17 Replies Latest reply on May 23, 2017 9:04 PM by damianm81962370

    Should a Flash Player installer image ever appear automatically on my Mac?

    xmlilley Level 1

      I'm running Mac OS 10.10.3, Chrome 43, Safari 8.0.6. I have Creative Cloud installed, and have Acrobat Pro, PS, Illustrator and some other tools installed. (Recently updated those to CC 2015, but not until after this situation arose.)

       

      Flash Player is installed. Flash Player Help says that I've got the latest on both Chrome and Safari. Which makes sense, as I had believed that Flash Player auto-updates itself. I have consciously permitted it to auto-update.

       

      But, I know that the 'Flash Player' identity is often used to induce people to install software they shouldn't install. I had believed that most of those risks were related to web-pages prompting downloads.

       

      And so, when a disk image recently appeared on my Mac, seemingly encouraging me to run the installer inside it, I'm worried, because it doesn't fit what I had heard about either safe or explicitly unsafe options. The disk image mounted itself without any involvement from me: I didn't request a download, and there were no dialogs asking if an update would be OK. It's called - logically enough - "Flash Player", and contains a file called "Install Adobe Flash Player". It first happened two weeks or so ago, and then again several days ago (June 24, my time). The first time, I simply closed the image. The second time, I grabbed a screen-capture at the time of what appeared:

       

      Voila_Capture 2015-06-24_19:04:36.png

       

      So, is this a legitimate pattern, to have a .dmg appear like this? When Flash Player says it's going to 'auto-update' does that mean it's just going to dump a disk image into my machine and wait for me to do the work? Is this image possibly a side-effect of a healthy, normal update, and it simply didn't clean up after itself?

       

      Now, I'm aware that there was recently a critical update to Flash Player. But, I seem to already have that latest, updated version already. Also, this first happened 2 weeks ago, then again. So, is this thing somehow part of the process of me getting normal updates, or... something else?

       

      (Since this is a community forum, I'll be explicit: have you yourself, dear reader, seen this exact behavior, and do you know for a fact that it's part of an approved and safe distribution? Opinions are wonderful, but what I really need are facts. Thank you!)

        • 1. Re: Should a Flash Player installer image ever appear automatically on my Mac?
          piyush2508 Adobe Employee

          Hi xmlilley,

           

          Autoupdate or silent update functionality does not mount any DMG to proceed with the update process. Are you sure the DMG was not mounted manually? Yes, we had a release to provide a security fix on June 23rd.


          Can you please perform the following steps to confirm if the Flash Player Installer popping up is legit and upload the screenshots:

          1. Press Spacebar on the 'Install Adobe Flash Player' app in the DMG to view the version which is trying to be installed. This version should be 18.0.0.194
          2. Go to Spotlight --> type Terminal, press Enter --> inside Terminal type codesign -vvd and drag and drop the app onto the Terminal window, so your query will be codesign -vvd <path to app>


          --

          Piyush

          • 2. Re: Should a Flash Player installer image ever appear automatically on my Mac?
            xmlilley Level 1

            Everything *looks* correct. But, no, I didn't do anything remotely related to downloading a new Flash installer that would explain how it would have been manually mounted. Not even once, let alone twice.

             

            Here's the 'GetInfo' on the installer:

            Voila_Capture 2015-06-29_20:30:39.png

             

            And here's the terminal output:

             

            Identifier=com.adobe.flashplayer.installmanager

            Format=bundle with Mach-O thin (i386)

            CodeDirectory v=20200 size=1280 flags=0x0(none) hashes=56+3 location=embedded

            Signature size=8524

            Authority=Developer ID Application: Adobe Systems, Inc.

            Authority=Developer ID Certification Authority

            Authority=Apple Root CA

            Timestamp=Jun 19, 2015, 12:48:46

            Info.plist entries=20

            TeamIdentifier=JQ525L2MZD

            Sealed Resources version=2 rules=12 files=38

            Internal requirements count=1 size=196


            ***********************************************


            On the surface, everything looks reasonable. Except for why the image is appearing automagically without any intervention. That's the one thing that worries me, unless there's some good reason why an image would be downloaded and mount that way. Repeatedly.


            The one other thing that seems wrong is the branding. I just downloaded the official adobe installer and the Finder window for the mounted image looks like this, completely different from what I posted from the other image that mounted itself:

            Voila_Capture 2015-06-29_20:42:06.png

            • 3. Re: Should a Flash Player installer image ever appear automatically on my Mac?
              xmlilley Level 1

              One conspicuous difference versus the official one I just downloaded is the file size: the installer on the one I downloaded (AdobeFlashPlayer_18_a_install.dmg) is 2.2MB. The mysterious one is 16.6MB.

               

              Note, the odd file path in the 'GetInfo' image above is because I made a copy of the image, in case it disappeared, and did GetInfo on the copy. The original one disappeared after a restart, and there's no seemingly-related .dmg to be found.

              • 4. Re: Should a Flash Player installer image ever appear automatically on my Mac?
                piyush2508 Adobe Employee

                The AdobeFlashPlayer_18_a_install.dmg is the official online downloader, which downloads and installs the Flash Player at runtime, and the other one, which is ~17MB, is our offline installer, but I am not sure whether this one has been downloaded from our webpages.

                 

                Can you also go to the Flash Player Help Page to confirm if the latest Flash Player of the version 18.0.0.194 is installed on your system. I don't know how, but you also have an offline installer downloaded on your machine and have mounted the DMG, which will pop up every time you log off and log on. If you feel suspicious about the DMG please go ahead, unmount and move this one to trash.

                 

                --

                Piyush

                • 5. Re: Should a Flash Player installer image ever appear automatically on my Mac?
                  TAK Level 1

                  Thanks for your post. I have been experiencing this exact same problem.

                  I have

                  • Latest system 10.10.4, on a macbook pro 2011
                  • Latest versions of all Adobe CC apps (but not all apps installed: Ps, Ai, Indd, Acrobat and a few video editing apps to name a few)
                  • Latest version of flash, installed from adobe website through their 1-2-3 step process only.
                  • Never downloaded Flash from any other source.

                  What i have to add is this:

                  This 'Shadow disk image' (or whatever it is), will appear randomly, but primarily after a system wake from sleep.

                  Sometimes MULTIPLE instances will appear on the desktop.

                  I have had this same behaviour on my work iMac (similar age as Macbook pro, similar specs, similar Adobe CC installation set)

                   

                  I also think this is a rogue application/malware.

                   

                  Next time i see it happen I'll follow Piyush's directions to post more relevant info, but thought it important to chime in here, cos i just noticed this weird disk image appear and again (i have yet to actually 'open' even the dmg that appears mounted on the desktop).

                   

                  It happened just now, and this is why i googled, and found ONLY THIS ONE THREAD, related to the issue. so it seems it is not yet well known about.

                   

                  Today 20/07/2015, I downloaded some update from adobe—illustrator.

                  finished my work, closed the laptop and left work.

                  Reopened the laptop a little later and find this disk image mounted on the desktop.

                  Trashed it

                  Thought this to be too common an occurrence so decided to google.

                  • 6. Re: Should a Flash Player installer image ever appear automatically on my Mac?
                    piyush2508 Adobe Employee

                    Hi TAK,

                     

                    The released version of Flash Player now is 18.0.0.203, if the build is older please unmount it and move it to trash.

                     

                    Thanks

                    Piyush

                    • 7. Re: Should a Flash Player installer image ever appear automatically on my Mac?
                      xmlilley Level 1

                      Forgive me, Piyush. I'm grateful for your time and assistance, but I think you're missing the point by focusing on the version numbers...

                       

                      You said earlier:

                      Autoupdate or silent update functionality does not mount any DMG to proceed with the update process

                       

                      Yet, we've got mounted DMGs we're not requesting or interacting with, and which have some odd characteristics like unusual logos/branding. So, either:

                      1. there's some automatic feature you're not aware of, which is mounting legitimate Flash Player updaters that are behaving in an unexpected way that looks risky, or:
                      2. there is a new security vulnerability loose in the wild that is pretending to be a legitimate Flash Player updater. In which case, we really need to let people know about it.

                       

                      We need to know which it is: #1, or #2?

                       

                      Thank you for anything you can do to clear it up.

                      • 9. Re: Should a Flash Player installer image ever appear automatically on my Mac?
                        piyush2508 Adobe Employee

                        Yes, in silent and autoupdate no disk is mounted on Mac. My guess is that maybe CC or Illustrator or any other product you are installing or updating is also updating Flash Player along the way, but using our offline installer, which is not unmounted later (this time) on the basis of the setup environment mentioned above, but I am not sure.

                         

                        Regarding the Logo, Adobe has revamped itself in terms of branding in context of looks of all products, hence you will see the new dark maroon Flash Logo instead of the old red one, please verify the new logo from here --> (Adobe Flash Player Install for all versions)

                         

                        If you see anything else suspicious about the installer please report it.

                         

                        In the end, if you are not sure where this build came from, please remove this installer from your system, as this mounted drive appears only if you are manually installing Flash Player using an offline installer.

                         

                        It is sure this did not come from any Flash Player Update Channel unless someone manually downloaded and launched the offline installer, which you have not done. So Please unmount and remove this from your system.

                         

                        Thanks

                        Piyush

                        • 10. Re: Should a Flash Player installer image ever appear automatically on my Mac?
                          xmlilley Level 1

                          Is there a link direct to the full 'offline installer' so that we could compare it to this one?

                          • 11. Re: Should a Flash Player installer image ever appear automatically on my Mac?
                            TAK Level 1

                            Follow the link in staff msg above: click install and you'll see the latest version number there: Version 18.0.0.203

                            • 13. Re: Should a Flash Player installer image ever appear automatically on my Mac?
                              jlbang Level 1

                              This is happening to me as well. I swear I saw it awhile back, 6 months ago, a year ago? But it has come back now.

                               

                              It's not clear to me exactly how to gather the necessary info. If I can get it to appear again, exactly what should I do?

                              • 14. Re: Should a Flash Player installer image ever appear automatically on my Mac?
                                dantaylr Level 1

                                I recently had this happen. An installer appeared on my desktop without warning. It happened once before and I trashed it but now I don't want to trash it until I know what caused it. "Get Info" doesn't reveal anything about the dmg and a quick spotlight search doesn't show me any dmgs that seem related to this.

                                 

                                I'm very confused where this came from. Any help on how to locate what created it? Adobe or Malware?

                                 

                                Screen Shot 2017-01-15 at 6.13.32 PM.png

                                • 15. Re: Should a Flash Player installer image ever appear automatically on my Mac?
                                  joshr45633117 Level 1

                                  Happened to me today, same as described by others.

                                  I noticed the app icon (within the mounted image) is just the generic white app icon, as shown in the screenshot below.

                                  Screen Shot 2017-02-18 at 12.02.28 PM.png

                                  However the code signature looks OK:

                                   

                                  Authority=Developer ID Application: Adobe Systems, Inc.

                                  Authority=Developer ID Certification Authority

                                  Authority=Apple Root CA

                                  Timestamp=Jan 30, 2017, 3:34:07 PM

                                  Info.plist entries=21

                                  TeamIdentifier=JQ525L2MZD

                                  ...

                                  Running 'hdiutil info' shows the DMG path and that it was mounted by the root (system) user:

                                   

                                  image-path      : /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/decryptedFile.dmg

                                  ...

                                  mounting user   : root

                                   

                                  That whole folder (/var/folders/.../T) is owned by the root user, and its contents are listed below:

                                   

                                  drwx------  2 root  wheel        68 Feb 13 09:54 .AddressBookLocks

                                  drwx------  2 root  wheel        68 Feb 13 09:54 .CalendarLocks

                                  drwxr-xr-x  2 root  wheel        68 Feb 14 23:57 FPInstallMountPoint

                                  drwxr-xr-x  3 root  wheel       102 Feb 14 23:57 FPUnpackPath

                                  drwxr-xr-x  2 root  wheel        68 Feb 14 23:57 PKInstallSandboxTrash

                                  drwxr-xr-x  2 root  wheel        68 Feb 14 02:53 TemporaryItems

                                  drwx------@ 2 root  wheel        68 Feb 13 09:54 com.apple.ctkd

                                  drwxr-xr-x  2 root  wheel        68 Feb 13 09:54 com.apple.wdhelper

                                  -rw-r--r--@ 1 root  wheel  18954147 Feb 14 23:57 decryptedFile.dmg

                                  -rw-------  1 root  wheel       222 Feb 15 04:25 xcrun_db

                                   

                                  Searching the web for "PKInstallSandbox" shows it's apparently part of the macOS system updater, which would suggest this may be a staging directory for a system auto-update.

                                   

                                  It's conceivable that Apple has integrated a 'partial' auto-update system for Flash, that mounts the image, since its security updates are really important but not all users take the time to download it.

                                   

                                  If that's the case, Adobe may not be aware of such a system; Apple should be contacted to find out if this is indeed an OS feature or not. For now I'm just going to unmount it.

                                   

                                  I find it weird that there'd be no accompanying notification/explanation for an unsolicited disk image.
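
Added example, not part of the post above: the `hdiutil info` check that post describes, written as a shell function that lists every attached image whose mounting user is not the given login user. The function name, the user `alex` and the sample listing are constructed; only the `image-path` and `mounting user` fields and the `decryptedFile.dmg` path come from the post, and the tab-separated device lines are assumed to follow the usual `hdiutil info` layout.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): find disk images that were attached by
# someone other than the logged-in user, from `hdiutil info` output on stdin.
# Output: mounting user <TAB> image path <TAB> volume ("-" if none was seen).
images_not_mounted_by() {
  awk -v me="$1" -F'\t' '
    function emit() {
      if (path != "" && user != me)
        printf "%s\t%s\t%s\n", (user == "" ? "?" : user), path, (vol == "" ? "-" : vol)
      path = ""; user = ""; vol = ""
    }
    # Each attached image starts with an image-path line.
    /^image-path[ ]*:/    { emit(); path = $0; sub(/^[^:]*:[ ]*/, "", path) }
    /^mounting user[ ]*:/ { user = $0; sub(/^[^:]*:[ ]*/, "", user) }
    # Device lines are tab separated; the last field is the mount point, if any.
    /^\/dev\/disk/ && $NF ~ /^\/Volumes\// { vol = $NF }
    END { emit() }'
}

# Constructed sample: one image the user opened, one attached by root from the
# temporary folder quoted in the post.
sample_hdiutil_info() {
  printf '%s\n' \
    'image-path      : /Users/alex/Downloads/notes.dmg' \
    'mounting user   : alex'
  printf '/dev/disk2\tGUID_partition_scheme\t\n'
  printf '/dev/disk2s1\tApple_HFS\t/Volumes/Notes\n'
  printf '%s\n' \
    'image-path      : /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/decryptedFile.dmg' \
    'mounting user   : root'
  printf '/dev/disk3s1\tApple_HFS\t/Volumes/Flash Player\n'
}

sample_hdiutil_info | images_not_mounted_by alex

# On a Mac:
#   hdiutil info | images_not_mounted_by "$(id -un)"
```

A hit only says who attached the image and from where; copy the listed image file before ejecting it if you want to examine it later, since the thread notes it can be gone after a restart.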

                                  • 16. Re: Should a Flash Player installer image ever appear automatically on my Mac?
                                    kevenlupien Level 1

                                    I just had 2 of these pop up today. One "Install Adobe Flash Player" and the other "Install Adobe Pepper Flash Player". Here's the Terminal info followed by screenshots.

                                     

                                    Install Adobe Flash Player

                                    Executable=/Volumes/Flash Player 1/Install Adobe Flash Player.app/Contents/MacOS/Adobe Flash Player Install Manager

                                    Identifier=com.adobe.flashplayer.installmanager

                                    Format=app bundle with Mach-O thin (i386)

                                    CodeDirectory v=20200 size=3680 flags=0x0(none) hashes=176+3 location=embedded

                                    Signature size=8574

                                    Authority=Developer ID Application: Adobe Systems, Inc. (JQ525L2MZD)

                                    Authority=Developer ID Certification Authority

                                    Authority=Apple Root CA

                                    Timestamp=Apr 27, 2017, 12:02:51 AM

                                    Info.plist entries=21

                                    TeamIdentifier=JQ525L2MZD

                                    Sealed Resources version=2 rules=12 files=38

                                    Internal requirements count=1 size=196

                                     

                                    Install Adobe Pepper Flash Player

                                    Executable=/Volumes/Flash Player/Install Adobe Pepper Flash Player.app/Contents/MacOS/Adobe Flash Player Install Manager

                                    Identifier=com.adobe.flashplayer.installmanager

                                    Format=app bundle with Mach-O thin (i386)

                                    CodeDirectory v=20200 size=3680 flags=0x0(none) hashes=176+3 location=embedded

                                    Signature size=8573

                                    Authority=Developer ID Application: Adobe Systems, Inc. (JQ525L2MZD)

                                    Authority=Developer ID Certification Authority

                                    Authority=Apple Root CA

                                    Timestamp=Apr 27, 2017, 12:13:33 AM

                                    Info.plist entries=21

                                    TeamIdentifier=JQ525L2MZD

                                    Sealed Resources version=2 rules=12 files=38

                                    Internal requirements count=1 size=196

                                     

                                    Screen Shot 2017-05-11 at 9.47.47 AM.png
                                    Screen Shot 2017-05-11 at 9.47.59 AM.png
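
Added example, not part of any post in this thread: the posts above compare `codesign` reports by eye, and this shell function checks a saved `codesign -dvv` report against the identifier, Team ID and authority chain quoted in the thread. The function names and the ad-hoc sample report are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): check a `codesign -dvv` report against
# the values quoted in the posts above.
EXPECTED_TEAM="JQ525L2MZD"
EXPECTED_ID="com.adobe.flashplayer.installmanager"

# Reads a report on stdin, prints one "ok"/"FAIL" line per check and returns
# non-zero if any check fails.
check_codesign_report() {
  awk -v team="$1" -v ident="$2" '
    function report(pass, label) {
      printf "%s %s\n", (pass ? "ok  " : "FAIL"), label
      if (!pass) bad = 1
    }
    BEGIN { n = 0; bad = 0 }
    /^Identifier=/     { id  = substr($0, 12) }
    /^TeamIdentifier=/ { tid = substr($0, 16) }
    /^Authority=/      { auth[++n] = substr($0, 11) }
    END {
      # The identifier is set by whoever built the bundle: weakest check.
      report(id == ident, "identifier " id)
      # The Team ID is taken from the signing certificate.
      report(tid == team, "team " tid)
      # Leaf must be a Developer ID certificate, chain must end at Apple.
      report(n >= 2 && index(auth[1], "Developer ID Application:") == 1 &&
             auth[n] == "Apple Root CA", "chain (" n " certificates)")
      exit bad
    }'
}

# Lines taken from the 2017 "Install Adobe Flash Player" report in the thread.
sample_thread_report() { cat <<'EOF'
Identifier=com.adobe.flashplayer.installmanager
Format=app bundle with Mach-O thin (i386)
Authority=Developer ID Application: Adobe Systems, Inc. (JQ525L2MZD)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=JQ525L2MZD
EOF
}

# Constructed report: an ad-hoc signed bundle that reuses the same identifier.
sample_adhoc_report() { cat <<'EOF'
Identifier=com.adobe.flashplayer.installmanager
Signature=adhoc
TeamIdentifier=not set
EOF
}

sample_thread_report | check_codesign_report "$EXPECTED_TEAM" "$EXPECTED_ID"
sample_adhoc_report  | check_codesign_report "$EXPECTED_TEAM" "$EXPECTED_ID" ||
  echo "report does not match: leave the installer alone"

# On a Mac (codesign prints the report on stderr, hence 2>&1):
#   codesign -dvv "$APP" 2>&1 | check_codesign_report "$EXPECTED_TEAM" "$EXPECTED_ID"
# -d only displays the signature. To verify the seal and Gatekeeper policy:
#   codesign --verify --deep --strict --verbose=2 "$APP"
#   spctl --assess --type execute -vv "$APP"
```

A passing report shows who signed the installer, not why the image was mounted, which is the question the thread leaves open.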

                                    • 17. Re: Should a Flash Player installer image ever appear automatically on my Mac?
                                      damianm81962370 Level 1

                                      This just happened to me, too.

                                       

                                      Here's specifically what happened:

                                       

                                      I was doing something on my MacBook completely unrelated to flash player. For some unknown reason, my computer froze (the clock stopped ticking; I don't remember what happened to the cursor).

                                       

                                      The screen then switched to the login screen. It did not restart. I logged back in, and it started all my apps up from scratch.

                                       

                                      At that point, on my desktop, appeared two disk images: "Install Adobe Flash Player" and "Install Adobe Pepper Flash Player."

                                       

                                      I immediately suspected they were malware, so I ejected them. I then emptied my trash, and saw that two items were deleted therefrom. I didn't (unfortunately) examine said items, before deleting them, but I'm guessing they were the unmounted disk images.

                                       

                                      I then opened system preferences, clicked on "flash player," and confirmed that my NPAPI and PPAPI plug-ins are up to date.