
Adobe Flash – it’s the end of the end of the end of the road at last

The journey to the end of Flash. Are we there yet?

There are some cybersecurity issues that just never seem to go away.
As a result, we have written about them, on and off, for years – at first with ever-increasing quizzicality, but ultimately, once we could raise our eyebrows no further, with a sort of saggingly steady fatalism.
Examples include: the fact that Windows still doesn’t show file extensions by default; the prevalence of elementary security blunders in IoT devices; and Apple’s obstinate refusal to say anything at all about security fixes – even whether widely-known bugs are being worked on – until after they’re out.
And Flash. Adobe Flash.
Adobe’s technology for fancy interactive graphics, mostly used to spice up your browser, has drifted towards its demise for so many years that it has almost single-handedly made a cliche out of Mark Twain’s famous remark that “the report of my death was an exaggeration.”


Back in the day, Flash was a popular tool for writing online games and publishing browser-based software that worked more like a native app than was possible with the HTML features of the time.
However, given that Flash ran right inside your browser and required a complex, powerful plugin to implement what were essentially fancy, turbo-charged, proprietary browser extensions…
…Flash brought with it a regular supply of exploitable bugs, over and above any bugs in your browser or your operating system.
Cybercriminals could abuse these bugs not only to plague you with fake or misleading content, but also to escape from the strictures of your browser, spy on other browser tabs, read files off your hard disk that they weren’t even supposed to know about, and implant malware on your computer.
Worse still, Flash bugs seemed to show up very frequently as zero-days, the jargon term for exploitable security holes that are found by attackers before a patch is available, thus leaving even the most disciplined and swift-acting system administrators with zero days during which they could have been ahead of the crooks.
In one memorable (or perhaps best-forgotten) article back in 2016, we bemoaned three successive months in which Adobe pushed out updates to close off zero-day bugs in Flash.
Cybercriminals didn’t just love Flash, they adored it.

Who needs it, anyway?

Of course, most of us, even back in 2016, already either didn’t need Flash at all, or needed it so sparingly that we could get away with uninstalling it completely after each use, downloading and reinstalling it as a one-off every time we were genuinely forced to rely on it.
If anything showed that Adobe’s heart hasn’t really been in Flash for many years, it was the story of how Apple banned Flash from the iPhone in 2010.
Steve Jobs, then CEO at Apple, unilaterally ejected Flash from the iOS ecosystem in that year, saying that apps that tried to include it would be denied access to the App Store.
Ironically, even though opinion went against Apple for what was seen as anti-competitive behaviour and Apple relented on its ban, Adobe didn’t show any enthusiasm for the reprieve.
In fact, Adobe itself announced in 2011 that it was giving up on Flash for mobile devices altogether.

Not dead yet

Probably more because of pressure from users than from any burning desire to keep Flash alive, Adobe soldiered on with Flash updates and security patches for desktop computers for a few years more.
But in July 2017, the company finally and formally admitted that it had had enough, and that the technology was entering a phase known by the rather doom-laden jargon term EOL, short for End Of Life:

Specifically, we will stop updating and distributing the Flash Player at the end of 2020 and encourage content creators to migrate any existing Flash content to […] new open formats.

Three years may sound like a long EOL period, but it’s a surprisingly common duration, given how long it takes some companies to implement technology changes throughout the entire organisation. Some reports suggest that Windows XP still has a market share above 1%, even though it’s now more than 12 years after XP’s final release and six years after it exited even from extended support.

The end of the end of the end?

So, where do we stand on the Final Demise of Flash?
Will it really abdicate forever on the last day of 2020, given that it’s had so many encores already, despite being redundant in browsers since HTML5 came out in 2014?
Is someone finally going to take us on a one-way trip to a world without Flash, a trip from which there really is no turning back this time?
Yes! It seems that the programmers at Microsoft, bless their hearts, have set out to do exactly that!
Update KB4577586, entitled Update for the removal of Adobe Flash Player: October 27, 2020, “will remove Adobe Flash Player from your Windows device.”
But there’s more.
“After this update has been applied,” the KB article goes on to say, “this update cannot be uninstalled.” (Microsoft’s boldface emphasis.)
The only way to get Flash back is by rolling back to an earlier restore point, or reinstalling Windows from scratch.
Wow! It really is the end of the end for Flash, at least on Windows.

