Flash EOL , WHAT ABOUT THOSE manufactured appliances that use flash!???

Report · Jan 22, 2021

I have a sonicwall appliance that uses flash, you cannot use the appliance now because flash will not RUN!!! so a $10,000 appliance is JUNK! because adobe killed flash.. all i get is this big

that will not allow me to run my expensive product , so now what?

Report · Jan 22, 2021

You should ask someone at SonicWall if they have an update for whatever applicance you are using. I'm sure they are well aware that their equipment would stop working if they don't intend to update it. Maybe ask the user community here:

https://community.sonicwall.com/technology-and-support

Report · Jan 22, 2021

It's a bit ridiculous that I can't use it because Adobe coded flash to stop working altogether. I get you dont want to support it, I get you not going to make any new versions, but to force my production product to stop working is unacceptable

Report · Jan 22, 2021

Surely, this came as no surprise to anyone. The planned Flash Player EOL was widely publicized 3-1/2 years ahead giving programmers more than ample time to prepare for it.

Pre-Announcement from 2017

https://blog.adobe.com/en/publish/2017/07/25/adobe-flash-update.html#gs.quzsa5

Flash EOL for Enterprises

https://www.adobe.com/products/flashplayer/enterprise-end-of-life.html

Flash EOL FAQ

https://www.adobe.com/products/flashplayer/end-of-life.html

Nancy O'Shea— Product User, Community Expert & Moderator

Report · Jan 22, 2021

I knew EOL was coming but not that your device would fail to function.

Report · Jan 22, 2021

1. I don't work for Adobe. I'm a product user like you.

2. SonicWall knew about the EOL. So it's incumbent upon them to fix the problem. Adobe cannot fix this for them, nor should they.

Nancy O'Shea— Product User, Community Expert & Moderator

Report · Jan 22, 2021

and yes i have already reached out to sonicwall

Report · Jan 25, 2021

A couple things:

In general, if your defenses aren't getting regular updated, they're probably not affording you meaningful protection at this point. Castle walls were great until we invented cannons.

In much the same way, motivated attackers are smart, adaptable and well resourced. The threat landscape is constantly changing. They've moved on while your appliance (given that it hasn't been updated to remove Flash dependencies since the Flash EOL announcement in 2017) has most likely stayed static.

It's worth asking yourself if that appliance is providing meaningful protection at this point, or if it's simply giving you a false sense of security (and/or precluding more meaningful work with regard to addressing the current threat landscape).
You *can* restore access to the administrative UI via Flash Player's Enterprise Enablement features. This would have been easier before Jan 12 (when Preview mode was an option), but it's still doable. That said, you'll also need to freeze on a browser that continues to support plug-ins. Flash EOL didn't happen in a vacuum, and we coordinated with all the major browser vendors to end support for both Flash Player and browser plug-ins.

So, you'll need to freeze and secure an administrative environment for the purpose of keeping this old firewall alive.

You can learn more about the Enterprise Enablement features and the options available for your organization (including licensing a maintained version of Flash Player from our support partner HARMAN, here):

https://www.adobe.com/products/flashplayer/enterprise-end-of-life.html

You can read more about the Enteprise Enablement features in the admin guide, here:
https://www.adobe.com/devnet/flashplayer/articles/flash_player_admin_guide.html

Hope that helps!

Report · Jan 25, 2021

I am not sure what you mean about freeze, I have tried attempted the override, and its not working, i still get the big Fi icon, clearly I am not doing something right, but the instructions are not writing in leymans terms, and not easy to follow or even understand.

below is what i have at my MMS.CFG uner the windows\syswow64 file path.

if i copy this mms.cfg to the users/appdata/local/google/chrome/userdata/pepperflash

and when i use chrome (as suggested by sonicwall) i get the message that adobe flash player was blocked because its out of date ( udpate plugin) or (Run this time) <<< which is what i should get yes?

anyhow when i click RUN THIS TIME ,

the screen is blank.. nothing, nada..

MMS.CFG

---------------------------------------

SilentAutoUpdateEnable=0
AutoUpdateDisable=1
# duplicate actionscript console output
# in browser's console for javascript
TraceOutputEcho=1
# Enable the AllowList feature
EnableAllowList=1
# Normally, the allow list blocks URL requests
# unless the url matches a pattern in the list.
# In preview mode, all requests go unblocked,
# but console output is written for each request
# indicating which pattern it matched or that
# no match was found..
AllowListPreview=1
TraceOutputEcho = 1
AllowListUrlPattern=https://172.16.129.12:443/

Report · Jan 27, 2021

You have mms.cfg in the wrong spot for Chrome (correct details are in the admin guide under the mms.cfg section). Also, Chrome 88 has already shipped, which dropped support for all browser plug-ins, including Flash.

Doing this in Chrome is painful, especially if you use multiple Chrome profiles. Each one has it's own Flash data folder and needs it's own mms.cfg.

I'd recommend using Firefox ESR (extended support release) which will buy you a few more months. The latest generally available Firefox update has also dropped support for browser plug-ins.

https://www.mozilla.org/en-US/firefox/enterprise/

At that point, you can put mms.cfg in the right spot (C:\Windows\System32\Macromed\Flash\mms.cfg and/or C:\Windows\SysWOW64\Macromed\Flash\mms.cfg)

If you're not seeing logs in the console at that point, you've got mms.cfg in the wrong spot. I noticed the other day that regardless of being 32 or 64-bit, Firefox seems to always look in SysWOW64 (the 32-bit location), which is some weird quirk of their 64-bit sandbox. I'd start with putting mms.cfg there, just so you're working with one config file and not risking getting confused by having two different files that might not be synced.

Good luck!

Report · Jan 27, 2021

Also, by "freeze", I mean build a machine that has an old Flash and an old browser, and never gets updated. There are plenty of ways to accomplish this (dedicated/air-gapped computer that only talks to the appliance, VMWare/VirtualBox, etc), but whatever route you choose, you should never use it to actually browse the web (and ideally, actively ensure that it can't).

Also, 443 is the standard port for HTTPS, so you don't need to specify it. I'm not sure it would hurt, but this is simpler and less likely to trip you up.

AllowListUrlPattern=https://172.16.129.12/

The important part here is that you'll want to fire the application up with the developer tools in the browser open to the javascript console. You should see log entries in the console when things get blocked. You can then copy and paste the URLs into new AllowListUrlPattern rules, save your changes to mms.cfg and refresh the page. Once you stop seeing messages about things getting blocked and your application looks like it works right, you're done.

This was easier to do before Jan 12th, because you could put it in preview mode and just log everything that "might" get blocked, but that's not really an option at this point. You could try changing the system clock, but HTTPS cares about the date, so that may or may not cause other weird failures. I'd just leave everything as-is and keep iterating until I have a complete set of rules.

Flash EOL , WHAT ABOUT THOSE manufactured appliances that use flash!???

2 Correct answers