Site icon Sophos News

Adobe Flash – it’s the end of the end of the end of the road at last

There are some cybersecurity issues that just never seem to go away.
As a result, we have written about them, on and off, for years – at first with ever-increasing quizzicality, but ultimately, once we could raise our eyebrows no further, with a sort of saggingly steady fatalism.
Examples include: the fact that Windows still doesn’t show file extensions by default; the prevalence of elementary security blunders in IoT devices; and Apple’s obstinate refusal to say anything at all about security fixes – even whether widely-known bugs are being worked on – until after they’re out.
And Flash. Abobe Flash.
Adobe’s technology for fancy interactive graphics, mostly used to spice up your browser, has drifted towards its demise for so many years that it has almost single-handedly made a cliche out of Mark Twain’s famous remark that “the report of my death was an exaggeration.”


Back in the day, Flash was a popular tool for writing online games and publishing browser-based software that worked more like a native app than was possible with the HTML features of the time.
However, given that Flash ran right inside your browser and required a complex, powerful plugin to implement what were essentially fancy, turbo-charged, proprietary browser extensions…
…Flash brought with it a regular supply of exploitable bugs, over and above any bugs in your browser or your operating system.
Cybercriminals could abuse these bugs not only to plague you with fake or misleading content, but also to escape from the strictures of your browser, spy on other browser tabs, read files off your hard disk that they weren’t even supposed to know about, and implant malware on your computer.
Worse still, Flash bugs seemed to show up very frequently as zero-days, the jargon term for exploitable security holes that are found by attackers before a patch is available, thus leaving even the most disciplined and swift-acting system administrators with zero days during which they could have been ahead of the crooks.
In one memorable (or perhaps best-forgotten) article back in 2016, we bemoaned three successive months in which Adobe pushed out updates to close off zero-day bugs in Flash.
Cybercriminals didn’t just love Flash, they adored it.

Who needs it, anyway?

Of course, most of us, even back in 2016, already either didn’t need Flash at all, or needed it so sparingly that we could get away with uninstalling it completely after each use, downloading and reinstalling it as a one-off every time we were genuinely forced to rely on it.
If anything showed that Adobe’s heart hasn’t really been in Flash for many years, it was the story of how Apple banned Flash from the iPhone in 2010.
Steve Jobs, then CEO at Apple, unilaterally ejected Flash from the iOS ecosystem in that year, saying that apps that tried to include it would be denied access to the App Store.
Ironically, even though opinion went against Apple for what was seen as anti-competitive behaviour and Apple relented on its ban, Adobe didn’t show any enthusiasm for the reprieve.
In fact, Adobe itself announced in 2011 that it was giving up on Flash for mobile devices altogether.

Not dead yet

Probably more because of pressure from users than from any burning desire to keep Flash alive, Adobe soldiered on with Flash updates and security patches for desktop computers for a few years more.
But in July 2017, the company finally and formally admitted that it had had enough, and that the technology was entering a phase known by the rather doom-laden jargon term EOL, short for End Of Life:

Specifically, we will stop updating and distributing the Flash Player at the end of 2020 and encourage content creators to migrate any existing Flash content to […] new open formats.

Three years may sound like a long EOL period, but it’s a surprisingly common duration, given how long it takes some companies to implement technology changes throughout the entire organisation. Some reports suggest that Windows XP still has a market share above 1%, even though it’s now more than 12 years after XP’s final release and six years after it exited even from extended support.

The end of the end of the end?

So, where do we stand on the Final Demise of Flash?
Will it really abdicate forever on the last day of 2020, given that it’s had so many encores already, despite being redundant in browsers since HTML5 came out in 2014?
Is someone finally going to take us on a one-way trip to a world without Flash, a trip from which there really is no turning back this time?
Yes! It seems that the programmers at Microsoft, bless their hearts, have set out to do exactly that!
Update KB4577586, entitled Update for the removal of Adobe Flash Player: October 27, 2020, “will remove Adobe Flash Player from your Windows device.
But there’s more.
After this update has been applied,” the KB article goes on to say, “this update cannot be uninstalled.” (Microsoft’s boldface emphasis.)
The only way to get Flash back is by rolling back to a earlier restore point, or reinstalling Windows from scratch.
Wow! It really is the end of the end for Flash, at least on Windows.

PS. Do you have any Flash-related memories you want to share/unburden/lament? Let us know in the comments below…

Guess what? It’s not truly the end, because this only removes the version of Flash that Windows itself controls. If you’re really desperate to carry on, like those cigarette smokers who huddle together miserably in the bike shed even on the blusteriest of winter days, you can always Bring Your Own Flash. But please don’t. Give Adobe the chance, at last, to give Flash the final sendoff it has been trying to achieve for years.)


Exit mobile version