By July 1, 2018, Microsoft will have blocked their first batch of users from embedding Adobe Flash, Adobe Shockwave, and even Microsoft Silverlight content inside Office 365 files. The policy change will directly affect information workers who use the Insert Object control in the cloud-powered Office 365 productivity suite to embed content using any of the aforementioned file types into their Word documents, Excel spreadsheets, and PowerPoint slide decks.
Microsoft's plan is to block the embedding option inside Office 365 gradually until the option is gone for good by January 2019. If you're an avid user of Flash content embeds into PowerPoint or Excel, then you likely are upset by this move. But there are two good reasons why Microsoft is putting this policy into place:
- Cybersecurity - Microsoft is implementing the restriction on embedded Flash, Shockwave, and Silverlight because those technologies are often used by cybercriminals in exploit campaigns against Office users. Adobe also recognizes this, and has committed to terminate all support for Flash and Shockwave technology by the end of 2020. Although Microsoft hoped their Silverlight technology would be a viable alternative to Adobe Flash and Shockwave, it also became a popular attack vector for hackers. Like Flash, embedded Silverlight code was used to initiate phishing attacks in Office documents. That's part of the reason why Microsoft is also projected end of support for Silverlight in 2021.
- Obsolescence - While it's true that Adobe Flash and Shockwave enjoyed near ubiquity in the 2000s, the world has moved on since then. Adobe Flash video streaming technology is the reason why we have YouTube. Adobe Shockwave enabled software developers to create literally millions of interactive games playable from a web browser. However, the rise of open web standards such as HTML5 made Adobe's popular proprietary technologies (along with Microsoft Sliverlight) obsolete. Daily usage stats released by Google showed Chrome web browser users who've loaded at least one page containing Adobe Flash content went gone down from 80% in 2014 to under 8% in early 2018. For obvious reasons, the overall Flash/Shockwave/Silverlight user base has shrunk over the last five years to levels that made the cost of supporting these content controls in Office 365 too high—and the return on investment too low—for Microsoft to bear.
So, it was inevitable that Microsoft would enact this policy for cloud-based Office 365 users sooner rather than later. What is surprising about this policy is that it doesn't and won't ever affect users of the legacy standalone Office 2016, 2013, or 2010 versions. It also doesn't cover scenarios where these controls are activated outside of Office 365. The most common example of this scenario is the user who inserts a Flash video into a PowerPoint slide via the Insert Online Video feature. In this scenario, the user is inserting an Adobe Flash video using a URL address which is under control of the web browser rather than the PowerPoint app. Embedding a malware-infected Flash video using this method in Office 365 would require the user either being tricked into using a phony URL or just being lazy about finding content on the web for a presentation. The good news is that both of those scenarios can be avoided with some common-sense cybersecurity training.
If your company has Office 365 and relies on embedding Flash, Shockwave, or Silverlight content into Word, Excel, and PowerPoint then you could have only
weeks to come up with a plan before the block comes into effect. Amaxra is uniquely prepared to help companies in this situation as we are a Gold level Microsoft Partner and our consultants are certified cybersecurity experts.
Contact me at Rosalyn.email@example.com or call 425 749 7471 if you have any questions or comments on this blog.