users often delay applying the latest available update and remain exposed in the meantime.

In a blog post this week, security researchers at FireEye reported a malicious campaign that exploited CVE-2015-0359, a vulnerability in Flash patched by Adobe about two weeks ago, in an update that addressed a total of 18 security holes.

The exploit code was delivered by the Angler exploit kit, and the payload it downloaded was the Bedep Trojan, a piece of malware built for click fraud that can also pull additional threats onto the infected computer.

Drive-by attacks, carried out through malicious code placed on legitimate sites either via malvertising or by compromising the site directly, have increased lately, and an unpatched Flash Player is the browser component cybercriminals target most often.