BARRY COLLINS
Whether they’re trying to make a quick sale or genuinely help users, the firms putting Flash on life support are doing the world no favours
Killing off tech is hard – even when you’re the company that controls it. Around 1% of desktop users still run Windows XP and a ridiculous 25% are still on Windows 7, despite both being many years retired. Similarly, Adobe gave Flash the lethal injection at the end of last year, but there are companies desperate to keep Flash breathing.
In January, PC Pro podcast listeners may remember me yakking on about a piece of software called Surpass Viewer, which the Scottish Qualifications Authority (SQA) was recommending pupils install on their computers so that they could carry on taking the Flash-based assessments the exam board had set.
BTL Group, the company behind the Surpass Viewer, insisted it was safe because its bastardised version of the Flash Player was installed in a container and would only open links from trusted sources, such as the SQA’s own site, and not any other Flash content you threw at it. When I asked BTL why its version of Flash (30.0.0.134) dated back to 2018, two major versions and several security updates behind Adobe’s last release, the company didn’t really answer the question, sending over a statement that concluded with the assertion that “we are confident, as are our clients, that our approach is secure”.
The security expert I spoke to disagreed, saying it left “pupils stuck between a rock and a hard place”. Adobe also disagreed, saying that Surpass Viewer was “not authorised by Adobe” and that “you should not use unauthorised versions of Flash Player”. But still these unofficial adaptations roll on.
Recently, I was approached by another company offering Flash beyond the grave. I’m not going to name it because it might result in someone getting the chop, but it’s indicative of the precarious security situation surrounding these Flash tribute acts.
The PR person approached me, pushing the line that its software – which worked in a very similar fashion to BTL’s – was actually good for security. They showed me figures from security firm Kaspersky, revealing thousands of active Flash exploits that are still occurring, and claimed that “while this short-term solution has some limitations with certain Flash features, overall it is considerably more secure”.
That’s interesting, I said, because Adobe claims that unauthorised versions are a “common source of malware and viruses”. What says your company? Promises of an interview with the CEO were made until the morning of the interview itself, when the PR emailed me with something of a volte-face.
“I’m very sorry but I talked to my team and they have a problem with the security focus… [company name] doesn’t feel (and rightly so) we are qualified to discuss Flash insecurity because it’s a complex topic and we are not security experts (not even Adobe could solve it), even though in [product name] there is an extra layer of security for clients that does in fact make it more secure but, again, it’s a short-term solution.”
So here’s a company freely confessing to not being security experts while maintaining a life-support machine for a piece of software that’s widely regarded as a security risk. It’s almost as if these companies don’t really know what they’re doing.
The firms providing Flashalikes argue they’re only filling a gap in the market. If there weren’t school kids needing to take Flash-based tests or companies with business-critical Flash apps, nobody would buy their wares. They’re Good Samaritans, helping people in their hour of need.
However, it’s not as if Adobe suddenly decided it was cutting off Flash next Tuesday: it announced in 2017 that it would retire Flash by the end of 2020. It gave companies with Flash apps more than enough notice. Even with the pandemic, there’s no good reason why firms shouldn’t have migrated Flash content to some other format with plenty of time to spare.
The fact is, companies are lazy about migrating from death-row software. Nobody buys the false jeopardy of end-of-life deadlines because there will always be someone offering to resurrect it – even if that proves to be a security risk. Never underestimate the power of procrastination.
I like to end my columns with a one-paragraph solution, but I don’t have one this time. Like the software that lives on past its sell-by date, this column has failed to arrive at a satisfactory conclusion. Perhaps you can finish it for me? barry@mediabc.co.uk