Adobe, please give us a solution, we need our application today or our business cannot continue.
We know about the danger of using Flashplayer but it's our own application, we use separate computers just for this.
At least give us an old version that doesn't block our own content.
What has your business been doing for the last 3 years after the death of Flash was announced? This is very sad.
Have a look in the Adobe Admin Guide:
https://www.adobe.com/content/dam/acom/en/devnet/flashplayer/articles/flash_player_admin_guide/pdf/l...
You can place a config file on your system where you can enable your company's internal Flash application sites.
E.g. under Linux:
/etc/adobe/mms.cfg:
EOLUninstallDisable=1
EnableAllowList=1
# AllowListPreview=1
# TraceOutputEcho=1
AllowListUrlPattern=https://my-internal-flash-site.com
I hope that helps.
@Test Screen Name We provide solar energy components.
@berndh72391550 Thanks, I have tried that but it didn't work.
Created mms.cfg with the content you provided under /etc/adobe, rebooted, didn't work.
Also tried mms.cfg for Google Chrome in its own Flash Player folder.
😞
Have you looked at Apache Royale?
That's even worse. You have a business built on technology and you have done nothing as a company during the 3 years you had to make, buy or upgrade to software that does not require Flash Player. You may indeed go out of business, and that is a pity.
We did try to build it with HTML5 twice, losing a lot of money, our Flash application is big and robust.
Now we have a new team of 10 members helping us create the new one, but it'll take another year to complete.
Despite all efforts, our Flash application was so much better and faster even though JavaScript is faster than AS3.
You cannot compare JS frameworks to the Flex framework; the difference is significant if you have been working on bigger projects.
In addition to the Admin guide linked below, I recommend reviewing this industry guide for "Enterprise enablement" preferences and other considerations you should review:
https://www.servethehome.com/adobe-flash-player-sunset-looming-over-enterprise-it/
Thanks for the answers but somehow it doesn't read the config file /etc/adobe/mms.cfg.
I see no logs or changes.
System:
Ubuntu 20.04
Latest Flashplayer for Linux 64bit
Firefox 83
I tried to reproduce this on Friday, but wasn't having a lot of luck installing Flash Player via the standard package manager. It looks like I'll have to do it manually from our generic package, and I ran out of time to mess with it.
My suspicion is that you need to set permissions on mms.cfg or the parent folder such that they're readable by the Flash Player process.
Also, Firefox 84 drops support for Flash Player. If you want to continue to get security updates for your browser, you'll want to move to the latest Firefox ESR (Extended Support Release), which will buy you a few more months of Flash support in a browser version that still gets security updates. At that point, you really want to be migrated off, or you're going to be stuck running unpatched browsers in order to keep browser plug-in support.
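
One way to test the permission theory from the post above and confirm the allow-list keys are actually active; this is an added example, not part of the thread or of Adobe's tooling. The function names `other_has`, `cfg_values` and `check_mms_cfg` are hypothetical, GNU `stat` is assumed, and the check assumes the browser user is neither the owner nor in the group of the file, so the "other" permission bits decide.

```shell
#!/bin/sh
# Added example: sanity-check a Flash Player mms.cfg that uses the
# allow-list keys quoted earlier in the thread. Linux / GNU stat assumed.

# other_has BIT PATH -> true if the "other" permission bits of PATH include
# BIT (4 = read, 1 = search). Mode bits are inspected directly so the result
# is the same even when this script itself runs as root.
other_has() {
    local mode
    mode=$(stat -c '%a' -- "$2") || return 1
    [ $(( 0$mode & $1 )) -ne 0 ]
}

# cfg_values KEY FILE -> prints every uncommented value of KEY, one per line.
# Tolerates CRLF line endings and stray whitespace around the key and value.
cfg_values() {
    tr -d '\r' < "$2" |
        sed -n -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
               -e "s/^$1[[:space:]]*=[[:space:]]*//p"
}

# check_mms_cfg FILE -> prints one line per finding, returns 0 only if clean.
check_mms_cfg() {
    local cfg="$1" dir bad=0
    dir=$(dirname -- "$cfg")
    [ -f "$cfg" ] || { echo "FAIL: $cfg not found"; return 1; }

    other_has 1 "$dir" || { echo "FAIL: $dir is not searchable by other users"; bad=1; }
    other_has 4 "$cfg" || { echo "FAIL: $cfg is not readable by other users"; bad=1; }

    # A commented-out "# EnableAllowList=1" does not count.
    [ "$(cfg_values EnableAllowList "$cfg" | tail -n 1)" = "1" ] ||
        { echo "FAIL: EnableAllowList=1 is not set"; bad=1; }

    [ -n "$(cfg_values AllowListUrlPattern "$cfg")" ] ||
        { echo "FAIL: no AllowListUrlPattern entries"; bad=1; }

    return "$bad"
}

# Usage: sh check_mms.sh /etc/adobe/mms.cfg
if [ $# -gt 0 ]; then
    check_mms_cfg "$1"
fi
```

A clean result only rules out the file-level causes; it does not prove that the plug-in build in use reads `/etc/adobe/mms.cfg`.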
Were you guys able to work around this? I'm hoping the permission tip got you on the right path. I got hung up trying to coax the Ubuntu package manager into doing what I wanted and realized that I hadn't gotten back to it.
If you're still stuck, I'm happy to dig into it tomorrow.
If you're on Linux and have a system version of Flash Player installed, there are some simple hacks you can do to get it running in a browser by circumventing the timebomb. This is obviously massively insecure, so I wouldn't use this trick for random Flash executables, only with your own software you created and only as a stop-gap as you work to rewrite it.
There's a package called faketime (https://packages.ubuntu.com/xenial/utils/faketime) which will let you pass whatever time you want to a process you start with it; install with sudo apt install faketime. Then you can download a separate browser to use just with your Flash apps; Pale Moon version 28.16.0 works for sure (https://linux.palemoon.org/) and can be run from a folder without an install. Then simply start the browser using faketime: faketime '2020-12-03 08:15:42' ~/Desktop/palemoon/palemoon
And from there make sure you deny any updates to Flash or the browser you're using, just to make sure it will keep going. Again all this is massively insecure so you should only be using the browser to access apps you wrote yourself as you work to migrate off Flash.
If you can use mms.cfg with Enterprise Enablement, that's way better.
The worry that we're really trying to address is the scenario when (because it's when, not if) the malware/ransomware guys find an 0-day in Flash a year or two down the road, and they start pumping out malicious banner ads to cause widespread damage on users that never update.
By limiting that unmaintained Flash Player to loading just stuff that you trust, you're making it much harder for an attacker to deploy malicious content that would actually run. By defeating the time-bomb, you're setting the player to load everything from the open web. An unmaintained Flash Player is not suitable for browsing the open web. That's just misery waiting to happen.
Given that I don't have a better solution in-hand, I don't hate this recommendation (the latest Firefox ESR still supports Flash and is probably a better choice from a browser-security perspective), but please be smart and mitigate your risk. If your configuration doesn't need to browse the web, take measures to ensure that it can't (force Firefox through a local proxy that limits access to your network, use clever routing rules, etc.).
Writing the "sorry you got hacked, nuke your computer, change all your passwords and lock down your credit file" posts is always depressing, especially when it's avoidable.