As a follow-up to my earlier post about managing XProtect’s ability to block Java browser plug-ins, a Mac admin named scifiman sent me a launchdaemon and script to manage Adobe Flash using a similar method. Thanks, scifiman!
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.company.xprotect_re-enable_adobe_flash</string>
    <key>ProgramArguments</key>
    <array>
        <string>sh</string>
        <string>/Library/Scripts/xprotect_re-enable_adobe_flash.sh</string>
    </array>
    <key>QueueDirectories</key>
    <array/>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>900</integer>
    <key>WatchPaths</key>
    <array/>
</dict>
</plist>

#!/bin/sh

# This script is a modified version of rtrouton's re-enable_java_6_and_7 script.
# This script will check the current Adobe Flash browser plug-in
# version and compare it against the minimum version allowed by
# Apple's XProtect malware protection. If the minimum Flash version
# allowed by XProtect does not allow the current version of the Flash
# browser plug-in on the Mac, the script will alter the Mac's
# /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
# file to set the minimum version allowed to match the current version
# of the Mac's Flash browser plug-in. This allows the Mac's current Flash
# browser plug-in to run in Safari without being blocked.
#
# Original script is from here:
# https://gist.github.com/scifiman/5109047
#

# Minor OS version (carried over from the Java script; not used below).
osvers=$(sw_vers -productVersion | awk -F. '{print $2}')
# javaVendor=`/usr/bin/defaults read "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Info" CFBundleIdentifier`

# Version of the installed Flash plug-in and the minimum version XProtect allows.
CURRENT_FLASH_BUILD=$(/usr/libexec/PlistBuddy -c "print :CFBundleShortVersionString" /Library/Internet\ Plug-Ins/Flash\ Player.plugin/Contents/Info.plist)
XPROTECT_FLASH_BUILD=$(/usr/libexec/PlistBuddy -c "print :PlugInBlacklist:10:com.macromedia.Flash\ Player.plugin:MinimumPlugInBundleVersion" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist)

#
# Check to see if Xprotect is blocking Adobe's Flash browser plug-in and re-enable the plug-in if needed.
# Changes in this section are from Pepijn Bruienne's re-enable_java_6 script: https://github.com/bruienne
#

# [ ] instead of [[ ]] because the script runs under sh. The values are quoted,
# and an empty CURRENT_FLASH_BUILD (Flash not installed) falls through to the
# "nothing to do" branch instead of making the test fail with a syntax error.
if [ -e /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist ]; then
    if [ -n "${CURRENT_FLASH_BUILD}" ] && [ "${CURRENT_FLASH_BUILD}" != "${XPROTECT_FLASH_BUILD}" ]; then
        /usr/bin/logger "Current Flash build (${CURRENT_FLASH_BUILD}) does not match the minimum build required by Xprotect (${XPROTECT_FLASH_BUILD}). Setting current version as the minimum build."
        /usr/libexec/PlistBuddy -c "Set :PlugInBlacklist:10:com.macromedia.Flash\ Player.plugin:MinimumPlugInBundleVersion $CURRENT_FLASH_BUILD" /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
        # Write the plist back out as XML and keep it world-readable.
        /usr/bin/plutil -convert xml1 /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
        /bin/chmod a+r /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist
    else
        /usr/bin/logger "Current Flash build is ${CURRENT_FLASH_BUILD} and Xprotect minimum build is ${XPROTECT_FLASH_BUILD}, nothing to do here."
    fi
fi

exit 0

The script has been tested on 10.6.8, 10.7.5 and 10.8.2, so it should cover all current OSs that use Apple’s XProtect malware protection.
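The script above treats any difference between the two version strings as a block, including the case where the installed plug-in is newer than the XProtect minimum. As an added example (not part of scifiman's script or the original post), the following compares the versions numerically to report whether the installed plug-in is actually below the minimum; the function names `version_lt` and `classify_flash` are hypothetical and the version numbers are constructed samples.

```shell
#!/bin/sh
# Added example: compare dotted version strings numerically, so a version that
# merely differs from the XProtect minimum is not mistaken for a blocked one.

# version_lt A B: returns 0 if A is older than B, 1 otherwise.
# Fields are compared as integers; missing fields count as 0 (11.6 == 11.6.0.0).
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        # Drop the field just read; clear the string once no dot remains.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        fa=${fa:-0}; fb=${fb:-0}
        [ "$fa" -lt "$fb" ] && return 0
        [ "$fa" -gt "$fb" ] && return 1
    done
    return 1    # equal versions
}

# classify_flash CURRENT MINIMUM prints one of:
#   blocked - installed plug-in is older than the XProtect minimum
#   allowed - installed plug-in meets or exceeds the minimum
#   unknown - a value is empty or not a dotted number (e.g. a failed plist read)
classify_flash() {
    for v in "$1" "$2"; do
        case $v in ''|*[!0-9.]*) echo unknown; return 0 ;; esac
    done
    if version_lt "$1" "$2"; then echo blocked; else echo allowed; fi
}

# Constructed sample values (installed version, XProtect minimum).
classify_flash 11.5.0.100 11.6.0.200    # older than the minimum
classify_flash 11.10.0.1 11.9.0.1       # newer, although it sorts lower as text
classify_flash "" 11.6.0.200            # Flash plug-in not installed
```

On a Mac, the two arguments would be the `CURRENT_FLASH_BUILD` and `XPROTECT_FLASH_BUILD` values the script reads with PlistBuddy.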
Scifiman’s original gist is available here:
https://gist.github.com/scifiman/5109047
I’m hosting a copy of the script and launchdaemon here on my GitHub repo: