On January 12, just after 8:15 am local time, computers started to malfunction at the Dalian Train Operation Depot in northeast China. The dispatchers’ browsers weren’t loading train schedule details. Six hours later, dispatchers also lost the ability to print train data from the web app. According to the depot’s account on Weibo and WeChat, and a follow-up post a couple of days later, the system flickered on and off for 20 hours before IT staff finally stabilized it. The culprit appears to have been a seismic, but not unforeseen, shift on the internet: the death of Adobe Flash Player.
As 2020 came to a close, Adobe fully ended support for its infamous yet nostalgia-laced multimedia platform. On January 12, Adobe took things a step further, triggering a kill switch it had been distributing in Flash updates for months that blocks content from running in the player—essentially rendering the software inoperable. The company had warned about the transition for years, while browsers like Chrome and Firefox gradually nudged users toward other standards. Apple spent a full decade attempting to wean web developers off of Flash. But organizations like the Dalian Depot didn’t get the memo. Frantic staffers ended up pirating old versions of the software, even modifying them to run on all different versions of Windows to stabilize the system.
“Twenty-plus hours of fight. No one complained. No one gave up. In solving the Flash problem, we turned the glimpse of hope into the fuel for advancement,” officials wrote in a post mortem, as translated by journalist Tony Lin.
The Dalian Depot incident speaks to the reality that Flash is not really dead yet, and will persist untouched—and sometimes unbeknownst to anyone—in networks around the world. Mainland China is the only region of the world where Flash will still be officially available through a distributor that Adobe partnered with in 2018. But some users have complained about problems with the dedicated Chinese version of the program and have found workarounds to keep using the regular edition.
After decades of abuse by hackers, particularly those running “malvertising” ad schemes, Flash installations—whether forgotten or intentionally maintained—could expose networks for years to come. Versions of the software that haven’t been updated recently don’t have the kill switch inside, after all. And because Adobe isn’t supporting the software anymore, there won’t be security patches for any new Flash vulnerabilities that come to light.
“Flash Player may remain on your system unless you uninstall it,” Adobe says in an FAQ. “Adobe blocked Flash content from running in Flash Player beginning January 12, 2021, and the major browser vendors have disabled and will continue to disable Flash Player from running after the EOL Date.”
In October, Microsoft also released an optional update for Windows 8 and above that removes the operating system’s built-in version of Flash.
In spite of this multipronged strategy, though, some installations will persist. On top of the risk that organizations won’t update their software, Adobe’s last release of Flash included a special enterprise feature that lets network administrators essentially override the kill switch and place Flash functions on an “allow” list. “Any use of the domain-level allow list … is strongly discouraged, will not be supported by Adobe, and is entirely at the user’s own risk,” the company says.
Even organizations that uninstall desktop Flash still need to worry about the copies bundled with browsers if they aren’t updating those browsers regularly. For systems that don’t or can’t receive updates easily, these two locations of Flash Player can mean double the exposure.
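A defender’s first step against both problems above (forgotten installs and an enterprise allow list that overrides the kill switch) is simply finding out where Flash still lives. The script below is an added example for this article, not code from the article, the Dalian Depot, or Adobe. It assumes Flash Player’s standard Windows install directories under Macromed\Flash, a Chrome-managed copy under the user profile (an assumed path), and the mms.cfg keys EnableAllowList, AllowListUrlPattern and AllowListPreview as named in Adobe’s Flash Player administration guide; verify those names against your own copy of the guide before relying on them.

```powershell
# Added example (not from the article or Adobe): inventory lingering Flash Player
# binaries on a Windows host and flag any mms.cfg allow-list override.
# Assumptions to verify locally: the Macromed\Flash install directories, Chrome's
# PepperFlash directory, and the allow-list key names from Adobe's admin guide.

function Read-MmsCfg {
    # Parses mms.cfg (Key=Value lines, '#' comments) into key -> [string[]],
    # because AllowListUrlPattern may appear on several lines.
    param([Parameter(Mandatory)][string]$Path)
    $settings = @{}
    foreach ($raw in Get-Content -Path $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }
        $parts = $line -split '=', 2
        if ($parts.Count -ne 2) { continue }
        $key = $parts[0].Trim()
        $val = $parts[1].Trim()
        if (-not $settings.ContainsKey($key)) { $settings[$key] = @() }
        $settings[$key] += $val
    }
    return $settings
}

function Get-FlashPlayerInventory {
    # Returns one record per Flash binary or risky configuration setting found.
    [CmdletBinding()]
    param()
    $findings = [System.Collections.Generic.List[object]]::new()

    $flashDirs = @(
        (Join-Path $env:WINDIR 'System32\Macromed\Flash'),  # 64-bit ActiveX/NPAPI/PPAPI
        (Join-Path $env:WINDIR 'SysWOW64\Macromed\Flash')   # 32-bit copies
    )
    # Browser-bundled copy: Chrome's component-updated PPAPI build (assumed path)
    $chromeFlash = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\PepperFlash'
    if (Test-Path $chromeFlash) { $flashDirs += $chromeFlash }

    foreach ($dir in $flashDirs) {
        if (-not (Test-Path $dir)) { continue }

        # Flash*.ocx = ActiveX (IE/legacy Edge), NPSWF*.dll = NPAPI (Firefox),
        # pepflashplayer*.dll = PPAPI (Chromium). Report the file version so
        # builds that predate the kill switch stand out in the inventory.
        Get-ChildItem -Path $dir -Recurse -Include '*.ocx', '*.dll' -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '^(Flash|NPSWF|pepflashplayer)' } |
            ForEach-Object {
                $findings.Add([PSCustomObject]@{
                    Severity = 'High'
                    Path     = $_.FullName
                    Detail   = "Flash Player binary, file version $($_.VersionInfo.FileVersion)"
                })
            }

        # mms.cfg is where the enterprise allow list is configured
        $cfgPath = Join-Path $dir 'mms.cfg'
        if (-not (Test-Path $cfgPath)) { continue }
        $cfg = Read-MmsCfg -Path $cfgPath

        if ($cfg['EnableAllowList'] -contains '1') {
            $patterns = if ($cfg.ContainsKey('AllowListUrlPattern')) {
                $cfg['AllowListUrlPattern'] -join ', '
            } else { '(no patterns listed)' }
            $findings.Add([PSCustomObject]@{
                Severity = 'Critical'
                Path     = $cfgPath
                Detail   = "Domain-level allow list overrides the kill switch for: $patterns"
            })
        }
        if ($cfg['AllowListPreview'] -contains '1') {
            $findings.Add([PSCustomObject]@{
                Severity = 'Medium'
                Path     = $cfgPath
                Detail   = 'AllowListPreview is set; someone was trialling the allow list before EOL'
            })
        }
    }
    return $findings
}

# Usage: run from an elevated prompt so both Macromed\Flash directories are readable.
Get-FlashPlayerInventory | Sort-Object Severity | Format-Table -AutoSize
```

The script only reads files and reports; removal is deliberately left to Adobe’s uninstaller or your endpoint-management tooling. Pipe the output to `Export-Csv` and collect it across the fleet, then treat any Critical row as a change-control question: a domain-level allow list means someone consciously chose to keep an unpatched runtime alive, and the app behind it belongs on the migration list the article describes.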
“Flash has been a massive security hole for decades, and a whole ecosystem of cybercriminals have been preying on those who use the software,” says Rob Cheng, CEO of the antivirus maker PC Matic. “Even now that the software has been killed by Adobe, the threat will not immediately go away.”
There’s some good news still. As Flash has approached its end of life and lost users, researchers say that attackers have tapered off their investment in finding and exploiting new vulnerabilities in the software. One of the most recent Flash bugs that has been widely abused by hackers is a memory flaw disclosed in January 2019 that could be exploited to take control of a target device.
“Recently, exploit kit authors started to slowly move away from Flash exploits,” says Jérôme Segura, director of threat intelligence at the antivirus firm Malwarebytes. “In part this was due to newer vulnerabilities for Internet Explorer, with more precise targeting in specific countries where Internet Explorer is still relevant enough for drive-by attacks.”
Segura notes, though, that the Flash Player plugin was specifically appealing for so long because of its proximity and relationship to serving online ads. With less ubiquity, Flash attacks will be less useful to hackers, but they will remain in offensive toolkits.
“Flash will be around for several years even though it’s ‘dead,’” says David Kennedy, CEO of the threat tracking firm Binary Defense Systems, who also runs a corporate penetration testing firm. “Many systems and applications still heavily use it, and updating those could be super expensive, or companies may have custom applications that were built to rely on Flash. So the exposure will still be there in systems that don’t receive updates or get overhauled often.”
Legacy software that’s no longer supported or receiving patches inevitably becomes a cybersecurity issue, whether it’s ancient industrial control software deep in always-on infrastructure or historic networking protocols in internet-of-things devices. Microsoft’s Windows XP has had such a long tail that the company famously was forced to release critical patches for the operating system multiple times—and years after formally ending support.
Thanks to the tech industry’s and Adobe’s efforts to really kill Flash dead, researchers say they don’t expect the catastrophes that resulted from Windows XP to repeat themselves with Flash. But they caution that since attackers are so familiar with Flash tactics, they won’t hesitate to exploit it whenever they can for years to come.