/build/static/layout/Breadcrumb_cap_w.png

Apple, XProtect and Flash

Starting with MacOS X 10.6 Apple has included a piece of anti-malware software known as XProtect. XProtect works by blocking certain plugins from running in Safari and has recently been the cause of Java not working for many MacOS users. Unfortunately Apple does not do a good job of notifying users why a plugin was disabled and they either just get a notice that the plugin was blocked or that they need to install a newer version. Most recently, Apple has now required that Flash Player be the most recent version (11.5.502.149 as of this writing). If your KBOX has not received that version of Flash Player for patching then even if your computers have been updated with patching, then your users will be affected by XProtect blocking older versions of the plugin. 

I have put a few things in place to determine versions of Flash Player and XProtect on our systems:

1. Custom inventory rule showing Flash Player version:
I couldn't seem to determine the version of Flash Player installed on our MacOS systems in the inventory so I added a software item with the following custom inventory rule:
PlistValueReturn(/Library/Internet Plug-Ins/Flash Player.plugin/Contents/version.plist, CFBundleShortVersionString, TEXT)

2. Custom inventory rule showing XProtect version and last updated date:
XProtect isn't actually an application so it doesn't show up in the Inventory. It does have a plist file that we can use to get the version, however. The following rule shows the version and when it was last updated:
PlistValueReturn(/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist, Version, NUMBER) AND PlistValueReturn(/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist, LastModification, TEXT)

Using these two fields you should be able to create a report showing machines that have XProtect that has been updated since February 7th, 2013 (when Apple updated to needing Flash Player  11.5.502.149) and have a version of Flash that is lower than that. 

Some additional notes on XProtect:

XProtect updates itself daily, as far as I can tell by looking at it's LaunchDaemon plist file.

Here are a couple of good posts talking about XProtect:
http://security.thejoshmeister.com/2011/11/how-to-update-apples-safe-downloads.html
http://managingosx.wordpress.com/2013/01/31/disabled-java-plugins-xprotect-updater/

The second one includes a script that changes the XProtect settings to allow older versions of Java and also disables XProtect from updating itself. 


Comments

This post is locked
 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