This post is intended primarily as a warning to all of you who work in IT: the end of life for Adobe Flash needs your attention. Failing to adequately address the problem can mean a disruption to year-end and year-start business in the coming weeks and months. As such, we wanted to ensure our readers are aware.
With that out of the way, let me explain why I am raising the alarm. While there is indeed a cromulent workaround for most of this problem, many enterprises probably will not implement that workaround until after things have broken. Those enterprises that do implement the workaround will probably step on their own feet a few times before they get it right. There are also a few gremlins that, at the moment, seem to have no easy workaround at all. This post is a public service announcement. I encourage you to make sure your company’s IT department is planning for this and, if you work in a customer-facing role, I suggest that you consider reaching out to your customers to ask if they are prepared.
What is the Problem?
Adobe Flash Player will reach its planned end of life on December 31st, 2020 and, while most public websites long ago moved away from Flash-based content, a lot of enterprise software still relies on Flash (particularly older software). Making matters significantly worse, Adobe added a date-based check to outright disable Flash Player starting in January, and the major web browser makers (Microsoft, Google and Mozilla) will each be updating their browsers to prevent the future use of the Flash Player plugin. Moreover, only Mozilla provides a public archive of old versions of its browser, and Adobe removed its archive of previous Flash versions and will soon disable new downloads of Flash Player too. Microsoft also has KB4577586, which is an attempt to start removing Flash from Windows 10. So where does this leave us?
- Many enterprises still need Flash Player to work for the foreseeable future
- Starting in January Flash Player will be broken by default
- The major browser makers will make it impossible to use Flash Player in all future versions of their browsers
- There may no longer be a reputable source from which to download Flash Player for free
Now imagine it is January and employees begin to return to work after the winter holidays. Half of your company’s IT staff are still on vacation and the year-end change freeze is still in place. Somebody from your team attempts to log on to a Flash-based enterprise tool and they get this:
Clicking on that image takes you here, but that page largely just tells us what we already know: Flash Player has reached the end of life and you should stop using it unless you want to buy a 3rd-party support contract from HARMAN. Unfortunately, your coworker needs to keep using Flash Player so they pick up the phone and call the technical support line for the software vendor to ask for a workaround. That software vendor will very likely tell your coworker that their only recommended “fix” is to upgrade to a more modern version of the software (one that no longer requires Flash), which of course would require time and budget—neither of which your team has, especially to get an urgent task completed. You can imagine the ensuing escalations to your own corporate IT team.
What do we do about it?
Adobe’s Flash Player Administration Guide thankfully tells us exactly how to work around 80% of the problem.
Step 1: Refer to page #41 (“mms.cfg file location”) to determine for your operating system and browser combination where the mms.cfg file is stored.
Step 2: Using a text editor copy the below content into the file (create the file if it does not exist):
Step 3: Uncomment the TraceOutputEcho and AllowListPreview properties. Then, using the “web console” developer tool available in your browser, add as many AllowListUrlPattern properties as needed to whitelist your internal IT tools that need Flash.
This is the basic method to solve some of the basic issues. It is, of course, only a workaround and does not address many of the security issues Adobe Flash has, so be cognizant of this fact.
Here There Be Gremlins
Why does the above set of steps only solve 80% of the problem? Let us deal with one thing at a time:
- You still need a web browser that will be able to run the Flash Player plugin and the major browser manufacturers have announced they will actively prevent you from using Flash. If you have automatic updates enabled for your web browser—or if your corporate IT security policy forces automatic updates to be enabled—merely whitelisting URLs in Flash will do no good if the latest browser update removes compatibility with the plugin.
- Savvy users will have no trouble implementing the above configuration, but most average employees will need help to do this. Remember that half of your company’s IT staff will probably still be on winter vacation when Flash Player breaks. Who will answer the phone when hundreds of employees call the helpdesk and need to be coached on applying the workaround?
- Proactive companies may rely on their “end-user compute” teams to apply these settings globally using enterprise administration tools (ex: Active Directory Group Policy) but those have the potential to do as much harm as good. Consider the scenario where corporate IT applies a group policy setting every 15 minutes to whitelist https://*.foobar.com but your tool runs at https://10.0.0.2; every time the group policy is applied to your laptop it removes the whitelist you manually created.
- Suppose your team hires a new person in February and they need to install Flash Player to interact with your team’s tool; from where are they supposed to download Flash Player? Adobe no longer hosts a download page.
There is no perfect solution to the problem, and frankly that is precisely why the Flash end of life process has taken several years. The intent was for the industry to have enough time to upgrade enterprise software so that, by the time Flash Player reached the end of life, nobody would be using it. Alas, the best-laid plans sometimes do not work as intended and Q1 2020 could end up feeling much like Q1 2018 when Spectre/Meltdown kept the IT industry extremely busy.
Here is what you can do:
- Engage your corporate IT teams proactively to educate them on how this situation will impact your company
- Ensure that your corporate IT team’s plan regarding any group policy settings to enable/disable Flash Player takes into consideration the nuances of how your company’s tools are deployed
  - Example: group policy should probably be implemented to append AllowListUrlPattern items to the mms.cfg file instead of overwriting the file
  - Example: your company’s IT Risk department probably needs to allow for exceptions to any enforced “default deny” policy
- Proactively work with your company’s software asset management team to ensure there is a plan to provide a trustworthy location from which employees can download Flash Player
  - It is probably a bad outcome if employees resort to downloading the installer from a random Google search result
- If your corporate IT Risk department will not permit Flash Player to be run on user desktops/laptops then encourage them to allow operations teams to create “jump boxes” or “bastion hosts”: virtual machines which are firewalled off from the rest of the network and that have an old web browser and Flash Player installed for the purpose of administering enterprise software
- Begin planning (and asking for the budget) to upgrade enterprise software that requires Flash Player so that it can be removed as soon as possible
- If you have not already, there are still a few weeks left to organize Adobe Flash hunts and find pockets within the enterprise that still utilize Adobe Flash. These may even be third-party websites or tools that employees need to access and that have not been updated
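The append-instead-of-overwrite behaviour recommended above, applied to the overwrite scenario from the gremlins list, as an added example in Python (not code from the original post or from Adobe). It assumes mms.cfg holds one Key=Value entry per line with a leading # marking a commented-out line; the function names and sample file contents are constructed for illustration.

```python
KEY = "AllowListUrlPattern"


def parse_patterns(cfg_text):
    """Return active (uncommented) AllowListUrlPattern values, in file order."""
    found = []
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank, commented-out, or not a Key=Value line
        key, _, value = line.partition("=")
        if key.strip() == KEY:
            found.append(value.strip())
    return found


def merge_allowlist(cfg_text, required):
    """Append required patterns that are missing; never rewrite existing lines."""
    present = set(parse_patterns(cfg_text))
    missing = []
    for pattern in required:
        if pattern not in present and pattern not in missing:
            missing.append(pattern)
    if not missing:
        return cfg_text  # idempotent: a repeated policy run changes nothing
    # Keep the file's own line-ending style (CRLF on Windows-edited files).
    newline = "\r\n" if "\r\n" in cfg_text else "\n"
    body = cfg_text
    if body and not body.endswith(("\n", "\r")):
        body += newline  # last line had no terminator; add one before appending
    return body + "".join(f"{KEY}={p}{newline}" for p in missing)


# Constructed sample: a laptop whose owner allowed a tool by IP address.
LOCAL_CFG = (
    "#TraceOutputEcho=1\n"
    "#AllowListPreview=1\n"
    "#AllowListUrlPattern=https://old.foobar.com\n"
    "AllowListUrlPattern=https://10.0.0.2\n"
)
# Constructed sample: the pattern central IT pushes to every machine.
CORPORATE = ["https://*.foobar.com"]

if __name__ == "__main__":
    # The locally added 10.0.0.2 entry survives; the corporate one is appended.
    print(merge_allowlist(LOCAL_CFG, CORPORATE), end="")
```

A policy job that writes the returned text back to mms.cfg can run every 15 minutes without removing entries that were added by hand.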
Remember, a good outcome is finding your organization is completely transitioned. A bad outcome is thinking your organization has transitioned but then critical year-end and year-start tasks are held up by users unable to access the tools they need, even if they are hosted elsewhere.
Adobe Flash is not merely reaching the end of support; the entire enterprise software industry is going out of its way to actively prevent it from being used going forward. You can refer to this Wikipedia page to learn more about the history of Flash’s problems but the most important thing to remember is that the industry wants Flash to disappear with urgency. I have provided workarounds above because I believe a good citizen should want to help companies avoid high-severity outages, but the simple fact is you really should not do any of the above. If you must resort to implementing the workaround, I encourage you to work with your IT Risk department to add this to the CIO scorecard so that it can be tracked by senior leadership. Please do not consider the above workaround as a permanent fix; it is a Band-Aid at best.
To our readers, it is certainly late to do any transitions, but there is still time to identify them and build mitigation plans before Adobe Flash Player retirement issues spoil any year-end vacation plans. We know some readers are still using older hardware with embedded Flash software for functions such as management, so this applies equally to those situations. You do not want to urgently need to access management applications only to find that you cannot access Adobe Flash.