Flash is dead, but not gone

January 12 Just after 8:15 a.m. local time, computers began to malfunction at the Dalian Railway Operations Depot in northeast China. The dispatcher’s navigators were not loading the details of the train schedules. Six hours later, dispatchers also lost the ability to print train data from the web application. According to the account of the deposit on Weibo and WeChat, and a follow-up post a few days later, the system flashed for 20 hours before IT staff finally stabilized it. The culprit seems to have been a seismic, but not unforeseen, change on the Internet: the death of Adobe Flash Player.

At the end of 2020, Adobe completely ended support for its infamous but nostalgic media platform. On January 12, Adobe took things a step further, triggering a kill switch it had been distributing in Flash Updates for months that prevented content from running in the player – essentially rendering the software inoperable. The company had warned against the transition for years, as browsers like Chrome and Firefox gradually pushed users to other standards. Apple has spent a full decade trying to wean web developers off Flash. But organizations like the Dalian Depot did not receive the memo. Frenzied employees ended up hacking older versions of the software and even modifying them to run on all different versions of Windows to stabilize the system.

“More than twenty hours of combat. No one complained. No one gave up. By solving the Flash problem, we turned the glimmer of hope into fuel for advancement, ”officials wrote in a post-mortem, as translated by reporter Tony Lin.

The Dalian Depot incident is testament to the reality that The Flash is not really dead yet and will persist intact – and sometimes unbeknownst to anyone – in networks around the world. Mainland China is the only region in the world where Flash will still be officially available through a distributor that Adobe partnered with in 2018. But some users have complained about issues with the dedicated Chinese version of the program and have found workarounds. to continue using the standard version. editing.

After decades of abuse by hackers, especially those who run “malicious” adware, Flash installations – whether forgotten or intentionally maintained – could expose networks for years to come. Versions of the software that haven’t been updated recently don’t have a kill switch inside, after all. And since Adobe no longer supports the software, there will be no more security patches for any new Flash vulnerabilities that are discovered.

“Flash Player can remain on your system unless you uninstall it,” Adobe explains in an FAQ. “Adobe has blocked Flash content from running in Flash Player as of January 12, 2021, and major browser vendors have disabled and will continue to disable Flash Player. To run after the EOL date.”

In October, Microsoft also released an optional update for Windows 8 and later that removes the built-in version of Flash from the operating system.

Despite this multi-pronged strategy, some installations will persist. In addition to the risk that organizations will not update their software, Adobe’s latest version of Flash included a special enterprise feature that allows network administrators to essentially override the kill switch and put Flash functions on a list. “to allow”. “Any use of the authorization list at the domain level… is strongly discouraged, will not be supported by Adobe and is entirely at the user’s own risk,” the company says.

Even organizations that uninstall Flash from desktop will also have to worry about browser versions if they don’t update them regularly. For systems that don’t or can’t receive updates easily, these two Flash Player locations can mean double the exposure.