
Suspected Fake Flash Player Installer download from Real Adobe Website - MacOS--

New Here, Feb 08, 2020

I recently noticed a major change in the behavior of my Adobe Flash Player Installer.  It WAS downloaded from the Adobe Website.  I am concerned that I am somehow being redirected from the legitimate Adobe download site to a bogus download server.  I am concerned that I now have a malware infection.

 

The problem developed after I responded to what seemed like a legitimate screen notice that my Flash Player was outdated and needed to be updated.  I did not update from that notification window. I instead closed that window, then I directly accessed the Adobe Home Page, from where I linked to:  https://get.adobe.com/flashplayer/.  I have always updated directly in this manner.

 

I am on a Mac.  Running OS 10.14.6 after recently upgrading from OS 10.12.6.  

 

Since December 2018, I had been using the flash player installer for Version 32 for the Mac which downloads from the  Get Adobe Flashplayer website:    "AdobeFlashPlayer_32_ast_install.dmg"

 

The path to that file was:  (viewing file with Mac "GetInfo" command)

https://get.adobe.com/flashplayer/download/?installer=FP_32_Mac_for_Safari_and_Firefox_-_NPAPI&os=OS...

https://admdownload.adobe.com/bin/live/AdobeFlashPlayer_32_ast_install.dmg, 

 

Recently after upgrading to OS 10.14.6, I was prompted to update Flash to the most current version (32.0.0.321).  I ran my existing "AdobeFlashPlayer_32_ast_install.dmg" installer, but it would not work.   So I went back to the  "https://get.adobe.com/flashplayer/" webpage and downloaded a new installer assuming the installer needed updating.  

 

The new installer download from Adobe was labeled:   "install_flash_player_osx.dmg".  

 

The different format of the file name was concerning, but I rechecked that I was on the correct Adobe website (not a fake) and viewed the file path for the download.  It was different, but seemed legitimate:

 

https://get.adobe.com/flashplayer/download/?installer=FP_32_Mac_for_Safari_and_Firefox_-_NPAPI&stype...

https://fpdownload.adobe.com/get/flashplayer/pdc/32.0.0.314/install_flash_player_osx.dmg

 

Note: the older file downloaded from "https://admdownload.adobe.com" and the newer installer downloaded from "https://fpdownload.adobe.com"

 

I started getting concerned however when I launched the new installer.  Using "install_flash_player_osx.dmg", the text, sequence of steps, the download bars and graphic designs were considerably different from all prior install experiences.  Some screenshots:

 

One.png

Two.png

Three.png

Four.png

This last "Update preferences" graphic was most alarming.  The design is so different from prior installs.

 

Another difference is that the previous Flash Version 32 installer ("AdobeFlashPlayer_32_ast_install.dmg") is only 803KB in size.  The most recent installer ("install_flash_player_osx.dmg") is 14.5MB in size.

 

Another difference:  I own multiple Macs and the install behavior for Flash 32.0.0.321 was different on my other Macs.   For computers running 10.12.6, the "AdobeFlashPlayer_32_ast_install.dmg" installer downloads from Adobe.  On my Mac running 10.14.6 (which I believe is now infected,) the "install_flash_player_osx.dmg" installer downloads from the same Adobe webpage.  

 

On the 10.14.6 Mac, it looks like I am being redirected each time I land on the "https://get.adobe.com/flashplayer/" download page. The redirection occurs immediately after the page loads.  The URL at the top of the page does not change, but the "Install Now" button (which appears linked to the "AdobeFlashPlayer_32_ast_install.dmg" installer) will switch immediately from an "Install Now" button to a "Download now" button linked to the different, larger "install_flash_player_osx.dmg" installer.

 

On my 10.14.6 mac, the page loads like this:

Page Loads Like This.png

 

...then changes to this:  The "Install" button changes to a "Download" button linked to a different server.

 

Page Changes to This.png

 

The redirection does not happen on my Macs running 10.12.6.  I can still download the  "AdobeFlashPlayer_32_ast_install.dmg" installer.  And again, the installation process is very different.

 

Can someone from Adobe advise whether both installers are legitimate?  Is the redirection normal? Are the different installers and install behavior required for the different operating systems?   And have I somehow downloaded a fake installer that needs to be removed?  Do I have malware?  What should I do next?

 

Thank you for reading through all of this.  I would appreciate your help.

 

 

 

 


1 correct answer: Adobe Employee, Feb 11, 2020

Legend, Feb 10, 2020

Looks normal enough to me. Screen shots 1 and 3 especially are a normal result of changing security requirements in macOS, in more recent systems than your older one. You are, however, wise to be very cautious, Flash installers are being used on a huge scale to attack systems.

Adobe Employee, Feb 10, 2020

Hi,

 

Thank you for the detailed message and screenshots.

 

Can someone from Adobe advise whether both installers are legitimate?  Is the redirection normal? Are the different installers and install behavior required for the different operating systems?   And have I somehow downloaded a fake installer that needs to be removed?  Do I have malware?  What should I do next?

 

The installer you're getting from fpdownload.adobe.com server is legitimate.  The smaller size file is the online shim installer, that downloads and installs Flash Player silently in the background.  The larger size file is the full installer.  Both are legitimate and no, the installers downloaded from adobe.com servers do not have malware.

 

--

Maria

Adobe Employee, Feb 11, 2020

We have a set of "online" shim installers that are small and grab the payload in the background, and "offline" installers with the full payload.  Both file sizes seem about right, but file sizes aren't a useful indicator of integrity or authenticity. 

 

I'm also getting the 14.5MB installer when I download Flash Player using Safari on MacOS 10.15.3.  The current version is Flash Player 32.0.0.330 (we just updated).  I pulled the 32.0.0.321 bits down from the archive page and if you still have the suspect file, my values should probably match yours.  (The file is named a little different in the archive of old versions, which you'll see in the output below, but it should be the same bits.) 

 

When I validate the code signature, I see that the signature is valid and signed by Adobe.  This guarantees that the binary was unmodified, that Adobe published it, and in this instance, that Apple issued the signing key to Adobe.

 

me@machine 32_0_r0_321 % codesign -dv --verbose=4 flashplayer32_0r0_321_mac.dmg
Executable=/Users/me/Downloads/fp_32/32_0_r0_321/flashplayer32_0r0_321_mac.dmg
Identifier=Install Adobe Flash Player 32
Format=disk image
CodeDirectory v=20200 size=317 flags=0x0(none) hashes=1+6 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=ff321f4ee2cc05255373f0d9b4cc10084b68a104
CandidateCDHashFull sha256=ff321f4ee2cc05255373f0d9b4cc10084b68a1046bfda46e626ff18e36134f73
Hash choices=sha256
CMSDigest=ff321f4ee2cc05255373f0d9b4cc10084b68a1046bfda46e626ff18e36134f73
CMSDigestType=2
Page size=none
CDHash=ff321f4ee2cc05255373f0d9b4cc10084b68a104
Signature size=8976
Authority=Developer ID Application: Adobe Systems, Inc. (JQ525L2MZD)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jan 12, 2020 at 4:35:15 PM
Info.plist=not bound
TeamIdentifier=JQ525L2MZD
Sealed Resources=none
Internal requirements count=1 size=192

 

For what it's worth, we have a really strict set of controls and defense-in-depth measures in place to ensure that only legitimate files get pushed to our servers (more accurately, to thousands of nodes across a global content distribution network), and we continuously scan those individual servers to ensure that the only things that are there match what we expect to be there.  It's a responsibility that we take very seriously and we've made huge investments in people and technology to ensure that our distribution services are trustworthy.

 

Hope that helps!
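
One way to script the signer check from the reply above, as an added example that is not part of the original thread and is not Adobe's tooling. The function names (check_signing_info, verify_dmg, sample_output) are hypothetical; the team ID and Authority lines are taken from the codesign output quoted in the reply. Note that `codesign -dv` only displays signing data, so the wrapper runs `codesign --verify` first.

```shell
#!/bin/sh
# Added example, not Adobe's tooling: pin the signer of a downloaded DMG
# instead of judging it by file name or size.

# Team ID as it appears in the codesign output quoted in the reply above.
EXPECTED_TEAM="JQ525L2MZD"

# Reads `codesign -dv --verbose=4` output on stdin. Succeeds only if the team
# ID matches and the chain is exactly: Developer ID leaf for that team ->
# Developer ID Certification Authority -> Apple Root CA.
check_signing_info() {
    awk -v team="$EXPECTED_TEAM" '
        /^TeamIdentifier=/ { tid = substr($0, 16) }
        /^Authority=/      { auth[++n] = substr($0, 11) }
        END {
            leaf = auth[1]; suffix = "(" team ")"
            ok = (tid == team) && (n == 3) &&
                 (index(leaf, "Developer ID Application: ") == 1) &&
                 (substr(leaf, length(leaf) - length(suffix) + 1) == suffix) &&
                 (auth[2] == "Developer ID Certification Authority") &&
                 (auth[3] == "Apple Root CA")
            exit(ok ? 0 : 1)
        }'
}

# macOS only. `-dv` merely displays signing data, so run --verify first to
# confirm the seal is intact; codesign prints the -dv details on stderr.
verify_dmg() {
    codesign --verify --verbose=2 "$1" || return 1
    codesign -dv --verbose=4 "$1" 2>&1 | check_signing_info
}

# Constructed sample: the identity lines from the output quoted above.
sample_output() {
    cat <<'EOF'
Identifier=Install Adobe Flash Player 32
Format=disk image
Authority=Developer ID Application: Adobe Systems, Inc. (JQ525L2MZD)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=JQ525L2MZD
EOF
}

if sample_output | check_signing_info; then echo "signer matches pinned team"; fi
```

On a Mac, `verify_dmg ~/Downloads/install_flash_player_osx.dmg` returns 0 only when the seal verifies and the signer matches the pinned team ID; an unsigned or differently signed image fails regardless of its name or size.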
