Adobe, the maker of the once-ubiquitous Flash Player, has removed all Flash components in the latest release of its Reader and Acrobat PDF products ahead of Flash’s official death in December 2020.
The company’s update also contains patches for several critical security flaws that should make the November release imperative for admins to install.
The removal of various Flash components in the Reader and Acrobat November 2020 Release – DC Continuous, Acrobat 2020, and Acrobat 2017 – are listed as this release’s “top new features”.
SEE: Security Awareness and Training policy (TechRepublic Premium)
Adobe notes that Flash is now deprecated and no longer used in its Acrobat DC desktop app. Previously, there were options or a button in Acrobat to collect user responses from a forms file that relied on Flash, such as Update, Filter, Export (All/Selected), Archive (All/Selected), Add, and Delete.
Adobe says the Flash-dependent forms options have been replaced with a ‘secondary toolbar’ containing action buttons to Update, Add, Delete, Export, and Archive those Form responses.
Additionally, Adobe’s PDFMaker menu in Microsoft’s Word and PowerPoint apps no longer have the Insert Media button, which previously allowed Office users to embed Flash content in documents.
“By default, Microsoft has disabled the ability to add Flash or Rich media content in the Office documents. If your document already has flash content embedded in it, Acrobat prevents embedding of Flash or Rich media in the converted PDF file and adds an image instead,” Adobe notes.
“If you have enabled the Flash content in Microsoft documents, Acrobat adds a blank box in the converted PDF file.”
The removals are part of the industry-wide effort to eliminate Flash from mainstream browsers by end of this year. Adobe, Apple, Facebook, Google, and Mozilla in 2017 announced they would end support for Flash in their browsers by December 2020.
Microsoft in October released an update for all supported versions of Windows that permanently removes Flash from the operating system. It released the Flash-killing update to let admins test the impact of no Flash on business applications.
The security component of the new update addresses three critical memory-related flaws that if exploited “could lead to arbitrary code execution”, according to Adobe.
These include a heap-based buffer overflow, CVE-2020-24435, an out-of-bounds write, CVE-2020-24436, and a use-after-free vulnerability, CVE-2020-24430 and CVE-2020-24437.