PS. Do you have any Flash-related memories you want to share/unburden/lament? Let us know in the comments below…

(Guess what? It’s not truly the end, because this only removes the version of Flash that Windows itself controls. If you’re really desperate to carry on, like those cigarette smokers who huddle together miserably in the bike shed even on the blusteriest of winter days, you can always Bring Your Own Flash. But please don’t. Give Adobe the chance, at last, to give Flash the final sendoff it has been trying to achieve for years.)


64 Comments

I’m sad.
Most (ok All) of my favourite solitaire games are .swf files, and I’ve always loved how I can run them locally.
I use WindowsXP on this computer, and have worked very hard to keep Microsoft from sending any updates (each time I forgot, many features I relied on had to be rolled back, and programs needed re-installation).
I will have to update soon. Browsers and other network software haven’t been available for this platform for some time.
It will be a sad day.

Though everyone else on the internet might rejoice that you will soon be more secure in their midst :-)

how does one Windows XP machine with an internet connection affect my Windows 10 PC with an internet connection? Out of interest.

Any computer online that is actively infected with malware is a menace to the rest of the internet – crooks don’t just use malware against you but against everyone around you, e.g. by using it to blast out spam, commit ad fraud, set off denial of service attacks against others, steal other people’s data that happens to be on your hard disk, and more.
So, the more prone your computer is to getting infected in the first place, the worse it is for everyone else.
Think of it like deliberately driving a car that has failed its annual safety check – it’s illegal (and socially unacceptable) not because it makes you a hazard to yourself but because it puts everyone else at a risk they shouldn’t have to face.

> Most (ok All) of my favourite solitaire games…
Probably not All. You do play Freecell, don’t you? If not, it’s time to learn.

Curiously, though I can’t verify because I haven’t needed it in awhile, I think IrfanView still has a Flash plugin that will run .swf files… if you really, really need a Solitaire fix. :)

You can use the ruffle.rs browser extension to still get flash, but without the security exploits, because everything runs within the browser sandbox

Homestar Runner was the best use of Flash ever. I’m glad they got around it.

Ah, Flash certainly had its time and its place. But even Adobe seemed to lose faith in it (and the will to continue) many years ago… except they kind of got stuck with it on account of its astonishing success and the marketplace’s unwillingness to try new things. *Adobe* wanted to move on long ago… we should now let them do it with thanks and ease.

Withdrawing software always creates headache & discomfort for users. Yes, Flash was a security nightmare, but software & hardware is a tool for a purpose. The celebrations and assertive visionary statements that accompany such changes always diminish the user’s personal experience and trauma. I will not be updating my computer for a while as I still use Flash (I already rolled back to a previous backup because of the change Apple made to Safari). It is not as impactful a decision as Steve Jobs’ ignorant decision to kill Hypercard. I had written a million lines of code for my lab using this. Nowadays I have a stock of dual bootable iMacs (c 2006) that only run OS 9 and are not connected to the internet. I cannot use my laptop to do my data collection work, I have a plethora of extra external kit (disc drives & CD RW) to enable me to transfer data. I am not a fan of updates or visionary progress. It is a barrier to efficiency.

Maybe. But very few countries still pull their trains with steam-powered locomotives. They are huge, noisy, filthy, inefficient, inflexible, dangerous, wasteful of natural resources and cause extreme pollution. Sometimes it’s the lack of updates that are the barrier to efficiency.
As for Hypercard… as its author mused, “If only it had worked across a network.” We’d probably be running stack servers to send out cards, not web servers to serve up pages.

oh dang….pretty much all of my Live sports-streams ends up getting delivered thru Adobe Flash, it seems…
big bummer when the hammer finally ‘falls’…. :-(

Are you *sure*? Any online service that supports only Flash has missed out on the entire mobile internet revolution. If they’re still using Flash but also support mobile devices then they already crossed the “life beyond Flash” bridge. I’d be astonished if any mainstream commercial video streaming service was still dependent on Flash, if only because half their market or more must be mobile by now.
The very last site I needed to use that actually *required* Flash ditched it completely some two or three years ago.

Windows 7 IE11 does not support html streaming.
Many corp environments are the above. Streaming in flash is still very much alive and well.
Though it’s only places where they absolutely can’t install chrome that it’s a deal breaker issue.

IE. I remember that, it used to be, errr, golly, it wasn’t an IRC client, it was…
…give me a moment. Ah! I know! It used to be a browser, didn’t it? I always assumed it had died out along with Netscape.

The USA govt’s Photo Validator is still a Flash application as of today.

Better hope they fix it PDQ :-)
As sad as it seems that the Department of State is so far off the pace, are you sure that you *need* Flash, or is that just if you want to use the online photo editor? If you have prepared the image in advance, isn’t it just a vanilla file upload that you end up doing?

