Flash as a IT security concern

Good morning everyone!

I'm new to the e-learning content development scene and have been learning a lot from this forum about developing modules for clients. However, I have come across some client requirements that limits certain aspects of development.

Some clients have expressed that they do not want flash in their module due to IT security concerns. Now, we can easily fulfill this request by not using any .swf files at all in the module, and use simple animations, graphics and videos for the module. However, the real issue arises when we publish the file as a scorm package and upload it to the lms. This draws 2 questions.

1) The package itself contains some type of story.swf file, will this affect the IT security requirement in any way? Could we just delete or exclude it?

2) Our team suggested editing the package so that the lms loads the index_lms_html5 file by default. I would prefer not using the html5 format as the animations are not really properly processed and displayed. Would the use of the index_lms file somehow fail the flash requirement?


I know it sounds abit complicated, but if any technical guys or users can relate with this experience do let me know.


8 Replies
Dave Cox

Hi Tommy,

At present, Storyline always publishes the flash files, and there are no provisions to publish without them. 

You can modify your file to always run the HTML5 version only. Here is an article that shows how. You certainly could try to attempt to delete the files, but it may be more trouble than it is worth. The simpler and better method to prevent flash from running on a device is to remove the flash player from the device. It departments can easily accomplish this. If a device does not have the flash player, then the HTML5 content will run, if you published your file with the HTML5 files. If not, then the project will not be able to run.

You also say you would prefer to not use the html5 format. You are either going to have to use the flash format, or the html5 format. 

I believe that most of the security issues have to do with running flash that is set for internet security on your local drive. This is what the new version of Chrome is not blocking. You should still be fine to run flash from a URL, which is how it runs when you run your content from the LMS. 

Dave Cox

Interesting Article Dave. 

While it is true that swf files can be a security concern, not all swf files are security concerns. And no, LMSs do not protect you from this security concern. But like anything, this has to be taken in context. The real security concern is from swf files, and other code files that contain malicious code. This is always going to be a problem. Even if we remove all ability to play flash from our systems, hackers will find a new way to launch attacks. Windows is particularly vulnerable, simply because it is the most widely used OS. 

So what can we do? The most important thing that we can do, is be vigilant. Be careful where you download files from that may contain malicious code. The swf files that come from Articulate and Adobe's software is generally designed for specific training purposes, for a very targeted audience, and placed on controlled servers and LMSs. In general for this to happen in the corporate or university environment, the IT departments are fully aware of this activity, and can help monitor it as part of their overall security plan. This way users can feel confident that training that they take from these LMS systems are safe and will not cause problems for them on their system. So the key here is to be careful where you access sites that contain malware.

So when my users ask if our training packages are safe, I can say with confidence that they can safely access these packages. Flash in itself isn't the problem. It is only those files that intentionally have malware that create the problem. I'm pretty sure that as designers, we are not creating content that contain malware for our users.

Dave Howard

Once again, a learning professional on this forum misses the whole point and gets defensive about Flash.
It's like saying we don't need a measles vaccine because only people with measles are contagious.
Well, you do you. Follow your bliss.

Thank you,

Dave Howard
Instructional Design Supervisor
ESET North America
Office: +1 619-876-5584
Mobile: +1 619-204-6450
610 West Ash St, Suite 1700
San Diego, CA 92101

Dave Cox

Who's getting defensive now? 

There is always risk, in just about anything you do. You always have to be aware of risk, and do what you can to mitigate the risk. That doesn't mean that we should panic and hide our heads in the sand. At the moment, flash is still one of the few tools that we have to do what we need to do. That will probably change in the future, but we still have to develop with what we have today.

As I said earlier, your article was very interesting, and I appreciate your posting it. Still, we have to continue to work with what we have as we strive to get better tools. 

Tommy Yong

Hi everyone,

Thank you so much for the help and replies. I think I have a better understanding of this now and I will definitely try out coding the html files to make them launch html5 version by default. I just wish flash files didn't produce that much concern to clients and we can focus on the e-learning design. Anyway thanks again guys!