How to use Flash in 2021
This guide explains how to bypass the ‘kill switch’ in Adobe flash so that it can continue to be used for legacy apps after 12th Jan 2021.
Adobe ended support for Flash at the end of 2020, which frankly is fair enough. Those of us still running some crappy old legacy software that requires Flash, bumped them up the queue of systems to build replacement business cases for, but were largely comfortable that it didn’t really cause much concern in the short term.
However, late last year Adobe announced that they had actually implemented a ‘kill switch’ that would cause existing installs of Flash to simply stop working entirely on 12th of Jan 2021. Panic ensued.
As of today (12th Jan 2021) anyone trying to use their legacy software will see the following icon where their app used to be:
How to fix it
Reading the Flash Player Administrator’s Guide, in a section called: Administration > Enterprise Enablement we find the official solution.
On any device that we want to enable our legacy app on, we need to edit the mms.cfg file that holds the configuration for Flash Player.
This file can be found under:
- /Library/Application Support/Macromedia/mms.cfg on OSX
- C:\Windows\System32\Macromed\Flash\mms.cfg on 32bit Windows OS
- C:\Windows\SysWOW64\Macromed\Flash\mms.cfg on 64bit Windows OS
This file needs to be replaced with the following content:
Obviously, you need to replace http://legacy.app.domain.name:8001/ with the URL of your legacy app.
Once this file is saved, hit refresh in your browser and your legacy web app should load. You do not need to restart the browser (at least not when I tested this on OSX with Firefox) – Flash seems to pick these settings up next time you refresh the page.
This works with the latest version of Flash, so you don’t need to downgrade. It is also reasonably secure as it only enables Flash for specific URLs that you choose, so you don’t have to worry about Dave from accounting’s PC being exposed to any ‘niche’ browsing habits around the seedier corners of the internet…
How does this fix work?
It turns out that the ‘kill switch’ that Adobe is using is actually just to change the default value of the EnableAllowList config flag from the previous default of 0 to the new default of 1.
This config flag has been around for years and allows system administrators to only allow Flash to run on specific URLs. By defaulting this to ON after Jan 12th 2021, they achieve their objective of disabling Flash for most users.
However, if we add any entries to the ‘Allow List’, Flash will continue to run for those URLs!
The AllowListUrlPattern supports all kinds of wildcards and various patterns to match specific URLs and even files. To learn more, take a look at the Flash Administrator’s Guide linked above.
You can test this fix, even before the 12th Jan 2021 by simply setting EnableAllowList to 1 but not adding the appropriate AllowListURLPattern for your legacy web app. This done, if you try to open your legacy web app you will see the big blocking icon shown in the screenshot at the top of this page.
Next add the AllowListURLPattern for your legacy app and save the mms.cfg file. Refresh the page in the browser and t should work fine.
This fix allows Flash to continue to run, disables the prompts to uninstall and disables automatic updates, however, it does not prevent newer browser versions from removing Flash Support. Users who need to access your legacy app will need to use an older version of Chrome or Firefox with automatic updates disabled. The last versions of browsers supporting Flash are:
- Firefox version 84
- Microsoft Edge version 87
- Chrome version 87
It also seems that Microsoft have released a Windows update that will uninstall Flash: Adobe Flash Removal Update for Windows 10 – KB4577586. Sysadmins will probably want to prevent this update from being installed.