In our company we have a Flex/Flash application running in web browsers. It's not public, it's only used in our Intranet.
I've read "Adobe Flash Player EOL Enterprise Information Page" and I've also read Adobe Flash Player Administration guide.
My question is: if we put our Intranet URL into the whitelist in file "mms.cfg", what will happen after December 2020?
Will we be able to run the application (at our own risk) in any web browser? I doubt this, as I've read browser sites and for example Chrome is going to block Flash Player in January 2021 [Flash Player blocked as "out of date" (Target: All Chrome versions - Jan 2021)].
Will we be able to run the application in an old version of any web browser?
What I mean is: what's the point of Flash Player whitelist if web browsers are going to block it anyway in January 2021. Or did I miss anything?
Can you help me to understand all this?
Thanks in advance.
The point of Flash Player whitelists, I guess, is that Adobe won't stand in the way of unwise schemes to use out of date or non mainstream browsers to keep running stuff. But you have to go to some effort to show you understand the risks.
The optimal solution is to migrate to technologies that don't use Flash before the end of the year.
For enterprises that absolutely must run Flash Player beyond the end-of-life date, they can work with our technology partner Harman to license a solution that will meet their needs. If you absolutely must use Flash Player in your organization after EOL, this is the best option.
You can find more about that program here: https://services.harman.com/partners/adobe
Where that's simply not feasible, the whitelist option allows administrators to reduce the attack surface by restricting Flash Player to only loading content from a whitelist; however, simply setting some whitelist options and walking away is not a great plan (nor is it likely to be sufficient, depending on what browser(s) your company uses).
There's a whole industry built around running legacy software securely in enterprise environments. To do it well requires careful thought, engineering and money. Virtualization solutions for creating isolated, ephemeral desktop environments that expose specific internal applications to modern clients come to mind. The whitelist options provide some additional tools to engineers trying to solve these types of problems for their specific applications. They are not a panacea, nor are they a substitute for following the important security best-practice of running current, actively maintained software. Configured thoughtfully, they may help to reduce the attack surface for enterprises that are simply not able to remove their dependencies on Flash Player in the short term.
Can jeromiec83223024 or another Adobe employee/user answer the questions I posed in my previous comment?
Thanks a lot.
Thanks a lot for your answers. I agree that migrating to other technology is the optimal solution, but it's a big application, highly customized and with internal developments based on Flex. Unfortunately we won't finish doing this by January 2021.
So, with this scenario, we are evaluating options. Harman's packaged browser solution sounds like a good one to me, and we'll contact them for getting a trial and pricing.
Regarding browsers and Flash Player whitelist: if I understood well, even if we put our application URL in whitelist, it won't work in Chrome/Firefox/Edge in January 2021, because these browsers are going to block Flash Player 100% after December 2020. Am I right?
What about these browser versions and Flash Player whitelist in January 2021? Can you confirm if they would be able to run a Flash application in 2021?
- Old Chrome/Firefox/Edge version + Flash player whitelist, making sure that browsers won't update.
- Non mainstream browser (e.g. one based on Chromium, but not Chrome) + Flash player whitelist.
- We have also tried "translating" our web application to Air Desktop application, but it requires installing Flash Player in order to run. Would this work in January 2021 with/without whitelist? I've also read that Windows will remove Flash Player via Windows Update.
I hope jeromiec83223024 or another Adobe employee/user can answer all these questions and clarify this topic in order to make a decision. As I said, Harman sounds good, but depending on the performance and pricing maybe we have to create an isolated environment.
Thanks in advance.
I have the same problem. Do you have any answer from an Adobe employee?
Unfortunately, nobody answered my last comment. Maybe you can try creating a separate thread with these doubts.
You can also take a look at Harman packaged browser solution, and Flash Player licensing options:
Sorry about that. Apparently I'm not getting email notifications from forum posts, or they're getting filtered out.
Yeah, your sense is correct. The allowList feature is about enabling sysadmins to reduce their attack surface by limiting the domains that Flash Player will load content from. It's not going to help you in a scenario where the browser's plug-in APIs go away. It's really there to help you lock down an isolated environment where you need to run an old browser and Flash combination while you work on a long-term migration effort.
A link to the official EOL statement follows. It links off to the official roadmaps to each of the major browser vendors, which detail their timelines for removing Flash support. https://theblog.adobe.com/adobe-flash-update
If it were me, and I was going the isolated environment route, I'd probably approach this by exposing an ephemeral machine instance to my users via Citrix that was pinned to an old browser and Flash combination. That's a well-worn path for legacy intranet applications (particularly for applications that depended on proprietary IE behaviors in older Windows versions).
For Adobe AIR (which is also EOL - Harman is maintaining the current SDKs), you don't need Flash Player installed. If you're trying to use badge install (having users install the application from an embedded installer on a webpage), that leverages Flash Player to kick off the AIR application install process, but it's not strictly necessary. You can just have users download the AIR installer and run it manually. You can also use AIR to generate a "captive runtime" application, which is just a standalone .exe without a dependency on the AIR shared runtime being installed. I think most people use captive runtime these days, especially on mobile.
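The allowList settings discussed in this thread live in mms.cfg. The following is an added example, not code from any poster, Adobe or HARMAN: a small audit that flags a disabled allow list and over-broad URL patterns. The key names `EnableAllowList` and `AllowListUrlPattern` and the accepted values `1`/`true` are assumptions to check against the Flash Player Admin Guide for your version, and the host names are constructed placeholders.

```python
# Added example: audit an mms.cfg allow list. Key names are assumed from the
# Flash Player Admin Guide; verify them against the guide for your version.

# Constructed sample; host names are placeholders.
SAMPLE_MMS_CFG = """\
EnableAllowList=1
AllowListUrlPattern=https://flexapp.intranet.example/
AllowListUrlPattern=http://reports.intranet.example/
AllowListUrlPattern=*://*.example/
"""


def parse_mms_cfg(text):
    """Return (key, value) pairs; keys can repeat, so a dict would lose entries."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line:
            continue  # blank or malformed line
        key, value = line.split("=", 1)
        pairs.append((key.strip().lower(), value.strip()))
    return pairs


def audit_allowlist(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    pairs = parse_mms_cfg(text)
    findings = []
    enabled = [v.lower() for k, v in pairs if k == "enableallowlist"]
    if not enabled or enabled[-1] not in ("1", "true"):
        findings.append("allow list is not enabled (EnableAllowList)")
    patterns = [v for k, v in pairs if k == "allowlisturlpattern"]
    if not patterns:
        findings.append("no AllowListUrlPattern entries")
    for pattern in patterns:
        scheme, sep, rest = pattern.partition("://")
        host = rest.split("/", 1)[0]
        if not sep or scheme.lower() != "https":
            findings.append(f"{pattern}: not pinned to https")
        if "*" in host:
            findings.append(f"{pattern}: wildcard host")
    return findings


if __name__ == "__main__":
    for finding in audit_allowlist(SAMPLE_MMS_CFG):
        print("FINDING:", finding)
```
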
Read this in July but forgot to say: thanks for your detailed answer!
Hello, I am from Argentina. I found a way to use Flash Player applications inside an Electron app in order to run a SWF. This app could be installed using electron-builder on Windows, Mac, or Linux.
I already tested my application made in Electron and it is running OK today. I changed my date to 23-01-2021 and it is running, but I have to use version 31 of Pepper Flash Player. This file is inside the installer package built by electron-builder, just to avoid version collisions.
Let me know if you need some help. I can share my code; it is very small, it is just to run an Electron app and open a WindowBrowser.
This is a workaround, just for a short time. I don't have the proper budget to migrate the whole Flex application this year.
Embedding Flash Player inside any app requires a Flash Player distribution license.
Yes, I am using Pepper Flash Player. It is working well.
To be clear, this violates our EULA. If you want to distribute Flash Player in an application, you would need to acquire a distribution license granting you the permission to do that.
Hi, how are you? I am also from Argentina and I have the same problem. I found a solution that looks promising so far. My e-mail is [moderator: deleted personal information as per forums policy]. If you like, we can work out a combined solution.
Hi Mariano, what did you do?
Are you using a web app or desktop?
[moderator: deleted personal information as per forums policy]
Thank you for your help.
I have some custom applications which were already developed in Flash Builder, and our applications will run on the server with SWF files.
I am seriously worried about what will happen after Jan 1 2021.
Could you please help me with how to overcome this problem, to make sure our Flex solution keeps running?
Could you please provide me if any suggestions and code?
Let us suppose your users need Flash Player. It depends what you deploy. Is it an SWF? If so, that's easy to answer, they will stop working for most users. The server is not the issue, clients will no longer run Flash Player. "Could you please provide me if any suggestions and code?" There is no magic solution. Three years were given for projects to be remade, often from the start. You have only 5 weeks left.
In a blog post:
Microsoft states third-party provided Flash Player versions (like the HARMAN one) will work in IE 11 & in Microsoft Edge IE mode.
This is a serious issue for us, as we have some legacy hardware which is configured via a Flash web UI. You know, it's more than just web servers that have web interfaces. We've already had no end of trouble with deprecated SSL algorithms. Running a dedicated machine is not a workable solution as old versions of the OS and browser become unavailable. New operating systems no longer run older web browsers. Old operating systems don't work on new hardware. Old hardware breaks and is difficult to find. We can't ask any of our vendors if they could supply or repair such an old PC because the answer is always no. I've been down this path quite a few times. Thank you.
I developed an envelope to run my SWF application.
I use Electron to run the SWF file.
For enterprises that are dependent on Flash Player, there are a couple options available to keep legacy applications alive.
Technical details can be found in the Flash Player Admin Guide, including Enterprise enablement feature:
Original end-of-life announcement, from July 2017 and general FAQ:
How could you end it like that? When I am in school, Flash games were the only things that keep me sane enough to be around people, so thanks, Flash, for ruining my life. [rude remarks removed by moderator.]