Flash is dead, but not gone

On January 12, just after 8:15 a.m. local time, computers began to malfunction at the Dalian Train Operation Depot in northeast China. The coordinators’ browsers would not load details of the train timetable. Six hours later, dispatchers also lost the ability to print train data from the web app. According to the depot’s account on Weibo and WeChat, and a follow-up post a few days later, the system flickered on and off for 20 hours before IT staff finally stabilized it. The culprit appears to have been a seismic, but not unforeseen, shift on the Internet: the death of Adobe Flash Player.

As 2020 drew to a close, Adobe ended support for its infamous yet nostalgic multimedia platform. On January 12, Adobe went one step further and activated a kill switch that it had been distributing in Flash updates for months, preventing content from running in the player and essentially rendering the software useless. The company had been warning of the transition for years, while browsers like Chrome and Firefox gradually pushed users to other standards. Apple spent a full decade trying to wean web developers off Flash. But organizations like the Dalian Depot didn’t get the memo. Desperate staffers ended up copying old versions of the software and even tweaking them to run on different versions of Windows to stabilize the system.

“More than twenty hours of struggle. Nobody complained. Nobody gave up. In solving the Flash problem, we turned the glimpse of hope into the fuel for progress,” officials wrote in a post mortem, as translated by journalist Tony Lin.

The Dalian Depot incident speaks to the reality that Flash is not really dead yet, and that it will remain in place, sometimes without anyone knowing, in networks around the world. Mainland China is the only region in the world where Flash will still be officially available, through a distributor with which Adobe partnered in 2018. But some users have complained about problems with the special Chinese version of the program and found workarounds to keep using the regular version.

After decades of abuse by hackers, particularly those who run malvertising schemes, Flash installations, whether forgotten or deliberately maintained, can expose networks for years to come. After all, versions of the software that haven’t been updated recently don’t have a kill switch. And because Adobe no longer supports the software, there will be no security patches for new Flash vulnerabilities that come to light.

“Flash Player can remain on your system unless you uninstall it,” Adobe says in a frequently asked question. “Adobe has blocked Flash content in Flash Player as of January 12, 2021, and major browser vendors have disabled Flash Player and will continue to disable it. No longer beyond the EOL date.”

In October, Microsoft also released an optional update for Windows 8 and above that removes the built-in version of Flash in the operating system.

However, despite this multi-pronged strategy, some installations will continue to exist. In addition to the risk of organizations not updating their software, Adobe’s latest release of Flash included a special business feature that essentially allows network administrators to override the kill switch and put Flash content on an “allowed” list. “Any use of the allowed list at the domain level … is strongly discouraged, is not supported by Adobe, and is entirely at the user’s own risk,” the company said.

Even organizations that remove desktop Flash will still have to worry about the versions in their browsers if they don’t update them regularly. For systems that cannot, or cannot easily, receive updates, these two locations of Flash Player can mean double exposure.
