Why Flash Player Removal Should Be a PriorityAs Adobe Phases Out Support, Player Poses Even Greater Risks
Adobe Flash Player, which has been patched hundreds of times during its lifetime to address vulnerabilities, will no longer be supported with security updates after Dec. 31, potentially leaving an attack vector that can be exploited by malicious actors unless it’s removed.
That’s why eliminating all instances of Flash Player – even if they’re not currently in use - is extremely important, says Ben Carr, CISO at the security firm Qualys.
"Even dormant it can be an issue," Carr says. That’s because a Flash vulnerability can be activated in several ways, such as if someone visits a malicious website designed to exploit an unpatched flaw.
Organizations should be taking several critical steps now, security experts advise, including:
- Line up a replacement app;
- Run end-of-life checks on systems to find Flash;
- Make Flash removal a top priority;
- Avoid downloading Flash from third-party sites after Adobe removes Flash from its website.
Although removing Flash is relatively straightforward, figuring out if Flash is on systems can prove challenging, security experts say. That’s because the software - a browser plug-in used to stream and view video, audio and multimedia - has been active for more than 20 years and was not tracked by many companies when it was installed by employees.
Admins who have been diligent about security hygiene tasks have likely already removed Flash, Carr says. But others will need to “run an EOL check to see if it's installed," he says.
Gone in a Flash
Adobe announced in 2017 it would end support for its Flash Player at the end of 2020, ending 24 years of deployment to tens of millions of devices. The player has been widely slammed as posing a security risk because it’s been patched hundreds of times.
At the end of this year, Adobe will halt security updates and remove Flash as a download from its website. Although patches and updates will continue to be issued up until year’s end, Adobe warns against running Flash or opting to download it from a third-party site, pointing out that apps obtained elsewhere are a potential source of malware.
“Ignoring the end of service because the software in question still solves a particular business need simply isn’t prudent.”
— Ryan Seguin of Tenable
The company cites the general availability of other software platforms that perform the same tasks as Flash for its decision to phase it out.
"Open standards such as HTML5, WebGL, and WebAssembly have continually matured over the years and serve as viable alternatives for Flash content,” Adobe states. “Also, the major browser vendors are integrating these open standards into their browsers and deprecating most other plug-ins [such as Adobe Flash Player]."
Although Adobe provided early notice of its plans to phase out Flash, some users may not have yet made removal of the player a priority.
"It depends on how widespread the software is [in use at an organization] and whether there is a readily available - and hopefully free – alternative,” says Paul Bischoff, a privacy advocate with the security research firm Comparitech.
Bischoff points out several factors that could slow down how long it takes before Flash is fully removed from general use. "When it comes to Flash, I think a big factor will be how web browsers handle pages that use Flash. Will web pages with Flash be blocked entirely, or will users just get an alert?"
Starting the Process
Eliminating Flash Player should be a top priority, Bischoff stresses, because of the major risks it poses.
"Allowing Flash to run after the [end-of-life] date means inviting malware and other cyberattacks onto your devices and network, because Adobe will no longer issue patches for new vulnerabilities,” Bischoff says.
Many companies come up short when it comes to preparing for dealing with software that suppliers are no longer supporting, even if they get plenty of notice, Carr says. He points out, for example, that many organizations still use Windows 7 even though Microsoft stopped support on Jan. 14, 2020 (see: Windows 7: Microsoft Ceases Free Security Updates).
"Ignoring the end of service because the software in question still solves a particular business need simply isn’t prudent,” says Ryan Seguin, research engineer at cybersecurity firm Tenable. “This means you end up with situations where organizations need to reinvent some of their wheels because the new wheel is safer to use, even if it’s functionally the same.”
The removal of Flash could be a time-consuming project for IT admins depending upon how widely it’s used.
"If the company is hosting pages or apps with Flash, then it's just a matter of removing and replacing those pages and apps,” Bischoff says. “For staff members who might try to access Flash from their work device, make sure those devices and their apps, particularly web browsers, are updated."
The most significant issue for many organizations, however, might be finding an adequate replacement for Flash.
"Most vendors offer a newer version of their interfaces that don’t require Flash,” Sequin says. “If a particular vendor doesn’t have an upgrade or alternative, then organizations will need to invest in an actively supported equivalent."