How to keep Enterprise Flash Applications accessible in 2021

Introduction

Neither SAP nor I can give any warranty or support for Adobe Flash and if you repeat any steps  described here, you do this on your own risk.

As Adobe announced, Flash player support will be dismissed end of 2020/beginning of 2021.

If enterprises are running applications based on Adobe Flash, it is strongly recommended to migrate them and disable Adobe Flash Player on all clients, as also security fixes will be discontinued.

For some cases though, there might be no migration options due to several reasons – and in order to continue operations, it will then be necessary to keep Flash Player active for a number of clients.

This blog post shall give an overview about findings and the impacts of the Flash Player End Of Life (EOL), in case you require to continue running Flash-based applications in 2021.

SAP has published Notes regarding different products on this topic covering official information, e.g.:

https://launchpad.support.sap.com/#/notes/2993618

https://launchpad.support.sap.com/#/notes/2905660

https://launchpad.support.sap.com/#/notes/2905488

The company HARMAN is taking over the official role of a distributor for enterprise customers and will deliver maintenance for Adobe Flash.

In case you are insecure, you should rather get in contact with HARMAN.

If you try to keep Flash running on your own, always keep in mind the security risk of running outdated or unpatched software – and secure it in other ways.

Announced facts about end of flash support

• Adobe will stop supporting Flash after December 31st, 2020
• Browser Vendors have announced to remove support for flash plugins and APIs starting early 2021.
  • Chrome/Chromium:  version 88+ will remove flash support January 2021
  • Firefox: version 85 will remove flash support in January 2021
  • Firefox Extended Support Release 78 (supported until June/October 2021) can further be used to run Flash
  • Microsoft has announced to remove Flash with an optional Windows Update from installations and also shut down distribution sources
• Adobe Flash installations have a system-time-controlled “kill switch” that blocks functioning for most clients as of January 12th, 2021
  • This can could be observed by setting a client’s time ahead to a later date prior to Flash EOL
  • Technically the “kill switch” consists of an enforced allow-listing after EOL
• Adobe announced to shut down distribution sources beginning of 2021 which might stop online installers and referencing package distributions (e.g. on Linux) from working

Possible Mitigations

• Install Flash on your machines within year 2020
  • In case you have problems installing flash on your machine, you can acquire full installers for your machine from help page, section “Still having problems”, at least until end of 2020.
  • Update January 22, 2021: Adobe download pages seem inaccessible meanwhile, though I was still able to find trustworthy mirrors for the Flash Player installer
• Apply mms.cfg to disable the “kill switch” in client flash installations, according to Adobe Flash Admin Guide
  • As of January 12th (after EOL), only allow-listed hosts are accessible as the Parameter “EnableAllowList=1” is enforced (page 31).
  • Therefore, you will have to use the configuration file to allow flash usage specified hosts only with parameter “AllowListUrlPattern” – this also helps to reduce security risks of flash usage
•  A Microsoft blog previews that a cumulative update or monthly rollup will remove policies regarding Flash Player as of summer 2021 for Internet Explorer and Microsoft Edge
  • By blocking or not installing the optional KB for removal, it might be possible to continue running flash in Internet Explorer or Edge legacy mode until summer, blocking the announced cumulative update/rollup even further
• Install a browser version that still supports flash and disable automatic browser updates
  • Update January 22, 2021: Firefox ESR 78.6.1 still plays Flash content and is downloadable at Mozilla
• The open source community heavily increased push frequency on flash support, e.g. in Lightspark or Ruffle and might be a solution for a rising number of use cases while not having 100% coverage yet

An example of a working mms.cfg file can e.g. contain the following (replace the AllowListUrlPattern parameters with hosts and ports matching for your scenario):

EOLUninstallDisable=1
SilentAutoUpdateEnable=0
EnableAllowList=1
AutoUpdateDisable=1
ErrorReportingEnable=1
AllowListUrlPattern=https://my-flash-host:8443
AllowListUrlPattern=https://my-flash-host2:8283

Remark: In some older versions of Flash Player, still the deprecated wording is recognised exclusively. Therefore, in case of problems e.g. with older versions of Internet Explorer, you might have to replace EnableAllowList, AllowlistPreview, AllowListUrlPattern by EnableWhitelist, WhitelistPreview, WhitelistUrlPattern.

This is not documented in the Flash Admin Guide.

Location of the file can be derived from Adobe Flash Admin Guide. Examples:

• MacOS: /Library/Application Support/Macromedia
• Windows x86: C:\Windows\System32\Macromed\Flash
• Windows x64: C:\Windows\SysWow64\Macromed\Flash

Update January 22, 2021: The AllowListUrlPattern entries are obligatory for further use. Make sure all your systems are entered here.

I personally tested MacOS and Windows Server 2016 on my machines using the config above with Firefox ESR (version 78.5.0esr) – I cannot guarantee it working in your environment, but I will keep testing and add further information to this blog post.

Internet Explorer still works for me as well – while Chrome and Chromium Edge updated in my environment and are not capable of running flash anymore.

Due to availability and support timeframes, I’d go for both Firefox ESR and Internet Explorer.

Summary

If you need to continue using Browser-Flash applications in 2021, you have a few options to do so.

According to the announced information, for working environments there should not be an impact before January 12th.

1. HARMAN can help you with a supported enterprise distribution of Flash Player as “Packaged Browser” solution
2. If you have got Flash already installed on your machines, it might be sufficient to block updates for one specific browser such as Chrome, Chromium-based browsers (like e.g. the new Microsoft Edge) or Firefox (ESR) and apply an mms.cfg as in the example above
3. If you are using Microsoft Internet Explorer or Edge Legacy mode, make sure to not install or block the Windows updates containing the removal of Flash as well as Flash integration components on the clients where you need to continue running flash. In any case you will have to add an mms.cfg as above

If you have got a working environment, it might be beneficial to save a backup/snapshot of it – in case you need to restore due to a failure or by error installed an update removing functionality.

I will update this blog post with findings that arise in the future, as the current situation is only a preview on the options available.

Changelog:

• January 22, 2021: Added a few more findings and statuses across the guide, fixed allow-list-related statements
• January 29, 2021: Added more precision explaining the “kill switch”
• March 1, 2021: Added remark regarding non-documented, older wording for mms.cfg thanks to Marek’s comment