1 October 2020

UK NCSC to admins: Do not disable app and browser updates to continue to use Adobe Flash Player past its EOL



The UK’s National Cyber Security Centre (NCSC) has issued a warning alerting users and system administrators to the risks of using the Adobe Flash Player plugin once the software reaches its end-of-life (EOL) date, set for December 31, 2020.

As the cyber security agency explains, Flash Player is plagued by more than 100 recognized vulnerabilities, including critical bugs disclosed as recently as June 2020. By exploiting these flaws, attackers could compromise targets via adverts or distribute ransomware.

“Vulnerabilities in Flash are concerning, but from next year, such vulnerabilities could remain unpatched indefinitely, just waiting to be exploited. At that point, reliance on Flash Player could be disastrous,” the agency warns.

One of the NCSC’s main concerns is that enterprise and other networks that rely on legacy web apps and desktop software will continue to use Flash to display multimedia content or to support features such as file uploads, file explorers, and loading screens. The fear is that, to keep these apps working for users, some system administrators will disable the update mechanisms in these applications or in web browsers.

“Just to be clear: You should not disable browser and/or platform updates as a way of continuing to use Adobe Flash Player after 2020,” the agency said.

“Instead, we encourage you to work alongside your suppliers to remove Flash dependencies. Any vendors that are unwilling, or unable, to do this should, themselves, be considered risky,” the NCSC added.

In June, Adobe itself recommended that users uninstall Flash Player before the EOL date.