The diversity lottery for 2022 closes on Nov 10th and I guess they will develop a new one for next year, as well as for passport photos. I don’t think it is absolutely necessary, I have seen other online cropping tools.

There is this semi-popular online virtual pet game called Webkinz that still continues to use Flash. Their method of getting around web browsers removing Flash support is to develop a standalone desktop “app” which appears to be something cooked up quickly using the Chromium source code, presumably an older out-of-date version that still supports the Flash plugin. Because of that, this “app” still requires you to download and install Flash in order to access the Webkinz site.
Just in the last week however, they unveiled a brand new Webkinz that uses modern 3D Web technologies and doesn’t require Flash at all, and renaming the old Flash-based site Webkinz Classic. Of course, many long time users of the site are complaining about the new one and intend on playing the older Flash-based version instead.
The information for the Windows Update meant to remove Flash doesn’t indicate whether or not you will still be able to install the standalone version of Flash that the Webkinz Classic app needs. But really, Webkinz Classic has been buggy for years and Ganz (the Canadian toy company behind it) should start phasing it out and move everyone to the new version for security’s sake.

Ellen Pronk and Han Hoogerbrugge were both terrific and prolific Flash artists in the early 2000’s, publishing new experiments almost daily. As much as I loved their work, most Flash seemed to be relentlessly annoying website splash pages. Good riddance to them!

All technology has its time and place. Flash now joins punched cards and 300 baud acoustic couplers …. great in their day but when it’s time, it’s time.

Flash is dead? Long live Ruffle!
Ruffle is an Adobe Flash Player emulator written in the Rust programming language. It targets both the desktop and the web using WebAssembly. AS2 games are starting to play pretty well!

“Who needs it, anyway?”
I have done well without it for at least seven or eight years now and have harassed sites that insisted on using Flash since that time.
I have never missed it.

Well, the massive undertaking that is Flash gaming archival isn’t complete even today. More games are getting backed up, more work is done to emulate Flash, and very few have been updated to a new format. I’ve never stopped needing Flash and it’s not going to be complete in time I don’t think. It means there will be lapses in games access.

If retro games are your thing, why not switch allegiance to true retro games for one of the trailblazing early consoles or arcade units? MES, PS1, old arcade games etc.?

Smh Paul, I thought you’d know by now that nobody except TRUE gamers (like me) play anything past Atari Pong or the Magnavox Odyssey. Hell, you’re all using the internet wrong. As of right now, I am browsing this great site using my Kenbak-1 from 1972 that I have personally modified to browse the internet and relay me text through morse code unlike you simpletons using a disgusting monitor.

i mean, its not really about the allegiance, its more about that a lot of people now grew up with flash games. like, this was my childhood. fancy pants adventures, papa louie, webkinz (old school), etc. i know its time, but let us be sad. if (or when) the favorite games from your childhood became obsolete, youd be upset as well.

Why does AOL gold still require the Flash player to even use their browser? Are there any plans to replace it?

No idea. The docs I have seen suggest that AOL Desktop Gold was released in 2017, by which time the EOL for Flash was already known. You will need to ask AOL.
(Isn’t it based on the Chromium browser?)

Paul,
Some users will need to work hard to keep Flash from unintended un-installation.
Flash UI is the only UI available to manage Dell/EMC vRPA.
“Minimum Flash version for Unisphere for RecoverPoint GUI is 10 and later.”
-Vladimir

The same is true for older Juniper products. I’m using a srx100 firewall @home and for all the graphic Flash is needed.

What about those users who only use Flash based apps on internal networks. The most common that comes to mind is VMware’s vSphere Client. Although they have ported much of it to HTML5 there are still functions that can only be done on the Flash based management console. Those Flash applications are definitely NOT public web sites and are NOT subject to zero-day vulnerabilities and work GREAT. Adobe, Google and Microsoft might consider that user base where their Flash browser clients don’t access the Internet.

Newer versions of VMware vSphere (v6.7 Update 1 and newer) no longer require Flash for *any* client function. This has been the case in vSphere for over 2 years now (when v6.7u1 was released). Time to update! :)
https://blogs.vmware.com/vsphere/2018/10/fully-featured-vsphere-client-in-vsphere-6-7-update-1.html

I think you need to consider updating your management tools. Yes, the original vSphere Client migration to HTML5 was a nightmare but it’s been fully functional for a while now. You really shouldn’t be managing enterprise infrastructure with a system that has Flash installed. They are subject to 0-days, someone just needs a foothold into your network which is not very difficult to achieve. Or that system with Flash installed just needs to be accidentally connected to the Internet. Thinking that just because a system is behind your firewall that you don’t need to worry about Flash or other outdated technology is a mistake.

