Flash is dead—but South Africa didn’t get the memo
Adobe announced a timeline for the final death of Flash more than three years ago, with the elderly plugin slated to leave support in December 2020 and be actively blocked from functioning as of January 12, 2021. As of today, the majority of SARS’ online filing system has been migrated to HTML5—but there are still a few languishing holdouts with no HTML5 version in sight. SARS’ new “browser” is a stopgap that allows South African taxpayers and traders access to the remaining forms in the meantime.
You are please requested to use the SARS browser should access to the forms not yet migrated be required, which include:
RAV01 Registration, Amendments and Verification Form
TDC01 Transfer Duty
IT3-01 Financial Certificate Information
IT3-02 Financial Declaration
TCR01 Tax compliance Status Request
DTR01 Dividends Tax Transactions Information
WTI Withholding Tax on Interest
Please note that the SARS Browser will require software to be installed on your PC and is currently compatible with Windows devices only.
As noted above, the SARS browser is only available for Windows PCs—South African Mac or Linux users will either need to find a Windows PC, resort to filing their returns by paper, or find some other way to get a working Flash browser plugin.
It gets worse
There are no simple, easy, correct answers to getting Flash working in a modern browser. In the immortal words of many a Star Trek episode, it’s dead, Jim, and shouldn’t be revived. The most recently released (and therefore least-vulnerable) versions of Adobe Flash have a built-in “poison pill” that causes them to cease working as of January 12, 2021, whether or not they’re installed and enabled in a Web browser.
In order to bypass this problem, the SARS browser seems to have been built from Chromium v85.0.4183.121, which was released in September. South African citizen and self-described “Hacker Coder Guy” @HypnInfoSec dug into the SARS browser release and discovered the Chromium version, along with a few other details about the package’s development.
There’s a file named securityreport.bat bundled into the SARS browser’s installation directory. When executed, the batch file installs and runs Electronegativity—a misconfiguration/security problem discovery tool for Electron—against the SARS browser.
As @HypnInfoSec notes, it’s great that the authors were at least thinking about security, but the actual report the tool generates is pretty grim. Electronegativity reported 32 issues with the code, most of which have a severity of HIGH as well as a likelihood of FIRM or even
SARS from Russia?
One might be tempted to hand-wave the potential security issues flagged by Electronegativity—after all, the SARS “browser” is locked into a sort of kiosk mode intended to prevent it from accessing anything but the SARS e-filing website. @HypnInfoSec discovered another unsettling clue in the included changelog.txt file installed with the browser, however: it doesn’t appear to have been built in South Africa at all.
The five developers named in changelog.txt are Maxim Andreyanov, Andrey Morenkov, Egor Levichev, Alexey Korolev, and Sergey Kashin. While it is, of course, entirely possible that a South African development firm assigned a team consisting solely of developers with Russian names to this project, that seems unlikely. Rudimentary searching on all five names leads to Moscow-based professional software developers with experience in the telecom industry.
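The kiosk-style lock mentioned above only protects users if every navigation is checked against an exact origin. The following is an added example of such a check, not code from the SARS browser; the host efiling.example, the sample URLs and the function names are assumptions made for illustration.

```javascript
// Added example: origin allowlist for a kiosk-style Electron wrapper.
// efiling.example is a placeholder host, not the real e-filing address.
const ALLOWED_ORIGINS = new Set(['https://efiling.example']);

// Returns true only when the parsed URL is HTTPS, carries no embedded
// credentials, and its normalised origin is exactly on the allowlist.
function isAllowedNavigation(rawUrl, allowed = ALLOWED_ORIGINS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparseable input is refused, never guessed at
  }
  // blob:, file:, data: and javascript: URLs must not inherit trust.
  if (url.protocol !== 'https:') return false;
  // "https://efiling.example@other.test/" really points at other.test.
  if (url.username || url.password) return false;
  // url.origin is scheme + lowercased host + non-default port, so a
  // lookalike such as efiling.example.other.test never matches.
  return allowed.has(url.origin);
}

// Constructed sample navigations, for illustration only.
const SAMPLE_URLS = [
  'https://efiling.example/forms/rav01',
  'https://EFILING.example:443/login',
  'http://efiling.example/forms/rav01',
  'https://efiling.example.lookalike.test/',
  'https://efiling.example@lookalike.test/',
  'blob:https://efiling.example/1234',
  'file:///C:/Users/Public/form.html',
];

// Returns the subset of URLs the kiosk should refuse to load.
function blockedFrom(urls) {
  return urls.filter((u) => !isAllowedNavigation(u));
}

console.log(blockedFrom(SAMPLE_URLS));

// Wiring in an Electron main process (comment only; Electron is not loaded here):
//   win.webContents.on('will-navigate', (event, url) => {
//     if (!isAllowedNavigation(url)) event.preventDefault();
//   });
//   win.webContents.setWindowOpenHandler(() => ({ action: 'deny' }));
```

A check like this limits where the wrapper can go, but it does nothing about findings in the wrapper's own configuration, which is why the Electronegativity report still matters.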
If you don’t like the look of the SARS browser—or if you need to run Flash content outside the SARS e-filing website—you still might not be entirely out of luck.
While the Adobe Flash plugin itself is not only deprecated but actively suicidal, there’s a Flash emulator built in Rust called Ruffle. Ruffle is an open source, volunteer-maintained project that implements the majority of Flash functionality.
If you operate a website and want to serve Flash content, you can wrap it in Ruffle and serve it to users with no plugin required. Just put the Ruffle code on your Web server and then include the tag <script src="path/to/ruffle/ruffle.js"></script> on any page that serves Flash content. You can also install Ruffle as a plugin on Firefox or Chrome, where it uses WebAssembly to put the pieces together.
We don’t have any South African citizens onboard here at Ars, so we can’t verify whether Ruffle correctly operates the various Web forms on the SARS website. But the odds seem good, since the emulator correctly operates quite a few Web games and animations. Ruffle should mitigate most of Flash’s infamous security issues, since its Rust environment guarantees safe memory management.