Flash Is Dead—but Not Gone
On January 12, just after 8:15 am local time, computers started to malfunction at the Dalian Train Operation Depot in northeast China. The dispatchers’ browsers weren’t loading train schedule details. Six hours later, dispatchers also lost the ability to print train data from the web app. According to the depot’s account on Weibo and WeChat, and a follow-up post a couple of days later, the system flickered on and off for 20 hours before IT staff finally stabilized it. The culprit appears to have been a seismic, but not unforeseen, shift on the internet: the death of Adobe Flash Player.
As 2020 came to a close, Adobe fully ended support for its infamous yet nostalgia-laced multimedia platform. On January 12, Adobe took things a step further, triggering a kill switch it had been distributing in Flash updates for months that blocks content from running in the player—essentially rendering the software inoperable. The company had warned about the transition for years, while browsers like Chrome and Firefox gradually nudged users toward other standards. Apple spent a full decade attempting to wean web developers off of Flash. But organizations like the Dalian Depot didn’t get the memo. Frantic staffers ended up pirating old versions of the software, even modifying them to run on all different versions of Windows to stabilize the system.
“Twenty-plus hours of fight. No one complained. No one gave up. In solving the Flash problem, we turned the glimpse of hope into the fuel for advancement,” officials wrote in a postmortem, as translated by journalist Tony Lin.
The Dalian Depot incident speaks to the reality that Flash is not really dead yet, and will persist untouched—and sometimes unbeknownst to anyone—in networks around the world. Mainland China is the only region of the world where Flash will still be officially available through a distributor that Adobe partnered with in 2018. But some users have complained about problems with the dedicated Chinese version of the program and have found workarounds to keep using the regular edition.
After decades of abuse by hackers, particularly those running “malvertising” ad schemes, Flash installations—whether forgotten or intentionally maintained—could expose networks for years to come. Versions of the software that haven’t been updated recently don’t have the kill switch inside, after all. And because Adobe isn’t supporting the software anymore, there won’t be security patches for any new Flash vulnerabilities that come to light.
“Flash Player may remain on your system unless you uninstall it,” Adobe says in an FAQ. “Adobe blocked Flash content from running in Flash Player beginning January 12, 2021, and the major browser vendors have disabled and will continue to disable Flash Player from running after the EOL Date.”
In October, Microsoft also released an optional update for Windows 8 and above that removes the operating system’s built-in version of Flash.
In spite of this multipronged strategy, though, some installations will persist. On top of the risk that organizations won’t update their software, Adobe’s last release of Flash included a special enterprise feature that lets network administrators essentially override the kill switch and place Flash functions on an “allow” list. “Any use of the domain-level allow list … is strongly discouraged, will not be supported by Adobe, and is entirely at the user’s own risk,” the company says.
Even organizations that uninstall desktop Flash will still need to worry about the browser versions if they aren’t updating those regularly. For systems that don’t or can’t receive updates easily, these two locations of Flash Player can mean double the exposure.