4 Replies Latest reply: Apr 5, 2012 1:12 PM by etresoft
EastCoastFan Level 1

I've just heard via the BBC:




that there is a fake flash upgrade doing the rounds.


It came up on my iMac today, before I read the BBC article! I tried to download it, and it appeared to download, then stated that it couldn't download.


So I don't know if my iMac is infected or not.


Apple seem to refer:




to newer computers than mine.


Does anyone have a clue re this?  I'd appreciate some advice!

iMac, Mac OS X (10.5.8)
  • etresoft Level 7

    The Apple media frenzy du jour is actually unrelated to fake Flash installers. Plus, the report of half a million infected machines is just a made-up number that is impossible to verify. When Apple news spikes, everyone wants a share of that advertising traffic for themselves.


    If you are really worried, and I wouldn't be, you can verify by running Terminal.app and typing:

    cat ~/.MacOSX/environment.plist


    That file shouldn't exist for most people and it shouldn't have anything about DYLD_INSERT_LIBRARIES.


    Unfortunately, the legitimate Flash update script is indistinguishable from a fake one. If you see that dialog, cancel it, and then download a Flash update directly from Adobe.

  • MrHoffman Level 6

    Of course there are fake Adobe Flash updaters.  There have been fake updaters for years. 


    There are and have been fake LinkedIn mailings.  There are fake AT&T bills with big numbers. 


    Fake iWork software for download.  


    Fake CODECs and fake video players. 


    And this is before you get to bugs in the real Adobe Flash and bugs in Java and bugs in Safari and other software found on OS X.


    This is nothing new.


    Security is an on-going requirement.


    This means complete backups, multiple ("deep") copies (as backup media can fail), and preferably disconnected.  Your backups are one of the easiest and best paths to recovery when your system is breached, and preferably a copy of the backup that predates the breach, and has been kept offline.


    Using proper passwords and/or certificates, of course. 


    On all users that can log into your systems. 


    On your gateway router and firewall.


    Not downloading "codecs" or "players" from any site other than the original source of the tool. 


    There are a number of download sites around, and various of those sites are busily optimizing themselves to the top of Google search results.  Downloading tools from sources other than from the original producer or from producer-designated sites can have additional risk; you're not necessarily getting (just) what you expect.  If you didn't go looking for the tool yourself, do not download it.  With OS X, look to use the Mac App Store as your source.


    Don't click on links embedded in mail you've received, even if it looks to be a trusted source.  This includes social media messages received via mail, including LinkedIn mail and AT&T bills, etc.


    This means ensuring you have proper firewall and VPN configurations, as well as checking your logs.


    Maintaining current versions of Java, Safari and Adobe Flash Player, as well as other installed software.  Verifying that any web-facing tools you're using (client or server) are current.


    Disabling the automatic opening of "safe" files, and disabling Java access in the browser (or not installing it), and disabling (or removing) Adobe Flash Player, are all normal and expected practice, here.


    As for your original question (and the download is for Java and not Adobe Flash Player), there's a Terminal.app sequence that's been posted by F-Secure to investigate whether your OS X clients have been infested by the so-called OSX/Flashback.K malware.  It's definitely a little arcane, if you're not familiar with Terminal.


    This Java stuff and the various Adobe Flash Player malware is far from the first Mac malware that's been around, and it certainly won't be the last.

  • etresoft Level 7

    Sorry about my old eyes and old iPad. This is what you should type and then see:


    user227-135:~ jdaniel$ cat ~/.MacOSX/environment.plist

    cat: /Users/jdaniel/.MacOSX/environment.plist: No such file or directory
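
The check described in the replies above, written as a script. This is an added example, not something posted by anyone in the thread; the function names `check_env_plist` and `check_all_users` and the return codes are assumptions made here.

```shell
#!/bin/sh
# Added example: looks for the per-user environment.plist discussed above
# and for a DYLD_INSERT_LIBRARIES entry inside it.
# check_env_plist / check_all_users are hypothetical helper names,
# not Apple or F-Secure tools.

# Returns: 0 = file absent (the expected state for most users)
#          1 = file present, no DYLD_INSERT_LIBRARIES entry
#          2 = file present and mentions DYLD_INSERT_LIBRARIES (investigate)
check_env_plist() {
    home_dir=${1:-$HOME}
    plist="$home_dir/.MacOSX/environment.plist"

    if [ ! -e "$plist" ]; then
        echo "OK: $plist does not exist"
        return 0
    fi

    # -a forces text mode so a binary-format plist is searched too
    if grep -a -q 'DYLD_INSERT_LIBRARIES' "$plist"; then
        echo "SUSPICIOUS: $plist mentions DYLD_INSERT_LIBRARIES:"
        # Print the matching line and the one after it; in an XML plist
        # the library path is the <string> that follows the <key>.
        grep -a -A 1 'DYLD_INSERT_LIBRARIES' "$plist"
        return 2
    fi

    echo "NOTE: $plist exists but has no DYLD_INSERT_LIBRARIES entry"
    return 1
}

# Run the check for every home directory under a base path (default /Users)
# and return the most serious result seen. Needs read access to each home.
check_all_users() {
    worst=0
    for d in "${1:-/Users}"/*; do
        [ -d "$d" ] || continue
        rc=0
        check_env_plist "$d" || rc=$?
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}
```

Source the file and call `check_env_plist` with no argument to check your own account, or `check_all_users` from an administrator account to cover every user on the Mac.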