Preparing for Flash and Office 2010 end-of-life

The imminent end of Microsoft's support for Adobe Flash is a good excuse to see what other end-of-life applications running on your Windows network could leave you vulnerable.

Running software past its end of life introduces risk to your organization. It means you will no longer receive security updates and patches for newly discovered vulnerabilities. Sometimes the business requires that you continue to use an unsupported product. Adobe Flash is a case in point.

Microsoft recently announced plans to phase out Flash support in its operating systems by the end of 2020. As more firms and websites move to HTML5, WebGL, and WebAssembly, the need for Flash has diminished. Microsoft is ending support for Adobe Flash Player on Microsoft Edge (both the new Microsoft Edge and Microsoft Edge Legacy) and Internet Explorer 11.

In fall 2020, an “Update for Removal of Adobe Flash Player” will be available via Microsoft Update Catalog, Windows Update and WSUS that permanently removes Adobe Flash Player as a component of Windows OS devices.

Secure options for using Flash past Windows end of support

If your enterprise relies on Flash, what are your options? Adobe is working with licensing partner Harman to provide enterprises with support and security options for Flash. Among the options is the ability to create a list of approved domains that Flash may run.

Starting with the June 2020 release of Flash, you can configure Flash player to allow content only from a list of allowed URLs you trust and block all other content. Allowed content will continue to work on your system past the end-of-life deadline but is not recommended and should be done only as a last resort. Attackers will look for Flash and try to exploit it. The June release also provides logging capabilities to determine what Flash content is being used by client systems. Enterprise enablement allows you to turn on preferences such as AllowListPreview, TraceOutputEcho, EnableAllowList and AllowListRootMovieOnly.

You may wish to block the end-of-life notifications that will begin in the latter half of 2020. As noted in the Flash administration guide, you can set the properties in the mms.cfg to disable the prompt. Either set AutoUpdateDisable = 1 or add the value of EOLUninstallDisable = 1. The file is located at C:\Windows\SysWOW64\Macromed\Flash\mms.cfg for 64-bit installations and C:\Windows\System32\Macromed\Flash\mms.cfg.

bradley endlife 1 Susan Bradley

Location of mms.cfg

In the new release of Microsoft Edge (Chromium), Flash is disabled by default. If you need to enable it, go to “Settings” and “more > Settings”. In the left navigation, select “Site permissions” and then”Adobe Flash”. Set the toggle on for the “Ask before running Flash” option.

You can proactively disable Flash now in your Windows 10 Edge deployments to ensure that no one can use it. Review your Group Policy settings to ensure you have the proper ADM template deployed. Download the templates from the Microsoft website and deploy them into your Group Policy central store. In the Edge Group Policy setting for “Allow Adobe Flash”, set the value to disabled to block Flash on Windows 10.

bradley endlife 2 Susan Bradley

Edge Group Policy settings

Other Windows applications reaching end of life

The Center for Internet Security (CIS) posts a list of software that is nearing its end of life. Use the list to track software that is coming to its end of life. Past reports include October 2019, December 2019, February 2020, March 2020 and June 2020. As noted in the CISA tips on patching software, using unsupported software risks having vulnerabilities that can’t be fixed. It can also cause software compatibility issues as well as decreased system performance and productivity.

It’s recommended that you stop using software that is no longer supported. At a minimum, isolate end of life software products and block their ability to access the internet or interact with systems that connect with the web.

For those of you still running Office 2010, be aware that as of October 13, 2020, Office 2010 will no longer receive security updates. Microsoft indicates that the following Office applications will no longer be patched:

  • Access 2010
  • Dynamics GP 2010
  • Excel 2010
  • Excel Mobile 2010
  • Exchange Server 2010 (all editions)
  • FAST Search Server 2010 (all editions)
  • Groove Server 2010
  • Office 2010 (all editions)
  • OneNote 2010
  • PowerPoint 2010
  • Project 2010
  • Publisher 2010
  • Search Server 2010
  • System Center Data Protection Manager 2010
  • System Center Essentials 2010
  • Visio 2010 (all editions)
  • Word 2010
  • Windows Embedded Standard 7
  • Office 2016 for Mac (all editions)
  • Excel 2016 for Mac
  • Outlook 2016 for Mac
  • PowerPoint 2016 for Mac
  • Word 2016 for Mac

If you use any of these platforms, plan on migrating away from them as soon as possible. Office is risky to run after it’s been placed into end of life and will no longer be patched. Attackers often use Office to gain more access to a system. Office typically has at least one remote code execution every month. September 2020’s security updates fixed 13 vulnerabilities that could enable remote attackers to execute arbitrary code on vulnerable systems. Office 2010 will not offer the ability to purchase extended support.

Exploiting those vulnerabilities would usually require opening a specially crafted file. If you use Outlook, or any mail program that shows previews for attachments, this could happen even without user interaction. Just viewing the email (with preview) could trigger an exploit. If you consider using Office 2010 after October, understand that your risk level will slowly but steadily grow, as more and more vulnerabilities will be discovered in the product.

Take the time to review your organization for any out of date or soon to be out of date software. Examine your options and review what risks you face from the software you are running on your systems.

Copyright © 2020 IDG Communications, Inc.

Subscribe today! Get the best in cybersecurity, delivered to your inbox.