updated 12:03 am EDT, Fri July 11, 2014
Latest version for Snow Leopard and higher now required for Flash to work
Following an emergency patch issued by Adobe yesterday for a vulnerability in Flash Player and Adobe AIR, an upgrade the company deemed "critical" for users, Apple is now blocking all un-upgraded versions of the plug-in in Safari, though the warning dialog will take users to the Flash Installer page where they can obtain the patched version. Users of OS X 10.6 and higher must be running version 220.127.116.11 in order for the Flash plug-in to work normally. Windows and Linux users are also affected by the flaw.
The issue revolves around a bug in Flash that could allow hackers to read data from browsers after users visit popular websites where Flash writes cookie data. The cookies themselves are not compromised, but the website retains the data in a flawed manner that hackers could collect after a user visits, compromising the sites themselves. Among the sites affected were Twitter, Tumblr, eBay, Instagram and many others.
Users who use Google Chrome do not have to manually update the plug-in for that browser, as it is automatically updated. Even if the Flash plug-in is disabled, users should still upgrade to the latest version, as applications that rely on Adobe AIR are also affected by the flaw.
The few remaining pre-Snow Leopard users are advised to check Adobe's Flash page for version 18.104.22.168, which should allow the browser to operate. The more recent v14.x update is available for OS X 10.6 and later, and Windows XP and later. The newest version for Linux is 22.214.171.124, which also contains the emergency patch.
While no known instances of attacks using this vector have been seen "in the wild," Apple and Adobe considered the flaw serious enough to (respectively) block older versions of the plug-in and strongly advise users to upgrade. Adobe has been working with major websites to protect against attacks on the website end, as the flaw could conceivably allow attackers to take control of some sites.
Users with out-of-date Flash plug-ins will be met with a message saying, "Blocked plug-in," "Flash Security Alert" or "Flash out-of-date" when attempting to access Flash content in Safari, notes AppleInsider. The vulnerability was first discovered by Google engineer Michele Spagnuolo, and extends to previous versions of Flash as well (apart from the updated 126.96.36.199 version mentioned earlier).