Lab software uses Flash! Urgent!

New Here, Feb 03, 2021

My company uses software called Chromescope and the version we use is old and requires Flash Player. I understand that Flash Player was set to phase out three years ago and I understand that there is new software that doesn't use Flash Player that we can eventually get and use (this will take time). Right now, today, I need Flash Player installed on my computer for my company to work.... every day I am down is costing my company 10,000$ and if I can't get this resolved quickly it will severely hurt....

 

I contacted the company that supports us, Waters, and we are in process to get new software and new computers that no longer require this program to run but like I said it will take time. If I can get a version of flash downloaded on my computer I can run my instruments and also my company. If not I am royally F*cked!

 

I am hoping there is something someone can help me do to solve this problem; anything would be appreciated.

Adobe Employee, Feb 03, 2021

You'll need to use the Enterprise Enablement features in Flash Player to enable the application to load whatever it needs.

 

You can read more about Enterprise Enablement in the Flash Player admin guide, here: 
https://www.adobe.com/devnet/flashplayer/articles/flash_player_admin_guide.html

 

Because Flash Player is being used in the context of an application and not a browser, this is *much* easier to do on Windows 7.

 

I wrote this guide up for our enterprise support folks the other day.  It covers the larger context and should give you everything you need to figure this out.  You'll need to look at the mms.cfg and enterprise enablement sections of the admin guide for specifics on where to put files and whatnot.

 

-----

 

Desktop Applications

 

In the early days of Flash Player, distribution of content on interactive CD-ROMs was common practice. This led to later practices of developers embedding Flash Player in desktop applications (typically by embedding an IE window) for more expressive User Interfaces. Flash remains popular for creating animated UI elements in specific scenarios, like HUD overlays in video games.

 

Ultimately, Adobe AIR (now EOL) became the supported platform for desktop application creation using Flash technology. In general, we’ve been actively discouraging developers from building applications that leverage the system Flash Player in embedded browser windows for the better part of a decade, but we try not to break existing applications.

 

In the context of Enterprise Enablement, depending on how Flash Player is leveraged, the application should be able to read and obey directives in mms.cfg. The challenge is around debugging, particularly on Windows 8 and higher, where the ActiveX installation path is controlled by Microsoft, and neither the latest builds nor debugger variants of ActiveX Flash Player are available.

 

Where possible, the easiest way to debug applications that embed the ActiveX Flash Player is to do it on a Win 7 VM, with the debugger installed and configured for file logging (TraceFileOutputEnable=1 in mm.cfg).

Here’s more detail on configuring the debugger:
https://helpx.adobe.com/flash-player/kb/configure-debugger-version-flash-player.html

 

Once configured, you should be able to see the debugging messages when URL requests are blocked by EnableAllowList, just like you would in a browser. Depending on the bit-ness of the application and the version of IE that gets embedded, you may need to put mms.cfg in a different system folder than you would when targeting the browser itself (i.e. C:\Windows\System32 for 64-bit vs C:\Windows\SysWOW64 for 32-bit).

 

In practice, what’s generally happening is that Flash Player requires valid URIs that conform to RFC 3986. In the context of desktop applications, those would most likely be local files, with the expected format of file:///c/users/foo/desktop/bar.jpg.

 

Instead, we’ve been seeing a variety of malformed values getting passed in. These are from a popular open-source project that uses Flash for graphical overlays in broadcast video (news chyrons, etc):

 

*** AllowListPreview: AllowList blocks 'C:\Users\labuser\Desktop\CasparCG Server 2.0.7\CasparCG Server\Server\templates\\cg20.fth.pal'. ***

(note both the wrong format and double backslashes)

 

*** AllowListPreview: AllowList blocks 'file:///C|/Users/labuser/Desktop/CasparCG%20Server%202.0.7/CasparCG%20Server/Server/templates//CASPARCG_FLASH_TEMPLATES_EXAMPLE_PACK_1/ADVANCEDTEMPLATE1.ft'. ***

(note the old-school pipe notation for drive letters)

 

In these instances, there’s no way to target them with an AllowListUrlPattern directive, because they fail the URI validity check before we even get to the code that tries to match the pattern.

 

To work around this issue, we added the EnableInsecureAllowListLocalPathMatching directive, which effectively skips the validity checks, allowing AllowListUrlPattern=file:* to match on whatever you throw at it. If the operating system will resolve it, we’ll match it.

 

This opens a whole can of worms in terms of ambiguous URIs, which can lead to things like unexpected network store traversal via UNC path. Requiring RFC-conformant URIs is intended to solve those issues, but it became obvious as we got more input from the field that there was a class of legacy applications that were not passing in valid URIs.

 

Unfortunately, the addition of EnableInsecureAllowListLocalPathMatching landed in the December Flash Player release (32.0.0.465), which was after the last build that Microsoft shipped for Windows 8 and higher. Organizations that require this feature for the ActiveX Flash Player on Windows 8 and higher will need to license a maintained version of Flash Player from HARMAN in order to gain access to it.
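As an added example (not part of the original post and not Adobe tooling), the sketch below sorts the values from `AllowList blocks` log entries by shape, so an administrator can see which ones fail as URIs and which ones point at a network location. The classification is a heuristic, not Flash Player's own validity check; the last two sample entries and the host name `fileserver` are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed flashlog.txt excerpt: the first two entries are the log lines
# quoted in the post; the last two are made-up values for illustration.
SAMPLE_LOG = r"""
*** AllowListPreview: AllowList blocks 'C:\Users\labuser\Desktop\CasparCG Server 2.0.7\CasparCG Server\Server\templates\\cg20.fth.pal'. ***
*** AllowListPreview: AllowList blocks 'file:///C|/Users/labuser/Desktop/CasparCG%20Server%202.0.7/CasparCG%20Server/Server/templates//CASPARCG_FLASH_TEMPLATES_EXAMPLE_PACK_1/ADVANCEDTEMPLATE1.ft'. ***
*** AllowListPreview: AllowList blocks '\\fileserver\share\overlay.swf'. ***
*** AllowListPreview: AllowList blocks 'file:///C:/app/ui/flow.swf'. ***
"""

BLOCKED = re.compile(r"AllowList blocks '(.*)'\. \*\*\*")

def classify(value):
    """Heuristic shape check; not Flash Player's own URI validator."""
    if value.startswith("\\\\"):
        return "unc-path"              # network share, resolved by the OS
    if re.match(r"[A-Za-z]:\\", value):
        return "raw-windows-path"      # no scheme, backslash separators
    parts = urlsplit(value)
    if parts.scheme != "file":
        return "other"
    if parts.netloc not in ("", "localhost"):
        return "file-uri-remote-host"  # file://host/... also leaves the machine
    if re.match(r"/[A-Za-z]\|", parts.path):
        return "legacy-pipe-drive"     # file:///C|/... drive notation
    if "\\" in value:
        return "file-uri-backslashes"
    return "file-uri"

def triage(log_text):
    """Return [(category, blocked_value)] for every AllowList block entry."""
    return [(classify(m.group(1)), m.group(1))
            for m in BLOCKED.finditer(log_text)]

def needs_review(results):
    """Split out entries that fail as URIs and entries that point off the machine."""
    malformed = {"raw-windows-path", "legacy-pipe-drive", "file-uri-backslashes"}
    network = {"unc-path", "file-uri-remote-host"}
    return {
        "malformed": [v for c, v in results if c in malformed],
        "network": [v for c, v in results if c in network],
    }

if __name__ == "__main__":
    for category, value in triage(SAMPLE_LOG):
        print(f"{category:22} {value}")
```

Entries in the `network` list are the ones to look at first if local-path matching is ever loosened, since those are the UNC-style values the post warns about.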

New Here, Feb 03, 2021

Thank you for the fast response and the attempt to help. I am the Science Director at my company and if we were speaking organic chemistry then I would be in my element but I have to admit I have some issues following everything you are saying here.

My computer for my specific instrument is a Windows 7 operating system that basically only has Chromescope installed on it. The software has a little animated portion that shows the flow of solvent in the instrument (this is the Flash Player part of the program). I can connect the computer to the internet and download whatever I may need to help if that helps. I hope I am not being demanding by asking for a step by step on how to get any version of Flash Player on that computer to try and run my software. It is amazing that by removing Flash Player our 250,000$ piece of equipment turns into a giant doorstop.... 

Any help would be greatly appreciated!

Adobe Employee, Feb 04, 2021

Yeah, that's pretty wild.  Good times. 

 

The optimal solution would be to license a maintained version of Flash Player from HARMAN.  That will give you a copy of Flash Player that your organization can use moving forward, and HARMAN is doing the ongoing maintenance to keep Flash updated with security and functional updates.  From an operational headache perspective, it's money well spent.

 

More details on your options are here, with links to HARMAN's ongoing support offering: 

https://www.adobe.com/products/flashplayer/enterprise-end-of-life.html

 

As a quick and dirty "cross your fingers and hope" solution to get you up and running, you can try this.  It's super permissive and may or may not work.  If it doesn't, you'll need to do the troubleshooting above to figure out what you actually need to allow, and then make the allow rules accordingly.

 

Assuming the application is just loading local Flash assets, just make a text file called mms.cfg and put it in C:\Windows\System32\Macromed\Flash and C:\Windows\SysWOW64\Macromed\Flash

 

It should look like this:

 

 

# Enable the AllowList feature (on by default, but here for good measure)
EnableAllowList=1
# Allow Flash Player to match on non-conforming RFC 3986 URIs 
EnableInsecureAllowListLocalPathMatching=1
# Allow all local files to load
AllowListUrlPattern=file:*
# Allow children of the parent SWF to load anything
AllowListRootMovieOnly=1

 

 

 

At that point, restart your application.  It will either load or it won't. 

 

If it does, great!  It's not the best configuration, and you should -- at your leisure -- take the time to understand the implications and decide whether or not more limited rules would be appropriate for your situation.    

 

If not, you (or one of your IT engineers) are going to have to commit an afternoon to learning more about Flash than you ever wanted to.  Sorry, sincerely.  The instructions above should get you going.  If they don't, send me back the actual log output and your mms.cfg, and I'll try and help.

 

Regardless, you still probably want to talk to HARMAN about licensing the ActiveX Flash Player (and/or pressure your equipment OEM to release updated software in the meantime).
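As an added example (not part of the original reply and not Adobe tooling), the sketch below audits the text of an mms.cfg for the broad settings this thread describes, using only directive names that appear in the thread. The narrower variant and its install path are hypothetical, and the exact pattern syntax should be confirmed against the admin guide.

```python
# The configuration posted in the reply above, reproduced as test input.
SAMPLE_CFG = """\
# Enable the AllowList feature (on by default, but here for good measure)
EnableAllowList=1
# Allow Flash Player to match on non-conforming RFC 3986 URIs
EnableInsecureAllowListLocalPathMatching=1
# Allow all local files to load
AllowListUrlPattern=file:*
# Allow children of the parent SWF to load anything
AllowListRootMovieOnly=1
"""

# Constructed narrower variant; the path is a hypothetical install location.
NARROW_CFG = """\
EnableAllowList=1
AllowListUrlPattern=file:///C:/Chromescope/ui/flow.swf
"""

INSECURE = "EnableInsecureAllowListLocalPathMatching"

def parse_mms_cfg(text):
    """Return [(line_no, key, value)] per directive; '#' lines are comments."""
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            out.append((n, key.strip(), value.strip()))
    return out

def audit(text):
    """Return [(line_no, finding)] for settings worth narrowing later."""
    directives = parse_mms_cfg(text)
    insecure = any(k == INSECURE and v == "1" for _, k, v in directives)
    findings = []
    for n, key, value in directives:
        if key == INSECURE and value == "1":
            findings.append((n, "URI validity checks skipped"))
        if key == "AllowListUrlPattern" and value.endswith("*"):
            scope = "scheme-wide" if value.rstrip("*").endswith(":") else "prefix"
            msg = f"{scope} wildcard pattern {value!r}"
            if insecure and value.startswith("file:"):
                msg += "; with validity checks off this matches any path the OS resolves, UNC included"
            findings.append((n, msg))
    return findings

if __name__ == "__main__":
    for line_no, finding in audit(SAMPLE_CFG):
        print(f"line {line_no}: {finding}")
```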

Adobe Employee, Feb 11, 2021

Just wondering if you were able to get this sorted.  Thanks!