Oh I have been using Flash Player for over 10 years and it had made me so happy. I had used it for 2 of my favorite games in Facebook. Farmville 1 and Zoo World 1. But now they are disappearing because the Flash Player is shutting down. I am so sad and will miss my games so much. They mean a lot to me, because I had relaxed playing the games after a stressed day at work. I still hope for a solution to continue playing my games. 😢😢

I find it crazy that this has been coming for years and years and we don’t have a replacement even half as capable. Even Adobe’s own Animate software is weak.

I learned Flash Animation about 20 years ago and have used it ever since.
I mostly just make animations with it and never really use the Action Script. I save the videos to avi or mp 2 or mp 4. But i do use it allot as i am the creator of 2 on going cartoons. I’ve even had an animation in a movie using it. And did freelance animation for a number of years. When i recently came out as Adobe Animate. I adjusted to it as usual. So.. Are you taking me.. My program is about to go away?

Nope. Adobe animate isn’t going anywhere. They are just removing action script and swf exporting

Ford Sync2 runs on flash.
Take a .SWF, rename it .JPG, and load it as a background. The head unit will execute it.
:-D

Adobe Animate still exists and .swf files are still really handy for sharing those animations. It’ll be a little frustrating if they no longer work. So many dodgy exploits have ruined it for genuine users.

I remember adobe flash from 2003-2007 I no longer use it however I have later started getting use to HTML 5 content I like HTML 5 games and sites better than adobe flash it was a security nightmare to keep up with but I will be glad it is EOL in December 2020 and I am happy for that

Lots of educational simulations and activities are FLASH esp science. It is a tool many teachers use and now without we won’t be able to have kids do these simulations. The companies will not make html5 or will charge fees now. We can’t afford it.

By the same token, lots of simulations don’t use Flash. Quite a lot of schools make use of tablets in classrooms – they haven’t had access to Flash for close to a decade… maybe someone from a “tablet school” could comment on what they use in science classes?

Aww, man! Let’s bring back Adobe Shockwave instead!
(For those who need to see this… yes I am totally kidding.)

The only thing good about Flash is the innovation in security that it forced everyone to develop due to its terrible, insecure code base. They should have open sourced it fifteen years ago, had it fixed once and for all, and it would probably be still in use today. This surely has to be a lesson in why proprietary software is bad for commercial use. I have no idea the number of CVE’s that are assigned to Flash but I seriously doubt that any other application comes anywhere close – good riddance to the buffer overflowing malware conduit! Someone should write a book on how not to write web based applications and just use Flash as an example.

I’m not going to miss Flash and the endless updates except the Cthulhu card game.
I think the only two things that generated similar numbers of CVEs were PDF files (thanks Adobe) and Java which was also a good idea at the time that has failed.
As an aside, back in 1996 it was obvious to me that Windows 95 hid file extensions in an attempt to look more like Mac OS and Microsoft has stubbornly refused to back away from this because they would lose face. I find this especially annoying because many things will use the same icon and description for different file extensions like .ost and .pst

Unfortunately I have many business related PDF Portfolios made with Acrobat Pro. They do not work without Flash Player installed. Now what?

Update to something that isn’t dangerously obsolete?

Gee whiz MrF… DUH! I already use a different professional PDF program. Let me clarify.. without Flash, what do I do with the dozens of PDF portfolios (created with Adobe) that contain critical email w/ attachments (that had to be submitted to lawyers) without extracting the many thousands of items and recombining them with some other utility. It’s so easy to just say “turn off Flash” without offering assistance for the many users like myself. Adobe certainly isn’t offering anything.

PDF is a widely-supported file format for which many different, still-supported viewers exist, including from Adobe. Today’s browsers can open PDFs directly, in fact, no need for Flash.

Thanks Paul, I understand this, but portfolios made with Acrobat Pro XI & earlier create and combine many items (email + attachments from many people in my case) into a single, indexed, searchable PDF. In order to view it, the Flash Player plug-in is *required*. Portfolios were the preferred method by lawyers for court case discovery which is the reason these were created. So my question pertains to keeping these as a legal archive, but without Flash they are useless. Adobe, to my knowledge, has not provided an alternative for those that have created portfolios over the years thus rendering all of them useless. My only recourse is to spend many hours & days exporting and reassembling them somehow. Very bad customer consideration!

