How to determine if a Flash update notification is legitimate
Flash update notifications may show up when you are browsing the Web, and it may be nearly impossible to determine if they are legitimate or lures to get you to install malware.
Adobe Flash Player and Reader are some of the most popular Web plug-ins, and as a result malware developers commonly use them as a disguise for their programs. The recent Flashback malware is one example: it was originally released as a fake update to Adobe Flash, and it confused a number of Mac users, who installed it thinking it was a legitimate update they needed.
To notify Flash and Reader users of available updates, Adobe's software displays a notice that new software is available. If you see such a notice, however, how will you know whether the update is legitimate or an attempt to install malware?
To the keen eye, it is sometimes relatively easy to spot a fake installer based on how the installer file is packaged (such as being distributed in a ZIP file as opposed to a DMG image) or how it looks. The giveaway can be a generic orange installer package icon instead of Adobe icons, or, once the installer is opened, typos, misaligned interface elements, and other nuanced details that distinguish it from the real thing.
At other times, identifying a fake may be a bit harder. In recent coverage of the Flashback variants over the past few months, you can see how easily fake Flash installers can look like the real thing.
Such determinations may take a keen eye at times, especially since malware developers quickly change these elements and thereby make them impossible to reliably describe for identification. Therefore, if you are browsing the Web and see a notice pop up about the need to update Reader, there are several things you can do.
- Do not trust it
Immediately be skeptical of any automatic software update, especially those for Flash or Reader. Instead of accepting it and downloading the update, check the interface for any apparent typos or grammar errors, and if you find any, close it. Additionally, check online with a Google search (or, more reliably, by visiting Adobe's support site) to see if any updates have been recently issued.
- Standalone application
Adobe's updates are automatically distributed via utilities such as Update Adobe Flash Player, which are run from the Adobe Flash Player Install Manager program that is installed when you install Flash or Reader. To see if this program is what is running, right-click the installer icon in the Dock and select the option to show it in the Finder.
If the program is in your downloads folder, or somewhere in your user account, then do not trust it and throw it out. However, if it is in the /Applications or /Applications/Utilities/ folder, then it suggests the program is legitimate, since installing to these locations would first require a username and password (as is needed when installing Flash for the first time).
- Quit your browser
Often malware will be presented as a download from within a specially crafted browser window that displays a Web page intended to look like a program running on your system. If you see a notice to install Flash and it goes away when you quit your Web browser, this is a good indication that it is not legitimate and is likely an attempt to lure you into downloading malicious software.
If you observe these three steps when dealing with an automatic update window that suddenly appears, you should be able to better avoid malware attempts on your system.
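The location check from the "Standalone application" step can be scripted as follows. This is an added example, not part of the original article; the function names, output labels, and sample paths (including the `alice` home directory) are assumptions. It compares path text only, so a look-alike folder name or a `..` detour does not pass as /Applications.

```shell
#!/bin/sh
# Lexically normalise an absolute path: collapse "//", "." and "..".
# No filesystem access, so it works on a path copied from the Finder.
normalize_path() {
    out=""
    old_ifs=$IFS; IFS=/
    set -f                              # no globbing while splitting
    for part in $1; do
        case $part in
            ''|.) ;;                    # skip empty components and "."
            ..)   out=${out%/*} ;;      # step back one component
            *)    out="$out/$part" ;;
        esac
    done
    set +f; IFS=$old_ifs
    printf '%s\n' "${out:-/}"
}

# Classify an updater bundle by the article's rule (labels are hypothetical):
#   user-location     : anywhere inside the home directory, e.g. Downloads
#   expected-location : directly in /Applications or /Applications/Utilities
#   unknown           : anywhere else; the article gives no rule for these
classify_updater() {
    path=$(normalize_path "$1")
    home=$(normalize_path "$2")
    parent=${path%/*}                   # folder that holds the bundle
    case $path in
        "$home"/*) echo "user-location"; return ;;
    esac
    case $parent in
        /Applications|/Applications/Utilities) echo "expected-location" ;;
        *) echo "unknown" ;;
    esac
}

# Constructed sample paths, not taken from the article.
while IFS= read -r p; do
    printf '%-18s %s\n' "$(classify_updater "$p" /Users/alice)" "$p"
done <<'EOF'
/Applications/Utilities/Adobe Flash Player Install Manager.app
/Users/alice/Downloads/FlashPlayer.app
/Applications/../Users/alice/Library/Update.app
/Applications Backup/Install Flash.app
EOF
```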
As a final note, the easiest method by far for avoiding malware attempts when updating your programs (any software, and not just Adobe's) is to avoid the automatic update solutions altogether. Instead, enable them to notify you when an update is available, and then only download the update directly from the developer. By doing this you will be sure the software you download is legitimate and up-to-date. In the case of Adobe's products, you can easily get them from the following Web pages: