Flash is dead, but not gone

On January 12, just after 8:15 am local time, computers began to malfunction at the Dalian Train Operation Depot in northeastern China. The dispatchers' browsers were not loading the details of the train schedules. Six hours later, dispatchers had also lost the ability to print train data from the web application. According to the depot's Weibo and WeChat account, and a follow-up post a few days later, the system went on and off for 20 hours before the IT team finally stabilized it. The culprit appears to have been a seismic, but not unforeseen, change on the Internet: the death of Adobe Flash Player.

When 2020 came to an end, Adobe completely ended support for its infamous but nostalgic multimedia platform. On January 12, Adobe went a step further, triggering a kill switch that it had been distributing in Flash updates for months and that blocks content from running in the player, basically rendering the software inoperable. The company had warned about the transition for years, while browsers like Chrome and Firefox gradually directed users to other standards. Apple spent an entire decade trying to steer web developers away from Flash. But organizations like Dalian Depot did not receive the memo. Frantic employees ended up pirating old versions of the software, even modifying them to run on different versions of Windows to stabilize the system.

“More than twenty hours of fighting. Nobody complained. Nobody gave up. When solving the Flash problem, we transformed the glimpse of hope into fuel for advancement,” wrote the employees in a post mortem, as translated by journalist Tony Lin.

The Dalian Depot incident shows the reality that Flash is not really dead yet and will remain untouched – and sometimes unbeknownst to anyone – on networks around the world. Mainland China is the only region in the world where Flash will still be officially available, through a distributor that Adobe partnered with in 2018. But some users have complained about problems with the dedicated Chinese version of the program and have found workarounds to continue using the regular edition.

After decades of abuse by hackers, especially those who run “malvertising” ad schemes, Flash installations – whether forgotten or intentionally maintained – can expose networks for many years. After all, software versions that have not been updated recently do not have a kill switch. And since Adobe no longer supports the software, there will be no security patches for any new vulnerabilities in Flash that surface.

“Flash Player can remain on your system unless you uninstall it,” says Adobe in a FAQ. “Adobe has blocked the execution of Flash content in Flash Player from January 12, 2021, and major browser vendors have disabled and will continue to disable Flash Player from running after the EOL Date.”

In October, Microsoft also released an optional update for Windows 8 and higher that removes the built-in version of Flash in the operating system.

Despite this multifaceted strategy, some installations will persist. In addition to the risk that organizations will not update their software, the latest version of Flash from Adobe included a special corporate feature that allows network administrators to basically override the kill switch and put Flash functions on a “whitelist.” “Any use of the domain-level whitelist … is strongly discouraged, will not be supported by Adobe and is entirely at the user’s own risk,” says the company.

Even organizations that uninstall Flash for desktop will need to worry about the versions built into browsers if they don’t update those browsers regularly. For systems that do not or cannot easily receive updates, these two Flash Player locations can mean double the exposure.
