For years, Flash Player has been a major vector for malware, and bogus Flash Player installers and updaters have served as Trojan horses to infect Macs and PCs. When there are vulnerabilities related to Flash Player, which happens often, it’s important to update your Flash Player plug-in—if you already have it on your Mac and are sure that you still need it.
But you may be wondering a few things, such as what the heck is a plug-in? How do you know if the version of Flash you have is the one that needs updating? And how can you make sure you’re as safe as possible when updating the software, given the constant flood of problems that are being reported? These are all valid concerns that we’ll clear up, putting your mind at ease when it comes time to update Adobe Flash Player.
Note that Adobe has announced that Flash Player will no longer be supported after December 31, 2020, and, while Flash Player content will not all disappear on that date, it has already become rare. So it’s fairly unlikely that you even need to use Flash Player anymore.
The safest way to view Flash content is to use Google’s Chrome browser, which has a built-in version of Flash Player, so you don’t have to worry about Flash updates. As long as you quit and restart your Chrome browser daily, the browser (and its embedded Flash Player) will automatically stay up to date.
But if you still want to use Flash Player, and want to ensure that you do so safely, read on.
What is a plug-in?
Let’s start with the basics. Plug-ins are software elements used by web browsers, often to display certain types of content such as Flash or Java. Sometimes these come with your operating system, but sometimes you have to add them when installing certain types of software. When it comes to plug-ins, it can be hard to know what you have installed or which version you have.
Adobe’s Flash Player was long one of the most popular plug-ins, used as a multi-platform tool to provide what is called “Active Content,” meaning it adds additional functionality to web pages for interactive or media-related capability. While Flash Player is due to be discontinued this year, and other technologies, such as HTML5, are used to provide the same type of content, you may still need to use Flash Player to view certain websites.
What’s the security concern with plug-ins?
Media designed to be viewed with Flash Player, or other platforms, can be embedded in web pages, and are accessible to users across all operating systems, which makes the software a popular attack vector for malware creators. For instance, it has been known for some time that Java is not particularly safe, but Flash has been so problematic that Apple stopped providing it with macOS. Steve Jobs penned a scathing open letter about Flash back in 2010, and this, along with the rise of iOS, which can’t run Flash Player, has contributed to its planned retirement.
Flash was not included on iOS, in part because of these security vulnerabilities, but also because of performance issues; Flash Player would use up the battery on an iPhone or iPad too quickly. Although this has helped decrease the options malware creators have for attacking iOS devices, Flash is still used on some websites, and users are often prompted to update their software.
Sometimes multiple updates to Flash Player can occur in the same month. Adobe notifies Flash users of new available updates by displaying a dialog. But when you see this type of dialog, how can you tell if the Flash update is valid or an attempt to install malware on your Mac?
How to verify which Flash version you have installed
The easiest way to check which version of Flash Player you have, and whether you need to update it, is to go to Adobe’s Flash Player Help web page.
You can also check in Safari by going to Safari > Preferences, then Websites. At the bottom of the left-hand column, you’ll see Plug-ins; if it is installed, Adobe Flash Player will show with its version number.
In Firefox, choose Firefox > Preferences, then click Extensions & Themes at the bottom of the sidebar. Flash Player is listed as Shockwave Flash; click this entry to see the exact version.
If you use Google Chrome, a version of Flash Player is included in the browser; you don’t have to worry about updates, because Chrome updates include updates to the plug-in. If you enter chrome://settings/content in Chrome’s address bar, you’ll find some Flash settings.
For other browsers, see Adobe’s Flash Player Help page.
How to know when you need to update Flash Player
First of all, if your browser has its own embedded Flash Player, then by updating your browser you’ll also update to the latest version of Flash Player. Google Chrome is the most popular browser that contains an embedded Flash Player, and it’s available for Mac, Windows, and Linux. Microsoft Edge also contains an embedded Flash Player, and it’s available for Mac and Windows; a Linux version is coming later in 2020. Note that for both of these browsers, Flash is actually disabled by default, and you can only enable it temporarily, so you’ll need to toggle a setting before you can use Flash content (see Google’s instructions for Chrome, or Microsoft’s instructions for Edge).
But if you’re using another browser that doesn’t have an embedded copy of Flash, and still supports plug-ins, you’ll need to update your Flash Player manually—and with caution—as detailed below.
As mentioned earlier, fake Flash Player updates have been used to install malware on both Macs and PCs. The best known example of a fake Flash update is the Flashback Trojan horse, which first masqueraded as a Flash Player installer package targeting Mac users. Over 600,000 Mac users installed the fake update to Adobe Flash thinking it was valid, thereby infecting their machines with malware.
And while Flashback was rampant nine years ago, a lot of recent malware has also attempted to masquerade as Flash Player installers, including many Shlayer variants.
It’s a very common trick to display dialogs that look like Flash Player update notifications, to trick people into downloading Trojan horses. If you see one of these, saying that your software is outdated and that you need to download and install a new version, you can check with Adobe to verify if an update is necessary. Go to Adobe’s Flash Player Help page, as mentioned above. If an update is available, it will tell you.
You can also check in System Preferences. Flash Player installs a preference pane; click it to see settings for the plug-in. If you click the Updates tab, you’ll see which version you have installed, and you can click Check Now to check for updates.
You may want to check Allow Adobe to install updates, which is more secure, but you run the risk of a problematic update being installed on your Mac. While it’s better sometimes to wait to ensure that updates are stable, with Flash Player it’s probably a good idea to get updates automatically, so you get them as soon as possible.
How to uninstall Flash Player
With all these worries about Flash Player, you might not want to bother with it. If you want to uninstall Flash Player, go to Adobe’s Uninstall Flash Player page for Mac or Windows. Download the uninstaller for your operating system, and run the uninstaller app. Most modern Macs will require the Flash uninstaller for macOS version 10.6 and later (direct download link), but Adobe also makes an uninstaller available for Mac OS X 10.4 and 10.5 (direct download link). There’s a single uninstaller for Windows (direct download link).
Why you should be careful with Flash Player updates
Malware authors will frequently employ tricky tactics to make malware look like something you should trust, so it’s important to get your updates only directly from the vendor that publishes them. You can head over to Adobe’s site for Flash Player updates, or, as mentioned above, update Flash Player through System Preferences. But in no case should you download a Flash Player updater from any other website.
It’s a good idea to always doubt the validity of automatic software update dialogs, especially those for Adobe Flash Player. When visiting a web page, if you are asked to install a program or plug-in on your computer, be very careful. There are legitimate reasons to do this, but in many cases these installations can be malicious. If you do want to install Flash Player, or any other plug-in, don’t download it from a random web page, and especially check your Downloads folder to see if an installer or disk image was downloaded automatically. (If you find any, delete them.)
With the number of security issues that have been associated with Flash Player, it is essential to keep this software up to date, as you should do with all your software. If you follow the instructions above, and only get your Flash Player updates for Adobe or have them installed via System Preferences, you’ll never again have to second guess the validity of a random Flash installer dialog.
How can I learn more?
Each week on the Intego Mac Podcast, Intego’s experts talk about important online safety, computer security, and privacy news, so be sure to subscribe to make sure you don’t miss any episodes. You’ll also want to subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news.