Adobe Ends Flash Support in 2020
The news that Adobe has finally set a date to discontinue support for their Flash multimedia platform will come to some as good news and as an impending deadline to others.
The news that Adobe will stop supporting Flash by the end of 2020 means more work for many IT departments. They have to determine which corporate assets (websites and applications) still depend on Flash and what needs to be done to update them to something else.
For IT security staffs, however, the phasing out of Flash is very good news. Flash is inherently insecure, even though it’s undergone many revisions and patches throughout the years. The Flash player itself is a nearly irresistible target for hackers, and it provides a wealth of entry points for malware of all sorts. Even Flash updates have been targeted by hackers, who spoof (fake) a Flash update to get the user to unwittingly install malware on their computer.
Dealing with Flash Will Differ with Each Company’s Situation
The size of the problem depends on which platform or platforms the enterprise supports. For example, for enterprises with large iOS and Mac OS X install bases, much of the work is probably already done since neither of these platforms supports Flash. In fact, Android hasn’t supported Flash since version 4 of the operating system. So even if a company serves its websites and apps to current Android users, it probably already uses alternatives to Flash.
It is enterprises with exclusively or almost exclusively Windows clients in their environments that are likely to have the most work ahead of them, since Windows is the platform for which Flash is still actively developed. And since there are so many Windows installations out there, both corporate and personal, a client with a currently supported version of Flash on it is the de facto standard.
The problem with Flash being recognized by so many is that even on operating systems that do not support Flash, a common entry point for a malware attack is a browser pop-up that informs the user that their device isn’t running the latest version of Flash. And since it’s something that feels familiar to the user, they allow it and end up installing some type of malware.
Something similar can happen to the Flash players in Windows and macOS. Flash is supported in those environments, but it is common for it to be turned off by default in new installs. But just like on a mobile device, an installer that looks like a Flash update can easily trick the user into installing malware that appears to come directly from Adobe.
But the threat doesn’t end there. Flash apps can make use of legitimate Flash players to install and run malware that can sometimes elude antivirus software. The main attraction of Flash player as a hacker target has been its ubiquity and its ability to gain control of computer resources.
Updating Flash Mandatory
What this means is that the security teams in every company will have to ensure that on the client side, where Flash players are installed, they are kept updated and security-patched. At least that will work for now.
Eventually, though, they’ll have to take a larger approach to the issue, probably by making sure that any device that connects to the company network isn’t allowed to run Flash player. That policy introduces a new set of concerns.
For employees, it will require some advance notice so they don’t find themselves unable to connect to the network when the time comes. It will also require assessing the websites that your organization needs in the daily course of business.
For most organizations, the list should be a fairly small number of commercial sites, a few news sites and maybe a social media site or two – even though these sites are moving away from Flash as well, and their numbers should decrease with time. Ask your employees to make a list of the sites they visit every day and, if necessary, what business purposes the sites serve.
Note that this list is probably a small subset of the sites that your staffers actually visit since it’s not uncommon for employees to do everything from shopping on Amazon.com to visiting dating sites on company time. But it will produce a list of sites that they need in order to do their work, which is really what we’re after.
Security Need Not Be at Risk
While your personnel policies may allow your staff to do things like shopping, there’s no reason that this activity should risk your organization’s security. That translates into a clear path to eliminate Flash, even if it annoys a few people who spend their lunch hours involved in adult activities.
If you do find instances where a few employees need access to sites that require the use of Flash, maybe a supplier or partner who is late to convert, you can limit the use of Flash to specific business functions and to a small number of computers. While you’re at it, it’s a good time to call the supplier’s IT department to find out their plans for converting away from Flash.
It’s likely that the switch away from allowing Flash won’t be too onerous. Many computers have silently stopped running it over the last few years. If you limit mobile devices to those that either run iOS or Android 4.1 and later and also limit the Android devices to using apps obtained from the Google Play Store, then those devices won’t be a problem. With desktop computers, you can set a group policy that eliminates the Flash software and doesn’t allow employees to install it.
Once you’ve taken those steps, your security exposure related to Flash is severely diminished. You’ll also need to convert your own sites from Flash to a current standard like HTML5.
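To find which of your own pages still need converting, the inventory can be automated. The following is an added example, not part of the original article: a Python scanner that reports the markup patterns that load Flash (the Flash MIME type, the Flash ActiveX classid, `.swf` URLs and SWFObject script calls). The function names, finding labels and sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from pathlib import Path

FLASH_MIME = "application/x-shockwave-flash"
FLASH_CLSID = "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"  # Flash ActiveX control
FLASH_REF = re.compile(r"\.swf\b|swfobject", re.I)  # SWF URL or SWFObject loader

class FlashFinder(HTMLParser):
    """Collects (line, reason, detail) for markup that loads Flash content."""
    def __init__(self):
        super().__init__()
        self.findings, self.in_script = [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        self.in_script = tag == "script"
        url = a.get("src") or a.get("data") or a.get("value") or ""
        if tag in ("object", "embed", "param", "script") and FLASH_REF.search(url):
            self.findings.append((self.getpos()[0], "flash-url", url))
        ids = (a.get("type", "").lower(), a.get("classid", "").lower())
        if tag in ("object", "embed") and (FLASH_MIME in ids or FLASH_CLSID in ids):
            self.findings.append((self.getpos()[0], "flash-plugin", tag))

    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"

    def handle_data(self, data):
        # Only script bodies are inspected; visible text that mentions .swf is ignored.
        if self.in_script and FLASH_REF.search(data):
            self.findings.append((self.getpos()[0], "flash-script", "inline script"))

def scan_html(text):
    finder = FlashFinder()
    finder.feed(text)
    finder.close()
    return finder.findings

def scan_tree(root):
    """Map each HTML file under root to its findings; clean files are omitted."""
    pages = (p for p in Path(root).rglob("*.htm*") if p.is_file())
    return {str(p): h for p in pages if (h := scan_html(p.read_text("utf-8", "replace")))}

# Constructed sample page, not taken from any real site.
SAMPLE = """<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000">
<param name="movie" value="/media/intro.swf"></object>
<embed src="banner.swf?v=2" type="application/x-shockwave-flash">
<script>swfobject.embedSWF("intro.swf", "player", "640", "480", "9.0.0");</script>
<p>The old .swf intro is gone.</p><video src="intro.mp4" controls></video>"""
```

Run `scan_tree` against a checked-out copy of the web root; every file it returns is a page that still has to be moved to HTML5 before Flash is removed from clients.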
While all of this may look like a huge annoyance, it shouldn’t be. If you’ve been following good network hygiene and keeping your machines up to date, it’s possible that all of your work is already done.
But assuming there are still steps you need to take, or if you’re not sure, you will at least know what steps you need to take.