Introduction
As Adobe announced, Flash Player support will be discontinued at the end of 2020/beginning of 2021.
If enterprises are running applications based on Adobe Flash, it is strongly recommended to migrate them and disable Adobe Flash Player on all clients, as security fixes will also be discontinued.
In some cases, though, there might be no migration option for various reasons, and in order to continue operations it will then be necessary to keep Flash Player active for a number of clients.
This blog post gives an overview of findings and of the impact of the Flash Player end of life, in case you need to continue running Flash-based applications in 2021.
SAP has published official information on this topic, e.g. in Note 2993618.
The company HARMAN is taking over the official role of a distributor for enterprise customers and will deliver maintenance for Adobe Flash.
If you are unsure, you should get in contact with HARMAN.
If you try to keep Flash running on your own, always keep in mind the security risk of running outdated or unpatched software – and secure it in other ways.
Announced facts about end of flash support
Adobe will stop supporting Flash after December 31st, 2020
Browser vendors have announced that they will remove support for Flash plugins and APIs starting in early 2021.
Chrome/Chromium: version 88+ will remove Flash support in January 2021
Firefox: version 85 will remove flash support in January 2021
Firefox Extended Support Release 78 (supported until June/October 2021) can further be used to run Flash
Microsoft has announced that it will remove Flash from installations with an optional Windows Update and will also shut down distribution sources
Adobe Flash installations have a system-time-controlled “kill switch” that blocks functioning as of January 12th 2021
This can already be observed by setting a client’s time ahead to a later date
Adobe announced that it will shut down distribution sources at the beginning of 2021, which might stop online installers and referencing package distributions (e.g. on Linux) from working
Possible Mitigations
Install Flash on your machines within the year 2020
In case you have problems installing Flash on your machine, you can acquire full installers for your machine from the help page, section “Still having problems”, at least until the end of 2020.
Update January 22, 2021: Adobe download pages seem to be inaccessible in the meantime, though I was still able to find trustworthy mirrors for the Flash Player installer
Apply mms.cfg to disable the “kill switch” in client flash installations, according to Adobe Flash Admin Guide
You have to use the configuration to restrict flash usage to whitelisted systems only – this also helps you to reduce security risks of flash usage
A Microsoft blog previews that a cumulative update or monthly rollup will remove policies regarding Flash Player as of summer 2021 for Internet Explorer and Microsoft Edge
By blocking or not installing the optional KB for removal, it might be possible to continue running flash in Internet Explorer or Edge legacy mode until summer, blocking the announced cumulative update/rollup even further
Install a browser version that still supports flash and disable automatic browser updates
Update January 22, 2021: Firefox ESR 78.6.1 still plays Flash content and is downloadable at Mozilla
The open source community has heavily increased its push frequency on Flash support, e.g. in Lightspark or Ruffle; these projects might be a solution for a rising number of use cases, although they do not have 100% coverage yet
An example of a working mms.cfg file can contain the following (replace the AllowListUrlPattern parameters with the hosts and ports matching your scenario):
EOLUninstallDisable=1
SilentAutoUpdateEnable=0
EnableAllowList=1
AutoUpdateDisable=1
ErrorReportingEnable=1
AllowListUrlPattern=https://my-flash-host:8443
AllowListUrlPattern=https://my-flash-host2:8283
The location of the file can be found in the Adobe Flash Admin Guide. Examples:
MacOS: /Library/Application Support/Macromedia
Windows x86: C:\Windows\System32\Macromed\Flash
Windows x64: C:\Windows\SysWow64\Macromed\Flash
Update January 22, 2021: The AllowListUrlPattern entries are obligatory for further use. Make sure all your systems are entered here.
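Because the allow list is the main control that limits where the remaining Flash installations can load content from, it is worth checking each client's mms.cfg before rollout. The following audit script is an added example, not part of the original post or of any Adobe tooling; the function names are hypothetical, and the rules "https only" and "no `*` in a pattern" are policy choices of this example. The sample input is constructed from the example above with two deliberately weak entries.

```python
from urllib.parse import urlsplit

# Constructed sample: the page's example with two deliberately weak entries.
SAMPLE_MMS_CFG = """\
EOLUninstallDisable=1
SilentAutoUpdateEnable=0
EnableAllowList=1
AutoUpdateDisable=1
ErrorReportingEnable=1
AllowListUrlPattern=https://my-flash-host:8443
AllowListUrlPattern=http://my-flash-host2:8283
AllowListUrlPattern=https://*:8443
"""


def parse_mms_cfg(text):
    """Split key=value lines; AllowListUrlPattern repeats, so collect it as a list."""
    settings, patterns = {}, []
    for raw in text.splitlines():
        if "=" not in raw:
            continue  # blank or malformed line
        key, value = (part.strip() for part in raw.split("=", 1))
        if key == "AllowListUrlPattern":
            patterns.append(value)
        else:
            settings[key] = value
    return settings, patterns


def audit_mms_cfg(text):
    """Return findings; an empty list means the allow list is on and narrow."""
    settings, patterns = parse_mms_cfg(text)
    findings = []
    if settings.get("EnableAllowList") != "1":
        findings.append("EnableAllowList is not 1: the allow list is not enforced")
    if not patterns:
        findings.append("no AllowListUrlPattern entries: list every system you need")
    for pattern in patterns:
        parts = urlsplit(pattern)
        if parts.scheme != "https":
            findings.append(f"{pattern}: not https, content can be altered in transit")
        if "*" in pattern:  # policy of this example: exact hosts only
            findings.append(f"{pattern}: contains '*', list the exact host instead")
        elif not parts.hostname:
            findings.append(f"{pattern}: no host found")
    return findings


if __name__ == "__main__":
    for finding in audit_mms_cfg(SAMPLE_MMS_CFG):
        print("FINDING:", finding)
```

To audit a deployed file, read it from one of the locations listed above and pass its text to `audit_mms_cfg`.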
I personally tested MacOS and Windows Server 2016 on my machines using the config above with Firefox ESR (version 78.5.0esr) – I cannot guarantee it working in your environment, but I will keep testing and add further information to this blog post.
Internet Explorer still works for me as well – while Chrome and Chromium Edge updated in my environment and are not capable of running flash anymore.
Due to availability and support timeframes, I’d go for both Firefox ESR and Internet Explorer.
Summary
If you need to continue using Browser-Flash applications in 2021, you have a few options to do so.
According to the announced information, for working environments there should not be an impact before January 12th.
HARMAN can help you with a supported enterprise distribution of Flash Player as “Packaged Browser” solution
If you have got Flash already installed on your machines, it might be sufficient to block updates for one specific browser such as Chrome, Chromium-based browsers (like e.g. the new Microsoft Edge) or Firefox (ESR) and apply an mms.cfg as in the example above
If you are using Microsoft Internet Explorer or Edge Legacy mode, make sure to not install or block the Windows updates containing the removal of Flash as well as Flash integration components on the clients where you need to continue running flash. In any case you will have to add an mms.cfg as above
If you have got a working environment, it might be beneficial to save a backup/snapshot of it, in case you need to restore it after a failure or after mistakenly installing an update that removes functionality.
Neither SAP nor I can give any warranty or official support for Adobe Flash, and if you repeat any steps described here, it is at your own risk.
I will update this blog post with findings that arise in the future, as the current situation is only a preview of the options available.
Changelog:
January 22, 2021: Added a few more findings and statuses across the guide, fixed Whitelist-related statements