Flash application in web browsers after End of Life

Report · Jun 12, 2020

Hi,

In our company we have a Flex/Flash application running in web browsers. It's not public, it's only used in our Intranet.

I've read "Adobe Flash Player EOL Enterprise Information Page" and I've also read Adobe Flash Player Administration guide.

https://www.adobe.com/products/flashplayer/enterprise-end-of-life.html

My question is: if we put our Intranet URL into the whitelist in file "mms.cfg", what will happen after December 2020?

Will we be able to run the application (at our own risk) in any web browser? I'm doubting about this, as I've read browser sites and for example Chrome is going to block Flash Player in January 2021 [Flash Player blocked as "out of date" (Target: All Chrome versions - Jan 2021)].

Will we be able to run the application in an old version of any web browser?

What I mean is: what's the point of Flash Player whitelist if web browsers are going to block it anyway in January 2021. Or did I miss anything?

Can you help me to understand all this?

Thanks in advance.

Report · Jun 12, 2020

The point of Flash Player whitelists, I guess, is that Adobe won't stand in the way of unwise schemes to use out of date or non mainstream browsers to keep running stuff. But you have to go to some effort to show you understand the risks.

Report · Jun 12, 2020

The optimal solution is to migrate to technologies that don't use Flash before the end of the year.

For enterprises that absolutely must run Flash Player beyond the end-of-life date, they can work with our technology partner Harman to license a solution that will meet their needs. If you absolutely must use Flash Player in your organization after EOL, this is the best option.

You can find more about that program here: https://services.harman.com/partners/adobe

Where that's simply not feasible, the whitelist option allows administrators to reduce the attack surface by restricting Flash Player to only loading content from a whitelist; however, simply setting some whitelist options and walking away is not a great plan (nor is it likely to be sufficient, depending on what browser(s) your company uses).

There's a whole industry built around running legacy software securely in enterprise environments. To do it well requires careful thought, engineering and money. Virtualization solutions for creating isolated, ephemeral desktop environments that expose specific internal applications to modern clients come to mind. The whitelist options provide some additional tools to engineers trying to solve these types of problems for their specific applications. They are not a panacea, nor are they a substitute for following the important security best-practice of running current, actively maintained software. Configured thoughtfully, they may help to reduce the attack surface for enterprises that are simply not able to remove their dependencies on Flash Player in the short term.

Report · Jun 22, 2020

Hi,

Can jeromiec83223024 or other Adobe employee/user answer to the questions I posed in my previous comment?

Thanks a lot.

Report · Jun 15, 2020

Thanks a lot for your answers. I agree that migrating to other technology is the optimal solution but it's a big application highly customized and with internal developments based on Flex. Unfortunately we won't end doing this by January 2021.

So, with this scenario, we are evaluating options. Harman's packaged browser solution sounds like a good one to me, and we'll contact them for getting a trial and pricing.

Regarding browsers and Flash Player whitelist: if I understood well, even if we put our application URL in whitelist, it won't work in Chrome/Firefox/Edge in January 2021, because these browsers are going to block Flash Player 100% after December 2020. Am I right?

What about these browser versions and Flash Player whitelist in January 2021? Can you confirm if they would be able to run a Flash application in 2021?

- Old Chrome/Firefox/Edge version + Flash player whitelist, making sure that browsers won't update.

- Non mainstream browser (e.g. one based in Chromium, but not Chrome) + Flash player whitelist.

- We have also tried "translating" our web application to Air Desktop application, but it requires installing Flash Player in order to run. Would this work in January 2021 with/without whitelist? I've also read that Windows will remove Flash Player via Windows Update.

I hope jeromiec83223024 or other Adobe employee/user can answer to all these questions and clarify this topic in order to make a decission. As I said Harman sounds good but depending on the performance and pricing maybe we have to create an isolated environment.

Thanks in advance.

Report · Jul 23, 2020

Hi adrian.

I have the same problem. Do you have any answer from Adobe employee?

Report · Jul 23, 2020

Hi alepersan,

Unfortunately, nobody answered to my last comment. Maybe you can try creating a separate thread with these doubts.

You can also take a look to Harman packaged browser solution, and Flash Player licensing options:

https://services.harman.com/partners/adobe

Good luck!

Report · Jul 30, 2020

Sorry about that. Apparently I'm not getting email notifications from forum posts, or they're getting filtered out.

Yeah, your sense is correct. The allowList feature is about enabling sysadmins to reduce their attack surface by limiting the domains that Flash Player will load content from. It's not going to help you in a scenario where the browser's plug-in APIs go away. It's really there to help you lock down an isolated environment where you need to run an old browser and Flash combination while you work on a long-term migration effort.

