A world without Adobe Flash

In not-so-loving memory of Adobe Flash.

At the beginning of 2021, Adobe Flash officially ceased to exist. Some fans of old browser-based games got misty, but most infosec experts breathed a sigh of relief as the world got ready to live without the distinguished but now dead technology.

Is the world ready, though? It turns out that not everyone switched to other tools despite years of advance notice from Adobe. Moreover, some techno-necromancers began to invent ways to raise the technology from the grave. Now, forty days after shutdown, we take a look at how the world is coping (or not) without Adobe Flash.

A railroad in Dalian

Exactly what happened in January, on a railway line in Dalian, China, is disputed. Accounts of the severity of the incident differ, but all agree on one thing: The end of Flash-based content caused the malfunction. Despite the official date on the death certificate, January 1, Adobe added a grace period, giving users 11 more days to bid Flash farewell. Why anyone, on January 12, would still find themselves reliant on Flash, is frankly beyond rational comprehension, but on that day, some of Dalian’s rail systems were still using the platform.

Whether Flash directly caused travel disruption and exactly what systems were involved are disputed, and not really the point. Media mentioned dispatching and ticketing issues. Officials essentially denied the problem. Whatever the case, the tech support team pulled out all the stops and ultimately got Adobe Flash working on the computers at stations along the line, returning the systems to operation. Adobe Flash is now up and running, and everything is back to normal as far as that goes.

From an information security perspective, the achievement is hardly praiseworthy. A piece of critical infrastructure is now using (albeit for noncritical tasks) a technology known to be outdated.

A separate but related point is that many large companies roll out their updates piecemeal because good practice dictates testing updates by starting with machines in an isolated test environment. Maybe the Dalian railroad applied that practice — we don’t know. The problem in this case is that update protocols aren’t the problem here. Adobe didn’t update Flash on January 12, it killed Flash. The kill switch was coded in a long time ago, before the last update (which was on December 8). A patch would have performed fine in any test environment, in fact.

Perhaps, in hindsight, embedding a delayed kill switch is not the best practice for shutting down such a widely used technology.

A tax office in South Africa

The South African Revenue Service is responsible for tax collection in the country, and many returns are now submitted online. On January 12, the revenue service suddenly realized its Web forms were built on Adobe Flash.

Rather than extend the deadline for filing tax returns and recode the forms based on a newer technology, the revenue service decided to release a custom browser with Adobe Flash support. Now, South African taxpayers must use unsupported technology to submit sensitive financial information.

The South African government didn’t create a browser from scratch. It used a stripped-down version of Chromium that provides access to only one website. As a stop-gap measure, it’s not life-threatening, but we don’t know about the department’s plans for keeping its browser up to date.

The program currently exists only for Windows, so users of other operating systems will have to look for alternative ways to run Flash content, which is risky. We hope the fix is temporary and the agency ultimately ditches Flash.

Workarounds

Alternative ways to run Flash do exist. Worse, they are in demand, and not only among fans of Flash-based games. Some fairly major companies still rely on the technology for some services (most often internal ones). Search for “how to run Flash after 2021” and you will find a bunch of links with instructions that, to be clear, you should not follow.

For example, one option is to install a pre-kill-switch version of Flash Player. Although Adobe removed links to old versions of the program from its website, unofficial sites offer them. That’s troubling from the jump because using old versions of any software is risky, but downloading software from unofficial sites adds even more risk — who knows what unscrupulous actors might have added to the installation package?

Some people have posted versions of instructions for neutralizing the built-in kill switch, enabling the display of some Flash content.

Other tips seem to make a bit more sense. For example, several browser extensions are based on Ruffle, a Flash Player emulator that uses modern browser sandboxing technologies. In addition, Ruffle was written in the Rust language, whose memory safety basis neutralizes common Flash problems and vulnerabilities, according to Ruffle’s creators.

Sounds pretty great. However, bear in mind that Ruffle is an open-source project maintained by enthusiasts. Whether enthusiasm will be enough remains to be seen. Ruffle may well harbor vulnerabilities of its own, and someone may fix them when the time comes.

Specialized B2B solutions have also appeared. For example, Harman signed an exclusive deal with Adobe to build and support custom browsers with Flash enabled for companies that are not ready to part with the player.

What to do if you still need Flash

If life without the technology seems unbearable, we suggest following these tips:

  • Think again. Now, try updating your Web content, instead;
  • Use a virtual environment to run old versions and makeshift workarounds — and only if you must;
  • Install a security solution to detect attempts at vulnerability exploitation, even if you’re using a workaround that seems safe.
Tips