On January 12th, shortly after 8:15 a.m. local time, computers began to malfunction at the Dalian train depot in northeast China. Dispatchers' browsers did not load train schedule details. Six hours later, the dispatchers also lost the ability to print train data from the web app. According to the depot's account on Weibo and WeChat, and a follow-up post a couple of days later, the system remained unstable for 20 hours before IT staff finally stabilized it. The culprit seems to have been a seismic, but not unforeseen, change on the Internet: the death of Adobe Flash Player.
At the end of 2020, Adobe ended support for its infamous multimedia platform. On January 12, Adobe took things a step further, triggering a kill switch that it had been distributing in Flash updates for months and that prevents content from running in the player, essentially rendering the software inoperable. The company had warned about the transition for years, while browsers like Chrome and Firefox gradually pushed users toward other standards. Apple spent a full decade trying to push web developers away from Flash. But organizations like the Dalian depot did not get the message. Frantic employees ended up hacking older versions of the software, even modifying them to run on all the different versions of Windows, to stabilize the system.
“More than twenty hours of struggle. No one complained. No one gave up. By solving the Flash problem, we turned the vision of hope into the fuel for advancement,” officials wrote in a postmortem, as translated by journalist Tony Lin.
The Dalian depot incident speaks to the reality that Flash is not yet dead and will remain in place, sometimes unknowingly, on networks around the world. Mainland China is the only region in the world where Flash will still be officially available, through a distributor with which Adobe partnered in 2018. But some users have complained about issues with the dedicated Chinese version of the program and have found workarounds to continue using the regular edition.
After decades of abuse by hackers, particularly those running “malvertising” schemes, Flash installations, whether forgotten or intentionally maintained, could expose networks for years to come. After all, versions of the software that have not been recently updated do not have the kill switch. And because Adobe no longer supports the software, there will be no security patches for new Flash vulnerabilities that come to light.
“Flash Player can stay on your system unless you uninstall it,” Adobe says in a frequently asked questions page. “Adobe has blocked Flash content in Flash Player as of January 12, 2021, and major browser vendors have disabled and will continue to disable Flash Player after the EOL date.”
In October, Microsoft also released an optional update for Windows 8 and later that removes the built-in version of Flash from the operating system.
Despite this cross-platform strategy, however, some installations will persist. In addition to the risk of organizations not updating their software, the latest version of Adobe Flash included a special enterprise feature that allows network administrators to essentially override the kill switch and place Flash features on an “allow” list. “Any use of the domain-level permission list … is strongly discouraged, will not be compatible with Adobe, and is entirely at the user’s own risk,” the company states.
Even organizations that uninstall desktop Flash will still have to worry about browser versions if they don’t update them regularly. For systems that don’t get updates easily, or at all, these two Flash Player locations can mean twice as much exposure.