A link to the official EOL statement follows. It links off to the official roadmaps to each of the major browser vendors, which detail their timelines for removing Flash support. https://theblog.adobe.com/adobe-flash-update

If it were me, and I was going the isolated environment route, I'd probably approach this by exposing an ephemeral machine instance to my users via Citrix that was pinned to an old browser and Flash combination. That's a well-worn path for legacy intranet applications (particularly for applications that depended on proprietary IE behaviors in older Windows ersions).

For Adobe AIR (which is also EOL - Harman is maintaining the current SDKs), you don't need Flash Player installed. If you're trying to use badge install (having users install the application from an embedded installer on a webpage), that leverages Flash Player to kick off the AIR application install process, but it's not strictly necessary. You can just have users download the AIR installer and run it manually. You can also use AIR to generate a "captive runtime" application, which is just a standalone .exe without a dependency on the AIR shared runtime being installed. I think most people use captive runtime these days, especially on mobile.

Report · Nov 25, 2020

Read this in july but forgot to say: thanks for your detailed answer!

Report · Jul 24, 2020

Hello, i am from Argentia I found a way to use flash player applications inside electron app in order to run a swf, this app could be installer using electron-builder in windows, mac, or linux.

I already test my application made in electron it running today ok, change my date to 23-01-2021 and is running. but I have to use the version 31 of pepper flash player. This file is inside the installer package, builded by electron-build. Just to avoid version collitions.

Let my know if you need some help i can share my code is very small, is just to run an electron app and open a WindowBrowser.

This is a workarround, just for a short time, I dont have the propper budget to migrate in this yerar the whole flex application.

Regards

Report · Jul 27, 2020

Embedding Flash Player inside any app requires a Flash Player distribution license.

Report · Jul 30, 2020

Yes i am using Pepper flash player. It is working good.

Report · Sep 22, 2020

To be clear, this violates our EULA. If you want to distribute Flash Player in an application, you would need to acquire a distribution license granting you the permission to do that.

Report · Apr 23, 2021

To be clear, this poster did not say he was distributing any Adobe software. He offered HIS CODE, which Adobe has no rights to and cannot license. The fact that his code works with Pepper doesn't mean Adobe owns it. Yes, I know this is old, but it makes me mad when I see companies trying to lay claim to other people's work.

Report · Sep 16, 2020

Hola como andas? Yo soy también de argentina y tengo el mismo problema. Encontré una solución que hasta ahora tiene buena pinta. Mi correo es [moderator: deleted personal information as per forums policy]. si querés podemos encontrar algina solución combinada .

Report · Sep 17, 2020

Hi Mariano, what did you do?

Report · Sep 17, 2020

are yo using webAPP? or desktop?

Report · Sep 22, 2020

[moderator: deleted personal information as per forums policy]

Report · Nov 24, 2020

HI Sir,

Thank you for your help.

I have some custom applications which already developed in Flash builder and our applications will run on the server with swf files.

I am seriously worrying that what will happen after Jan 1 20201?

Could you please help me that how to over come to this problem to make sure to run our flex solution?

Could you please provide me if any suggestions and code?

Thanks,

Sasidhar.p

Report · Nov 24, 2020

Let us suppose your users need Flash Player. It depends what you deploy. Is it an SWF? If so, that's easy to answer, they will stop working for most users. The server is not the issues, clients will no longer run Flash Player. "Could you please provide me if any suggestions and code?" There is no magic solution. Three years were given for projects to be remade, often from the start. You have only 5 weeks left.

Report · Nov 24, 2020

Hi i find Chrome 49 wich has any flash pluggin that works after 2021. If
You are using intranets without upgrading thats works

Report · Dec 21, 2020

In a blog post:

https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/

Microsoft states third-party provided Flash Player versions (like the HARMAN one) will work in IE 11 & in Microsoft Edge IE mode.

Report · Jan 13, 2021

This is a serious issue for us, as we have some legacy hardware which is configured via flash web UI. You know, it's more than just web servers that have web interfaces. We've already had no end of trouble with deprecated SSL algorithms. Running a dedicated machine is not a workable solution as old versions of the OS and Browser become unavailable. New operating systems no longer run older web browsers. Old operating system don't work on new hardware. Old hardware breaks and is difficult to find. We can't ask any of our vendors if they could supply or repair such an old PC because the answer is always no. I've been down this path quite a few times. thank you.

Report · Jan 14, 2021

I develop an envelop to run my swf application.

I use electrón to run the swf file.

If you need information please contacto me [moderator: personal information removed per forums privacy policy. to contact someone directly, send them a DM]

Regards

Report · Jan 14, 2021

For enterprises that are dependent on Flash Player, there are a couple options available to keep legacy applications alive.

https://www.adobe.com/products/flashplayer/enterprise-end-of-life.html

Technical details can be found in the Flash Player Admin Guide, including Enterprise enablement feature:

https://www.adobe.com/devnet/flashplayer/articles/flash_player_admin_guide.html

Original end-of-life announcement, from July 2017 and general FAQ:

Flash application in web browsers after End of Life

1 Correct answer