hoakley September 20, 2018 Macs, Technology

How XProtect now leaves Safari 12 open to Flash and other exploits

I mentioned yesterday in my overview of Safari 12 that Apple’s prolonged lack of updates to XProtect data files left this new version open to exploits of old versions of Adobe Flash Player. Here are more details.

XProtect has been responsible for a group of important security functions, among them ensuring that Internet Plug-Ins are kept up to date. Prior to March this year, updates to XProtect’s data files, specifically its XProtect.meta.plist file, specified the minimum version number of several widely-used third-party plugins, including those for Silverlight, Oracle Java Applets, and Adobe Flash Player.

Previously, you may well have experienced XProtect disabling one of those plugins when the installed version fell below that required in the latest XProtect data. Apple often kept the requirement for Flash Player, in particular, at or close to the latest release, to ensure that users were not exposed to its many vulnerabilities.

The last version of XProtect.meta.plist, 2099 pushed on 13 March 2018, set the following minimum versions for those plugins:

Silverlight Plugin: 5.1.41212.0
Oracle Java Applet Plugin: 1.8.51.16
Flash Player: 28.0.0.161

The current version of the Flash Player plugin is now 31.0.0.108.

flashversion

Because there have been no updates to XProtect data in the six months since version 2099 was pushed, Safari 12 and earlier are quite happy for you to use any version of Flash Player from 28.0.0.161 onwards. Although Safari 12 displays the version currently installed, it doesn’t draw the user’s attention to the fact that that may be months out of date, nor does XProtect block the use of such old versions, so long as they’re 28.0.0.161 or later.

It’s hard to know just how risky it is to still be using Adobe Flash Player 28.0.0.161, although it did at least patch one major vulnerability which was being exploited back in February of this year. According to one report, Flash Player 29.0.0.171 and earlier are vulnerable to a stack-based buffer overflow which can be used to execute arbitrary code, detailed in CVE-2018-5002, which is rated CRITICAL.

Among the many updates which Adobe has made to Flash Player since version 28.0.0.161 are its mitigations for Spectre and Meltdown, at least five vulnerabilities which can disclose information, rated as Important, and that Important vulnerability which could result in remote code execution.

Flash use is rapidly declining, but many Mac users still have old Flash Player plugins installed. It is thus easy to forget to keep those up to date. XProtect used to make us update, or it would disable the plugin; without updates to its data it has stopped doing that.

It is worrying that many users have already upgraded to Safari version 12 while they are still using old and vulnerable versions of the Flash Player plugin. As Mojave doesn’t appear to have changed XProtect’s reliance on its data files, many will also upgrade to Mojave blissfully ignorant of how vulnerable they remain to old Flash exploits.

Apple either needs to update XProtect’s data, or to provide an effective mechanism for enforcing protection from vulnerabilities in old browser plugins like Flash Player.

14Comments

Add yours

1

alvarnell on September 20, 2018 at 6:41 am

It is not unusual for Apple to fail to block Flash Player vulnerabilities until an exploit is found in-the-wild. I always read the Adobe Security Bulletins for each update to see what the macOS threat is and don’t recall having seen any that would demand blockage recently. That doesn’t mean that an exploit has been developed and deployed, of course, just that I haven’t read about it.

LikeLike
- 2
  
  hoakley on September 20, 2018 at 9:57 am
  
  Thanks, Al.
  So CVE-2018-5002 isn’t a significant consideration for Mac security? Although the report cited only refers to it being knowingly exploited on Windows, as far as I can see from Adobe and others, Flash Player for macOS was equally vulnerable before the update.
  Howard.
  
  LikeLike
  - 3
    
    alvarnell on September 21, 2018 at 4:54 am
    
    Apple doesn’t seem to be very upset about 3rd party vulnerabilities that haven’t been exploited. They have been known to act quite swiftly when informed of an in-the-wild Flash Player macOS threat, though.
    
    LikeLiked by 1 person
    - 4
      
      hoakley on September 21, 2018 at 6:25 am
      
      I suppose that is consistent with the approach of XProtect and MRT in dealing with known and established malware, rather than trying to address the risk of novel malware. Maybe the rumoured new protection will be more predictive and less reactive?
      Howard.
      
      LikeLike
5

Metin on September 20, 2018 at 9:43 am

I have removed Flash from my Macs a year or so ago, and I haven’t missed even once. I can only recommend to remove it.

LikeLike
- 6
  
  hoakley on September 20, 2018 at 9:53 am
  
  If you can do so, I agree. But there are still plenty of people with Flash installed, and some of them do still need it for certain sites too. Shockingly, the UK educational sector has been very slow to migrate from almost total dependency on it: I’m not sure whether it has been cleaned from all sites yet.
  Howard.
  
  LikeLike
7

Tony on September 21, 2018 at 11:09 pm

I think you make a valid point about Flash. Having been through the pain/abuse of introducing a mechanism to force users to maintain a recent version of Flash (rather than reactively block known exploits), it’s a shame that Apple has let this slip.

I removed Flash from my Mac a couple of years ago and haven’t missed it. However, I know that a lot of educational software was produced using Flash and that market does move more slowly (for a variety of understandable reasons); that risk is likely real.

LikeLiked by 1 person
8

cade on September 22, 2018 at 1:27 am

just makes me want to say / once again: wtf apple??? getting old, Howard, getting old.

fyi: macintouch has similar discussion going about safari 12 and disabled extensions; one comment in particular: people will switch to other browsers if they/we can’t customize safari in a way that works for the user, not a forced narrow band imposed by apple. again: wtf apple?

LikeLiked by 1 person
- 9
  
  alvarnell on September 22, 2018 at 1:33 am
  
  Actually, Apple was behind Firefox by maybe a year in the matter of disabling problematic extensions. Most of this is related to extensive privacy concerns from users who are more than willing to give up customization in exchange for preventing data exhilaration.
  
  LikeLiked by 1 person
10

alvarnell on September 28, 2018 at 3:43 am

An updates to XProtect v2100 was posted at 2018-09-28T00:13:38Z. If you have enabled automatic updates, you should see them within 24 hours of that time.

The only change was to raise the minimum Flash Player plugin version to 31.0.0.108.

LikeLiked by 1 person
- 11
  
  hoakley on September 28, 2018 at 8:52 am
  
  Thank you, Al: noted, checked here, and I agree that it has augmented the Flash Player requirement.
  I’m afraid that I was asleep when Apple first started pushing the update!
  Howard.
  
  LikeLike
- 12
  
  Daalbeck on October 6, 2018 at 8:11 pm
  
  Question: does anyone know if it is possible somehow to restore v2099 from a time machine backup? v2100 seem to cause some issues on my side. The “normal” way does not seem to work – time machine says it cannot be replaced since it is currently used by MacOS.
  
  LikeLiked by 1 person
  - 13
    
    hoakley on October 6, 2018 at 8:36 pm
    
    I think that you’ll have to do that when booted from another volume, either an external drive or in Recovery mode.
    The only change between 2099 and 2100 is the change in the version of Flash Player required – everything else is identical. Perhaps those other issues are not due to the change in XProtect data?
    Howard.
    
    LikeLike
  - 14
    
    alvarnell on October 6, 2018 at 9:35 pm
    
    I am 100% with Howard that whatever issue you are having isn’t related to the latest XProtect unless you are running an old, vulnerable version of Flash Player. Don’t waste time trying to revert to 2099.
    
    LikeLiked by 1 person