I mentioned yesterday in my overview of Safari 12 that Apple’s prolonged lack of updates to XProtect data files left this new version open to exploits of old versions of Adobe Flash Player. Here are more details.
XProtect has been responsible for a group of important security functions, among them ensuring that Internet Plug-Ins are kept up to date. Prior to March this year, updates to XProtect’s data files, specifically its XProtect.meta.plist file, specified the minimum version number of several widely-used third-party plugins, including those for Silverlight, Oracle Java Applets, and Adobe Flash Player.
Previously, you may well have experienced XProtect disabling one of those plugins when the installed version fell below that required in the latest XProtect data. Apple often kept the requirement for Flash Player, in particular, at or close to the latest release, to ensure that users were not exposed to its many vulnerabilities.
The last version of XProtect.meta.plist, 2099 pushed on 13 March 2018, set the following minimum versions for those plugins:
- Silverlight Plugin: 5.1.41212.0
- Oracle Java Applet Plugin: 220.127.116.11
- Flash Player: 18.104.22.168
The current version of the Flash Player plugin is now 22.214.171.124.
Because there have been no updates to XProtect data in the six months since version 2099 was pushed, Safari 12 and earlier are quite happy for you to use any version of Flash Player from 126.96.36.199 onwards. Although Safari 12 displays the version currently installed, it doesn’t draw the user’s attention to the fact that that may be months out of date, nor does XProtect block the use of such old versions, so long as they’re 188.8.131.52 or later.
It’s hard to know just how risky it is to still be using Adobe Flash Player 184.108.40.206, although it did at least patch one major vulnerability which was being exploited back in February of this year. According to one report, Flash Player 220.127.116.11 and earlier are vulnerable to a stack-based buffer overflow which can be used to execute arbitrary code, detailed in CVE-2018-5002, which is rated CRITICAL.
Among the many updates which Adobe has made to Flash Player since version 18.104.22.168 are its mitigations for Spectre and Meltdown, at least five vulnerabilities which can disclose information, rated as Important, and that Important vulnerability which could result in remote code execution.
Flash use is rapidly declining, but many Mac users still have old Flash Player plugins installed. It is thus easy to forget to keep those up to date. XProtect used to make us update, or it would disable the plugin; without updates to its data it has stopped doing that.
It is worrying that many users have already upgraded to Safari version 12 while they are still using old and vulnerable versions of the Flash Player plugin. As Mojave doesn’t appear to have changed XProtect’s reliance on its data files, many will also upgrade to Mojave blissfully ignorant of how vulnerable they remain to old Flash exploits.
Apple either needs to update XProtect’s data, or to provide an effective mechanism for enforcing protection from vulnerabilities in old browser plugins like Flash Player.