The news that Adobe had set an expiration date for the Flash Media Player was likely greeted in various ways at Web businesses around the world, depending on whether they had already migrated to more modern multimedia platforms.
In some IT departments, the word that Adobe will stop supporting the media player at the end of 2020 means more work to check how many corporate websites and applications still depend on flash and what needs to be done to update them to more modern players.
For the security staff, the end of Flash is very good news indeed. Flash, despite its many updates over the years, remains inherently insecure. The Flash player itself is a nearly irresistible target for hackers, and it provides a wealth of entry points for malware of all sorts. Worse, Flash updates were easily spoofed, tricking end users into installing fake updates that contained malware.
Solving a Flash Problem Will Depend on Each Enterprise
The size of the problem depended on what platform your organization supports. Users of Apple’s iOS, for example, should already know that their devices do not support Flash. Android, on the other hand, used to support Flash in versions 4.0 and below, but Flash support ended with Android version 4.1.
The problem is there are a lot of malware attacks that start with a browser pop-up that announces that the mobile device isn’t running Flash and then asks to install it. But since the device won’t support Flash, what’s actually being done is to install some kind of malware that happens to look just like the Flash installer you’d get from Adobe.
Something similar can happen to the Flash players in Windows and MacOS. Flash is supported in those environments, but these days it’s usually turned off. Just like on Android devices, you’ll see the prompt appear from a pop-up asking to install Flash from some unknown website. If you do, you will be installing malware unless you get the installation directly from Adobe.
But the threat doesn’t end there. Flash apps can make use of legitimate Flash players to install and run malware that can sometimes elude antivirus software. Of course, the Flash player itself was a favorite target for hackers because of its ubiquity and its ability to gain control of computer resources.
Updated Flash Players a Mandate
All of this means that the security staff will need to make sure that your organization, as well as devices that can access the company network, run frequently-updated Flash players.
Or they can solve the whole Flash problem by not allowing Flash on any computer or device that’s able to connect to the company network.
This will require some advance notice to your employees. It will also require you to perform a survey of the websites that your organization actually needs to use to do business.
For most organizations, the list should be a fairly small number of commercial sites, a few news sites and perhaps a couple of social media sites. Ask your employees to make a list of the sites they visit every day, and if necessary, what business purposes the sites serve.
Note that this list is probably a small subset of the sites that your staffers actually visit, since it’s not uncommon for employees to do everything from shopping on Amazon.com to visiting dating sites on company time.
No Reason Security Should Be at Risk
While your personnel policies may allow your staff to do things like shopping, there’s no reason that this activity should risk your organization’s security. That translates into a clear path to eliminate Flash, even if it annoys a few people who spend their lunch hours involved in adult activities.
If you do find instances where a few employees need access to sites that require the use of Flash, perhaps a supplier who has yet to convert, then you can limit the use of Flash to specific business functions and still eliminate it from the other computers and mobile devices with access to your network. While you’re at it, you might want to call the supplier’s IT department to find out their plans for converting away from Flash.
It's likely that the switch away from allowing Flash won’t be too onerous. If you limit mobile devices to those that either run iOS or Android 4.1 and later and also limit the Android devices to using apps obtained from the Google Play store, then those devices won’t be a problem. With desktop computers, you can set a group policy that eliminates the Flash software and doesn’t allow employees to install it.
Once you’re taken those steps, your problems are over, at least for that security issue. However, somebody either in your IT staff or at your web hosting company will still need to convert away from Flash to an open standard such as HTML 5.
While all of this may look like a huge annoyance, it shouldn’t be. If you’ve been following good network hygiene and keeping your machines up to date, it’s possible that all of your work is already done.
But assuming there are still steps you need to take, at least you know what you have to do. You might be surprised at how little your organization relies on Flash and how relatively easy it will be to eliminate the use that's left.