Are stand-alone Flash Player versions secure?

New Here, Jan 28, 2019

Hi everyone,

We're in the process of planning for Flash's retirement in 2020. Our Physics department has some old resources that are flash-based - it's a collection of interactive .swf files that have an exe file as a front end. The exe is based on an old version of Flash Player.

Is it safe to use this software as it's offline? Or should we phase it out in parallel with Adobe phasing out Flash player plug-ins etc?

Thanks,

Tim


1 Correct Answer: the Adobe Employee reply of Jan 28, 2019, given in full below.
Most Valuable Participant, Jan 28, 2019
It's not safe if you use it for resources you did not prepare or do not trust.  All Flash Player vulnerabilities are based on carefully made SWF files which exploit weaknesses.

Adobe Employee, Jan 28, 2019

There is going to be a lot of content in existence that will remain useful and relevant after Flash Player arrives at its end of life.  There are well-established techniques for preserving and isolating legacy software in modern environments (Citrix Receiver, etc.).

Flash Player, like the browser and operating system, is tasked with processing untrusted content.  Limiting its use to processing trusted content is definitely a valid risk-mitigation strategy.

How strictly you want to isolate Flash really depends on your circumstances, available resources and your environment.  There are plenty of Java applets still floating around the world's Math departments, which suffer from the same core set of issues and browser restrictions.  (They're also PAINFUL to use in 2018)

I'd also wonder about the long-term viability of that application on Windows 10.  If it's a really old copy of the Flash projector, it's pretty cool that it's survived all of the API deprecations that happened between Windows 8 and Windows 10.  If it was Mac, it would most certainly be broken, and while Windows is more conservative than Apple about API deprecations and backward-compatibility in general, those changes can and do happen in all operating systems.  Part of what we do over here on a day-to-day basis is ensure that this 20-year-old software package continues to work on modern operating systems and browsers.

If it were me, I'd probably offer students the application on a virtualized, ephemeral Citrix instance.  It doesn't even really need network access.  That's probably way overkill given the already-limited threat surface, but you're looking for guarantees.  If the machine gets popped, its state doesn't persist beyond the user session, and limiting the access of that particular host reduces the risk of an attacker pivoting on your network from the compromised host down to near-zero.

From a general headache and help-desk perspective, if you have the option to migrate your learning materials to native web platform technologies (HTML5 and JavaScript), that's going to give you the best user-experience with the lowest number of helpdesk calls, and you're not spending effort figuring out how to maintain and secure a legacy environment.  If it's just a matter of the department not spending the money for an existing upgraded set of content, you might be well-served by conducting a cost analysis, as maintaining the status-quo will certainly not be free.

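Both replies come down to the same control: only let the legacy projector open SWF files the department itself prepared. The script below is an added example, not code from the thread or from Adobe, showing how to pin the trusted collection to a SHA-256 manifest and vet each file (manifest membership, hash, and the fixed 8-byte SWF header) before handing it to the projector; the file name and the minimal SWF bytes are constructed for the demonstration.

```python
import hashlib
import struct

# SWF signatures: FWS = uncompressed, CWS = zlib-compressed body, ZWS = LZMA body.
SWF_SIGNATURES = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}


def parse_swf_header(data: bytes) -> dict:
    """Read the fixed 8-byte SWF header: 3-byte signature, version byte, uncompressed length."""
    if len(data) < 8 or data[:3] not in SWF_SIGNATURES:
        raise ValueError("not a SWF file")
    version = data[3]
    (length,) = struct.unpack("<I", data[4:8])  # little-endian uint32
    return {"compression": SWF_SIGNATURES[data[:3]], "version": version, "length": length}


def build_manifest(files: dict) -> dict:
    """Pin the SHA-256 of every SWF the department prepared; keep the result read-only."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def vet_swf(name: str, data: bytes, manifest: dict) -> list:
    """Return the reasons this file must not be handed to the projector (empty list = ok)."""
    problems = []
    expected = manifest.get(name)
    if expected is None:
        problems.append("not in manifest")
    elif hashlib.sha256(data).hexdigest() != expected:
        problems.append("hash mismatch")  # content changed since it was pinned
    try:
        header = parse_swf_header(data)
    except ValueError as exc:
        problems.append(str(exc))
        return problems
    # An uncompressed SWF declares its own total size; a mismatch means a malformed file.
    if header["compression"] == "none" and header["length"] != len(data):
        problems.append("declared length does not match file size")
    return problems


# Constructed sample: a minimal SWF header (FWS, version 10, declared length 12 bytes).
TRUSTED = {"pendulum.swf": b"FWS\x0a" + struct.pack("<I", 12) + b"\x00" * 4}
MANIFEST = build_manifest(TRUSTED)

if __name__ == "__main__":
    print(vet_swf("pendulum.swf", TRUSTED["pendulum.swf"], MANIFEST))  # []
    tampered = TRUSTED["pendulum.swf"][:-1] + b"\x01"
    print(vet_swf("pendulum.swf", tampered, MANIFEST))  # ['hash mismatch']
```

A launcher wrapper would call vet_swf on the requested file and refuse to start the projector unless the list comes back empty; combined with the ephemeral, network-less VM described above, this keeps the projector from ever processing content the department did not prepare.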