All I can suggest is that you apply via Adobe’s website for an “Adobe Flash Player licence” before the end of the year, and see what happens – that’s supposed to give you the right to keep and redistribute it indefinitely in your own environment/network/workgroup. I don’t really know what else to say.
If Adobe won’t play ball, perhaps the Bar Council (is there such a thing?) or the Law Society could wade in and make some noise? Perhaps Her Majesty’s Courts and Tribunals Service could lean on Adobe for the ongoing right to have it and make it available for download, if indeed there are many historical court documents that need it? At any rate, it sounds as though you’ll need your own copy of a Flash Player that you can keep up your sleeve, maybe in a Virtual Machine set up just for your historical documents? The various Flash Player downloads are still available on Adobe’s site for now… I just downloaded the Linux one. (I think I will keep that up my own sleeve just in case!)
If there is loads of official documentation needing Flash that has already been used in a court hearing or tribunal, I would be interested to know what the folks at the National Archives have in mind to keep those documents alive and kicking. They may already have faced down the issue of how to convert them into an open standard format.
(I *still* don’t have Word on my computer, and I haven’t used PowerPoint since about 2004. Nothing against Microsoft, just trying to future-proof the things I might want to read again in 10 years’ time.)

Oh woe the schools. I’ve already dealt with a helpdesk request today requesting that we “unblock Flash” to allow them to reach “important educational resources”. I am steeling myself for the wailing and gnashing of teeth from teachers who are losing their favourite resources; normally on a website circa 1999 complete with animated gifs and broken links to Geocities pages and Yahoo Groups.
It doesn’t matter that those websites haven’t been updated for 15yr or that I’ve been talking to them about the loss of Flash for 3yr, it’s my fault and I’m stopping their precious little ‘uns from reaching THAT maths game because I’m evil. It’s far too much to ask to find one that isn’t Flash.
Admittedly I probably am a little evil but then if you’ve been working in security for as long as I have you need that to get through the day.

So many flash cartoons that were entertainment from 1997 to 2005 including some of the late ones like badger, badger, badger & “look at my horse.”

As an ex-Flash developer I must say that I’m sad.
I’ve spent years creating flash games, banners, websites, educational programs for kids. I’ve invested so much of time into learning AS 1, 2, 3, online courses, books, bought paper stuff. I am versed in html, vector illustrations, photoshop, photography and other multimedia stuff, so I could offer and create almost everything needed online. Creating funny interactive stuff was my hobby and joy.
Yes Flash had bugs, and security holes, but those could be fixed.
Never again will we have such tool which could be used by programmers or designers or illustrators and publish it, and it would work on PC, MaC and Linux.
HTML5 still needs a lot of development to reach even 1/3 of Flash features.
– People complained about Flash CPU usage. Look at current websites, their CSS and HTML5 animations uses even more CPU
– People complained about Flash size. Look at current websites, their full page images and backgrounds and videos and scripts consumes much more bandwidth.
– People complained about flash vulnerabilities. Look at current major CMS platforms, holes and security issues everywhere.
IMHO Flash was too powerful and Jobs didn’t like it. He and his army of blog zealots were also powerful and they started anti Flash propaganda which eventually did the job. Adobe arrogance and inertia didn’t help either.
And there was Microsoft with its Silverlight who was plotting against Flash as well.
All three combined was too much.
There are many developers like me which lost a good chunk of their income after anti Flash propaganda started.
Like them, I also moved on into another fields but I will never work so eagerly and fluently with something else like I used to do with Flash.
RIP!

you know, ill miss it. im currently 20, meaning that unlike most of these people, i grew up with flash. this stuff was my childhood, and still is used by lots of children worldwide. ever heard of cool math games? yeah, it was a security nightmare, and i (along with most others) will reluctantly let it go, but for others in the comments trying to tell us to rejoice, let us be sad! of course a lot of us will be upset, thats to be expected when the thing you grew up with, the thing that you grew up with, is just removed with not enough time to get an alternative or backup.

Well, it was close to 10 years ago that Adobe announced it was killing off Flash on mobile devices, and it was 3.5 years ago that it announced the EOL for Flash on other devices. Given the pace of change in IT technology, there are plenty of people who will say there was plenty of time.
I wouldn’t worry too much… retro gaming is a big deal (MAME, QED.) so your games will make a comeback eventually, just like vinyl and cassettes have been doing in recent years.
