On January 12, just after 8:15 a.m. local time, computers began to malfunction at the Dalian Railway Operations Depot in northeast China. The dispatchers' browsers were not loading the details of the train schedules. Six hours later, dispatchers also lost the ability to print train data from the web application. According to the depot's account on Weibo and WeChat, and a follow-up post a few days later, the system faltered for 20 hours before IT staff finally stabilized it. The culprit seems to have been a seismic, but not unforeseen, change on the internet: the death of Adobe Flash Player.
At the end of 2020, Adobe completely ended support for its infamous but nostalgic media platform. On January 12, Adobe took things one step further, triggering a kill switch it had been distributing in Flash updates for months that prevented content from running in the player – essentially rendering the software inoperable. The company had warned of the transition for years, as browsers like Chrome and Firefox gradually pushed users to other standards. Apple has spent a full decade trying to wean web developers off Flash. But organizations like the Dalian Depot did not get the memo. Frenzied employees ended up hacking older versions of the software and even modifying them to run on different versions of Windows to stabilize the system.
“More than twenty hours of combat. No one complained. No one gave up. By solving the Flash problem, we turned the glimmer of hope into an engine of progress,” officials wrote in a post mortem, as translated by reporter Tony Lin.
The Dalian Depot incident is a testament to the reality that Flash is not really dead yet and will persist – sometimes unbeknownst to anyone – in networks around the world. Mainland China is the only region in the world where Flash will still be officially available, via a distributor with which Adobe partnered in 2018. But some users have complained about problems with the dedicated Chinese version of the program and found workarounds to continue using the regular edition.
After decades of abuse by hackers, especially those who run malicious adware, Flash installations – whether forgotten or intentionally maintained – could expose networks for years to come. Versions of the software that haven’t been updated recently don’t have the kill switch inside, after all. And since Adobe no longer supports the software, there will be no more security patches for any new Flash vulnerabilities that are discovered.
“Flash Player may remain on your system unless you uninstall it,” Adobe said in an FAQ. “Adobe has blocked Flash content from playing in Flash Player effective January 12, 2021, and major browser vendors have disabled and will continue to disable Flash Player after the end of life date.”
In October, Microsoft also released an optional update for Windows 8 and higher, which removes the built-in version of Flash from the operating system.
Despite this multi-pronged strategy, some installations will persist. In addition to the risk that organizations will not update their software, Adobe’s latest version of Flash included a special enterprise feature that allows network administrators to essentially override the kill switch and put Flash features on an “allow” list. “Any use of the permissions list at the domain level … is strongly discouraged, will not be supported by Adobe and is entirely at the user’s own risk,” the company said.
Even organizations that uninstall Flash from their desktops will still have to worry about the versions bundled in browsers if they don’t update them regularly. For systems that don’t or can’t receive updates easily, these two Flash Player locations can mean double the exposure.