Flash is dead—but South Africa didn’t get the memo
February 2, 2021


Why convert Flash upload forms to Javascript, when you could just contract a couple of Russian dudes to build a custom browser with deprecated, unsafe plugins?

Aurich Lawson

The South African Revenue Service ran into a big problem this month: Adobe Flash stopped working on January 12, 2021, and the agency (still) hadn’t migrated all of its e-filing forms from Flash to HTML and JavaScript. So to “fix” the issue, SARS decided to release its own, custom browser with a working Flash plugin preinstalled and enabled.

Adobe announced a timeline for the final death of Flash more than three years ago, with the elderly plugin slated to leave support in December 2020 and be actively blocked from functioning as of January 12, 2021. As of today, the majority of SARS’ online filing system has been migrated to HTML5—but there are still a few languishing holdouts with no HTML5 version in sight. SARS’ new “browser” is a stopgap which allows South African taxpayers and traders access to the remaining forms in the meantime.

Behold:

You are kindly requested to use the SARS browser should access to the forms not yet migrated be required, which include:

RAV01 Registration, Amendments and Verification Form
TDC01 Transfer Duty
IT3-01 Financial Certificate Information
IT3-02 Financial Declaration
TCR01 Tax compliance Status Request
DTR01 Dividends Tax Transactions Information
WTI Withholding Tax on Interest

Please note that the SARS Browser will require software to be installed on your PC and is currently compatible with Windows devices only.

As noted above, the SARS browser is only available for Windows PCs—South African Mac or Linux users will either need to find a Windows PC, resort to filing their returns by paper, or find some other way of getting a working Flash browser plugin.

It gets worse

There are no simple, easy, correct answers to getting Flash working in a modern browser. In the immortal words of many a Star Trek episode, it’s dead, Jim, and shouldn’t be revived. The most recently released (and therefore least-vulnerable) versions of Adobe Flash have a built-in “poison pill” that causes them to cease working as of January 12, 2021, whether or not they’re installed and enabled in a Web browser.

In order to bypass this problem, the SARS browser seems to have been built from Chromium v85.0.4183.121, which was released in September. South African citizen and self-described “Hacker Coder Guy” @HypnInfoSec dug into the SARS browser release and discovered the Chromium version, along with a few other details about the package’s development.

There’s a file named securityreport.bat bundled into the SARS browser’s installation directory. When executed, the batch file installs and runs Electronegativity—a misconfiguration/security problem discovery tool for Electron—against the SARS browser.

As @HypnInfoSec notes, it’s great that the authors were at least thinking about security, but the actual report the tool generates is pretty grim. Electronegativity reported 32 issues with the code, most of which carry a severity of MEDIUM or HIGH and a likelihood of FIRM or even CERTAIN.

SARS from Russia?

One might be tempted to hand-wave the potential security issues flagged by Electronegativity—after all, the SARS “browser” is locked into a sort of kiosk mode intended to prevent it from accessing anything but the SARS e-filing website. @HypnInfoSec discovered another unsettling clue in the included changelog.txt file installed with the browser, however: it doesn’t appear to have been built in South Africa at all.

The five developers named in changelog.txt are Maxim Andreyanov, Andrey Morenkov, Egor Levichev, Alexey Korolev, and Sergey Kashin. While it’s, of course, entirely possible that a South African development firm assigned a team consisting solely of developers with Russian names to this project, that seems unlikely. Rudimentary searching on all five names leads to Moscow-based professional software developers with experience in the telecom industry.

Possible alternatives

If you don’t like the look of the SARS browser—or if you need to run Flash content outside the SARS e-filing website—you still might not be entirely out of luck.

While the Adobe Flash plugin itself is not only deprecated but actively suicidal, there’s a Flash emulator built in Rust called Ruffle. Ruffle is an open source, volunteer-maintained project which implements the majority of Flash functionality.

If you operate a website and want to serve Flash content, you can wrap it in Ruffle and serve it to users with no plugin required. Just put the Ruffle code on your Web server and then include the tag <script src="path/to/ruffle/ruffle.js"></script> on any page which serves Flash content. You can also install Ruffle as an extension in Firefox or Chrome, where it uses WebAssembly to put the pieces together.
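As an added example (not from the article and not the Ruffle project's own code), here is what a self-hosted page that serves a legacy form through Ruffle looks like, following the embedding pattern Ruffle's README documents (RufflePlayer.newest(), createPlayer(), load()); the /ruffle/ and /forms/ paths and the .swf filename are placeholders, and both files are assumed to be served from the same origin so nothing is fetched from a third party.

```html
<!-- Self-hosted Ruffle page: ruffle.js and the SWF are both served from this origin. -->
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Legacy form (Flash via Ruffle)</title>
  <!-- Placeholder path: copy the files from a Ruffle release into /ruffle/ on your server. -->
  <script src="/ruffle/ruffle.js"></script>
</head>
<body>
  <!-- The emulated movie is rendered into this element; no browser plugin is involved. -->
  <div id="container" style="width: 800px; height: 600px;"></div>

  <script>
    // Guard in case another script on the page already defined RufflePlayer.
    window.RufflePlayer = window.RufflePlayer || {};

    window.addEventListener("DOMContentLoaded", () => {
      // newest() returns the Ruffle engine that the loaded ruffle.js bundles.
      const ruffle = window.RufflePlayer.newest();
      const player = ruffle.createPlayer();
      document.getElementById("container").appendChild(player);

      // Load the legacy movie from the same origin (placeholder filename).
      player.load("/forms/legacy-form.swf");
    });
  </script>
</body>
</html>
```

On pages that already embed Flash through <object> or <embed> tags, including ruffle.js alone is enough, because Ruffle polyfills those tags; the explicit script above is for pages that want to create the player themselves.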

We don’t have any South African citizens onboard here at Ars, so we can’t verify whether Ruffle correctly operates the various webforms on the SARS website. But the odds seem good, since the emulator correctly operates quite a few Web games and animations. Ruffle should mitigate most of Flash’s infamous security issues, since its Rust environment guarantees safe memory management.
