Gone in a Flash

No one should be using the dead technology, and any websites that still use it need an update.

Once ubiquitous, used for playing multimedia content, producing animated banners and browser games, and more, Adobe Flash became obsolete over time and was superseded by newer technologies. Many content creators continued to use the familiar platform, though, so both Adobe and browser makers kept up their support. But nothing lives forever, and product support finally ended on January 1, 2021. Browsers will no longer display any remaining Flash content.

Why security specialists have long disliked Flash

Flash content is essentially little programs downloaded to users’ computers and executed by Adobe’s Flash Player. Consequently, Flash Player, which was present on virtually every device with Internet access, quickly found itself in cybercriminals’ crosshairs. After all, executing code on a victim’s computer is essentially a cybercriminal’s dream.

As a result, vulnerabilities of varying severity were found — and exploited — in Flash Player regularly. The vulnerabilities involved the use of scripts from third-party sites, interception of clipboard contents, execution of arbitrary code, and more. Over the course of its life, Flash Player demonstrated more than 1,000 vulnerabilities.

Flash’s remarkable popularity proved dangerous as well. Any website could require a user to update Flash before viewing website content. In most cases, that prompt was appropriate — but one side effect was that it accustomed many users to seeing and obeying such prompts. Sometimes, they got an updated version of legitimate software, but in other cases, they were downloading a malware bundle. Despite Flash’s dwindling usage in recent years, some cybercriminals continued to exploit the hoax.

In response, and more than a decade ago, many security experts began to recommend discontinuing the use of Flash technology. Corporate network administrators and users disabled Flash in browser settings. And until last December, Adobe continued to monitor the security of Flash Player and close newly detected vulnerabilities.

What is changing in 2021?

By declaring Flash dead, Adobe committed to stop fixing it. Any new vulnerabilities will remain open.

What’s more, modern browsers will automatically block Flash content, displaying a placeholder in its stead. Particularly persistent users may be redirected either to the browser’s help page or to the relevant section of the Adobe website for more information.

What should website owners do?

If you are still deliberately using Flash content, you have to understand that no one is likely to see it anymore. Switch ongoing projects to a more modern option and think about updating old content.

Even if you think you’re Flash-free, audit your websites to make sure you’ve purged any interactive components that use the technology — say, an embedded video from another website. Companies tend to support old pages and projects simply to minimize error messages, but where Flash is involved, it’s best to bite the bullet.

Flash content error messages are not a very big deal, but they’re also not great; the potential consequences are nothing but negative. Some users might just get annoyed with your company, but others might try installing older versions of browsers or Flash Player, exposing themselves to a variety of problems.

What should users do?

Remove the Flash plugin from your browser if you have not done so already, and forget about that technology for good. From here on out, if you see a placeholder for Flash content that your browser cannot display, you probably do not want to be on that website: Either the creators have long since abandoned the project or they are negligent — or they’re out to harm users.