SARS launches its own Internet browser to solve Flash problems

Speedster

Honorary Master
Joined
May 2, 2006
Messages
12,017
This is so idiotic I don't even know where to begin. This is like saying my car needs new tires. But I can't change my tires now for whatever reason so instead I will build a new road made of rubber, so that I can keep driving on these tires.

The stupidity. I will not enter a single detail on that web browser.
The good news for you is you'll never have to. But hey, since when has reading been a thing..
Lol. Except that very few people will ever have need of the forms this browser is needed for.
 

Fulcrum29

Honorary Master
Joined
Jun 25, 2010
Messages
38,629
Basic analysis:

Installer is signed by "Harman International Industries, Incorporated".

View attachment 1001222

As is "SARS Efiling.exe" which the installer installs.

It's a custom repack of Chromium 10.1.5 which was released on October 23, 2020, that identifies itself as Chrome 85
View attachment 1001230

The only included plugin is Flash (HCSFP.dll) 50.0 r0.

View attachment 1001224

The browser doesn't allow navigating to any URL other than sarsefiling.co.za

I'm quite surprised that they managed to find a "fix" within 26 days of Flash expiring, but clearly they had some help from "Harman International Industries".

HARMAN’S SUPPORT PROGRAM FOR ADOBE® FLASH® PLAYER

Flash Player is installed on hundreds of millions of systems. However, effective end of 2020, Adobe announced the end of Flash Player support and hence this will not be available for download from their website, and browser vendors will update their browsers to remove the Flash Player.

However, several companies have significant Flex and Flash-based applications currently in use, either for internal access by employees or as customer-facing applications. HARMAN's exclusive agreement with Adobe to provide extended licensing and support agreements for enterprise Flash Player means that companies can be offered a further time for migrating their Flash-based application to HTML/JavaScript solutions. HARMAN will offer support and security updates to Adobe Flash Player and can provide solutions until the end of 2023 and beyond.

Apart from enterprise support for the Flash Player, HARMAN also now supports Adobe AIR® SDK which can be used to package and deploy applications that are purely based on SWF content, and is widely used for cross-platform applications and games. See https://airsdk.harman.com for more details.

PACKAGED BROWSER SOLUTION

Where enterprise applications are a mixture of web (HTML/JavaScript) and Flash (or Flex) content, AIR is unlikely to provide full capabilities and so HARMAN is offering the "Packaged Browser" solution as a customised software product that can be licensed for use beyond end of 2020 and allows an existing Flash-based web application to continue working like before.

The "Packaged Browser" is essentially an application that wraps up a browser engine along with the Flash Player and is locked to your web-based Flash application taking on appropriate branding. It is deployed as a separate application, so it needs to be installed by an end user and accessed as a desktop application. It is like a browser tab without the navigational UI and with a Flash Player isolated from the rest of the system.

This application works by loading in the appropriate browser engine and directing this to the predefined URL that hosts the web-based application. The browser engine then loads the custom version of the Flash Player as provided under license by HARMAN. The web-based application is then displayed as if it were running in a normal web page.

ADOBE SOLUTIONS FOR MOBILE AND DESKTOP PLATFORMS

HARMAN provides support on behalf of Adobe® for the Adobe AIR® software and the AIR SDK, and extended support for Adobe Flash® Player for enterprise customers. HARMAN's offerings also include consultancy, support and migration services for companies looking to move their applications away from Flash technologies over to HTML5 via solutions such as Angular, Apache Royale and other JavaScript based frameworks.
For the AIR SDK, please visit our dedicated website at https://airsdk.harman.com

...

Drive Uninterrupted Business Outcomes

Adobe Flash Player will no longer be supported by Adobe or by any standard browsers beyond 2020. However, if the enterprise customers require Flash Player, then HARMAN will be able to offer them a solution that combines the regular Flash Player with customer’s SWF application. This will allow for a useful stop-gap for existing applications to continue to be used with little or no modifications, whilst long term plans for migration away from the Flash content are put into action.

HARMAN also offers alternative deployment and licensing models for Flash Player, for companies wishing to embed Flash Player into their own hardware or software products.

I assume they contacted Adobe who put them in touch with Harman.
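The analysis above boils down to three checks anyone can repeat before trusting a downloaded installer of this kind: who signed it, what the binary claims to be, and which components (such as a Flash plugin DLL) it drops on disk. The PowerShell below is an added example written for this thread, not code from the post, from SARS or from HARMAN; the file and directory paths are placeholders, and the expected signer string is simply the name reported in the post.

```powershell
# Added example, not code from the thread or from HARMAN/SARS.
# Offline triage of a downloaded installer and of the directory it installs into:
# who signed it, what it claims to be, and which EXE/DLL components it ships.
# Paths and the expected signer name below are placeholders.

function Get-SignerName {
    param([System.Management.Automation.Signature]$Signature)
    if ($null -eq $Signature.SignerCertificate) { return '' }
    # SimpleName returns the certificate subject CN without the rest of the DN.
    return $Signature.SignerCertificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
}

function Test-InstallerTrust {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSigner
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    # 1. Content hash, to compare with a value published by the vendor or recorded
    #    when the file was first vetted.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # 2. Authenticode. Status must be Valid AND the signer must be the one we expect;
    #    a valid signature from an unexpected signer still fails the check.
    $sig     = Get-AuthenticodeSignature -LiteralPath $Path
    $signer  = Get-SignerName $sig
    $trusted = ($sig.Status -eq 'Valid') -and ($signer -eq $ExpectedSigner)

    # 3. Version resource: what the binary says about itself (product, company, version).
    $vi = (Get-Item -LiteralPath $Path).VersionInfo

    [pscustomobject]@{
        Path            = $Path
        SHA256          = $hash
        SignatureStatus = $sig.Status
        Signer          = $signer
        Trusted         = $trusted
        ProductName     = $vi.ProductName
        CompanyName     = $vi.CompanyName
        FileVersion     = $vi.FileVersion
    }
}

function Get-InstalledBinaryInventory {
    # Lists every EXE/DLL under the install directory with its signer and version,
    # so bundled components (for example a Flash plugin DLL) are visible before first run.
    param([Parameter(Mandatory)][string]$InstallDir)
    Get-ChildItem -LiteralPath $InstallDir -Recurse -File -Include *.exe, *.dll |
        ForEach-Object {
            $s = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                File        = $_.FullName
                Signature   = $s.Status
                Signer      = Get-SignerName $s
                FileVersion = $_.VersionInfo.FileVersion
                ProductName = $_.VersionInfo.ProductName
            }
        }
}

# Usage (placeholder paths; the expected signer is the name reported in the post above):
Test-InstallerTrust -Path 'C:\Downloads\installer.exe' `
                    -ExpectedSigner 'Harman International Industries, Incorporated' |
    Format-List
Get-InstalledBinaryInventory -InstallDir 'C:\Program Files\PlaceholderBrowser' |
    Format-Table -AutoSize
```

The point of checking the signer name and not just `Status -eq 'Valid'` is that a look-alike installer pushed by a "download our browser" lure can carry a perfectly valid signature from some other publisher; the inventory step is what surfaces a bundled plugin such as the Flash DLL the post identified.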
 

backstreetboy

Honorary Master
Joined
Jun 15, 2011
Messages
23,040
The good news for you is you'll never have to. But hey, since when has reading been a thing..

Lol. Except that very few people will ever have need of the forms this browser is needed for.
Thought Cius was a CA or somesuch.
 

Phillip_peterson

New Member
Joined
Jan 27, 2021
Messages
2
This shouldn't be such an unsecure browser, the official partner to take over support for this from Adobe is Harman and this simply looks like the packaged browser solution that they offer specifically to companies in this position. SARS didn't do anything themselves, they just paid for this: https://services.harman.com/partners/adobe

Probably why their terms of service also reads: "and its use is strictly governed by a license agreement licensing SARS to provide the functionality to its taxpayers and traders"
 

Phillip_peterson

New Member
Joined
Jan 27, 2021
Messages
2
This shouldn't be such an unsecure browser, the official partner to take over support for this from Adobe is Harman and this simply looks like the packaged browser solution that they offer specifically to companies in this position. SARS didn't do anything themselves, they just paid for this: https://services.harman.com/partners/adobe

Probably why their terms of service also reads: "and its use is strictly governed by a license agreement licensing SARS to provide the functionality to its taxpayers and traders"
Sorry see someone else said the same, pulled a SARS and rocked up a bit late here
 

Swa

Honorary Master
Joined
May 4, 2012
Messages
26,712
This is so idiotic I don't even know where to begin. This is like saying my car needs new tires. But I can't change my tires now for whatever reason so instead I will build a new road made of rubber, so that I can keep driving on these tires.

The stupidity. I will not enter a single detail on that web browser.
I don't doubt that it's as safe as flash currently. The issue is its mere existence is putting non-savvy people at risk. Apart from that it's just going to be a strain on resources and system bloat.
 

PsyWulf

Honorary Master
Joined
Nov 22, 2006
Messages
10,840
This shouldn't be such an unsecure browser, the official partner to take over support for this from Adobe is Harman and this simply looks like the packaged browser solution that they offer specifically to companies in this position. SARS didn't do anything themselves, they just paid for this: https://services.harman.com/partners/adobe

Probably why their terms of service also reads: "and its use is strictly governed by a license agreement licensing SARS to provide the functionality to its taxpayers and traders"
Good find
 

TheRoDent

Cool Ideas Rep
Joined
Aug 6, 2003
Messages
5,218
This shouldn't be such an unsecure browser, the official partner to take over support for this from Adobe is Harman and this simply looks like the packaged browser solution that they offer specifically to companies in this position. SARS didn't do anything themselves, they just paid for this: https://services.harman.com/partners/adobe

Probably why their terms of service also reads: "and its use is strictly governed by a license agreement licensing SARS to provide the functionality to its taxpayers and traders"

Yeah, in all it's a "kludge" workaround, but at least props to them for finding "a" solution. It's not the best, but I think all the drama about it being insecure, etc yada yada yada is much ado about nothing.

Flash didn't suddenly become insecure after December 2020, and it was used by millions of people until it got dropped in the major browsers.

They have a partner that seems intent on providing continued support to enterprise customers under the agreement, and the browser is Chromium -- effectively used by millions around the world.

There are still IBM mainframes and COBOL and RPG/400 running under extended maintenance agreements as well. There are still ATMs running Windows XP under extended corporate support agreements but nobody is losing their underwear about that...
 

Fulcrum29

Honorary Master
Joined
Jun 25, 2010
Messages
38,629
Yeah, in all it's a "kludge" workaround, but at least props to them for finding "a" solution. It's not the best, but I think all the drama about it being insecure, etc yada yada yada is much ado about nothing.

Flash didn't suddenly become insecure after December 2020, and it was used by millions of people until it got dropped in the major browsers.


They have a partner that seems intent on providing continued support to enterprise customers under the agreement, and the browser is Chromium -- effectively used by millions around the world.

There are still IBM mainframes and COBOL and RPG/400 running under extended maintenance agreements as well. There are still ATMs running Windows XP under extended corporate support agreements but nobody is losing their underwear about that...

Flash is vulnerable,


the main purpose behind Harman providing these services is to allow transitional Flash content migration to alternate technologies. I believe this is also what Adobe conveyed in their press release.

Flash was a targeted technology, and now that Harman will assist entities under license to allow end user distribution with Flash content this may become another attack vector, it is an opportunity, especially in a closed ecosystem. An attack on the SARS browser can be orchestrated; however, access is still required where other vulnerabilities apply. This would apply to any other organisation which is in a transitional phase.

I am sure Harman aren't liable. It is an Adobe technology declared EOL and Adobe strongly recommend uninstalling the product. I don't know the terms between Harman and their customers, but organisations who aren't planning to transition may run into consequences.

It isn't simply yada yada yada is much ado about nothing.

Anyway, here is Adobe's enterprise guideline,


Adobe stopped supporting Flash Player beginning December 31, 2020 (“EOL Date”), as previously announced in July 2017. In addition, to help secure users’ systems, Adobe blocked Flash content from running in Flash Player beginning January 12, 2021. Adobe strongly recommends all users immediately uninstall Flash Player to help protect their systems.

For general information on Flash Player’s EOL, please see our general FAQ.

To help our enterprise customers mitigate Flash Player support and security concerns, we are implementing the following features:

Flash content will be blocked

To help secure users’ systems, Adobe blocked Flash content from running in Flash Player beginning January 12, 2021.

Please note, major browser vendors have and will continue to disable Flash Player from running after the EOL Date. Major browser vendor support for Flash Player will vary by browser company. To learn the latest details, please visit the below sites hosted by these major browser vendors:

Commercial support options available

For enterprise customers that need help transitioning their Flash content to other supported technologies or require Flash Player licensing support after the EOL Date, please contact our official distribution licensing partner, HARMAN, for more information about their commercial support offerings.

HARMAN is the official enterprise distributor for Flash Player and enterprises should contact Harman to discuss Flash Player support and Flash Player security updates after the EOL Date. HARMAN has a long-standing history as a Flash partner, maintains knowledge of the Flash Player platform and ecosystem, and is well-positioned to help enterprises through this transition given more than a decade of experience.

Potential services provided by HARMAN may include, but are not limited to:

  • Transitioning Flash content to alternate technologies.
  • Creating custom downloadable applications that will load specified Flash content for end user distribution.
  • Providing updated Flash Player installers that will allow Flash to run with compatible browsers in an internal environment.
Enterprise enablement support

Adobe strongly recommends that customers only use the most secure and up-to-date versions of Flash Player, which will only be supported after the EOL Date from HARMAN. However, enterprise administrators have the option to enable domain-level allow list support via Flash Player configuration files in the latest versions of Flash Player made available by Adobe only on browsers that have not disabled Flash Player. Using this option, enterprise administrators are able to specify the domains where Flash playback is allowed. Full details can be found in our Flash Player Administration guide (see ‘Enterprise Enablement’ section).

Any use of the domain-level allow list after the EOL Date is strongly discouraged, will not be supported by Adobe, and is entirely at the user’s own risk.

Prompting users to uninstall

Even though many browsers have disabled Flash Player and Adobe blocked Flash content from running in Flash Player beginning January 12, 2021, we began taking additional steps to help secure users' systems by prompting them to uninstall Flash Player starting in October 2020. Please note that Flash Player’s ability to run may be dependent on browser support so please check with the appropriate browser vendor for more details. 

To help secure users’ systems, Adobe strongly recommends removing unused components promptly. However, enterprise administrators can suppress Flash Player uninstall prompts by setting preferences available in the Flash Player configuration files. If you choose to suppress the uninstall prompt, this is entirely at the user’s own risk. Full details on the uninstall prompt settings and uninstalling Flash Player can be found in the Flash Player Administration guide (see ‘Suppressing EOL Uninstall Prompts’ section).

Will Flash Player still work after the EOL Date?

Adobe blocked Flash content from running in Flash Player beginning January 12, 2021 to help secure users’ systems.

This can be overridden by using the domain-level allow list functionality available in Adobe’s latest release of Flash Player.

Any use of the domain-level allow list after the EOL Date is strongly discouraged, will not be supported by Adobe, and is entirely at the user’s own risk. Please see the Flash Player Administration guide (see ‘Enterprise Enablement’ section) for details. We strongly recommend enterprise customers contact our official distribution licensing partner, HARMAN, for more information about commercial support offerings after the EOL Date. After the EOL Date, Adobe will not issue Flash Player updates or security patches.

Which browsers will still load Flash Player after 2020?

Please note that Flash Player’s ability to run is dependent on browser support so please check with the appropriate browser vendor for more details. To learn the latest details, please visit the below sites hosted by these browser vendors:
Will Adobe make Flash Player available for download after 2020?

No. Adobe will remove Flash Player download pages from its site after the EOL Date. Adobe blocked Flash content from running in Flash Player beginning January 12, 2021. Enterprise customers that need Flash Player support or licensing after the EOL Date should contact our official distribution licensing partner, HARMAN, for more information about commercial support offerings.

UPDATED : January 13th, 2021
 

TheRoDent

Cool Ideas Rep
Joined
Aug 6, 2003
Messages
5,218
Flash is vulnerable,


the main purpose behind Harman providing these services is to allow transitional Flash content migration to alternate technologies. I believe this is also what Adobe conveyed in their press release.

Flash was a targeted technology, and now that Harman will assist entities under license to allow end user distribution with Flash content this may become another attack vector, it is an opportunity, especially in a closed ecosystem. An attack on the SARS browser can be orchestrated; however, access is still required where other vulnerabilities apply. This would apply to any other organisation which is in a transitional phase.

I am sure Harman aren't liable. It is an Adobe technology declared EOL and Adobe strongly recommend uninstalling the product. I don't know the terms between Harman and their customers, but organisations who aren't planning to transition may run into consequences.

It isn't simply yada yada yada is much ado about nothing.

Anyway, here is Adobe's enterprise guideline,


I don't see how it's more vulnerable than it was before it was announced EOL/2020, when people still enabled it for a specific site to do their e-filing. Visiting random sites in Chrome pre-December would ask the user to enable flash, and consider the implications.

Now, we have a sandboxed browser that only allows access to sarsefiling.co.za that has flash enabled.

It's not the best solution, but it's not the worst either considering that it was standard practice to enable flash for sarsefiling before Dec 2020

But I will rephrase my prior comment to say that "flash isn't suddenly MORE vulnerable".

When used on the e-filing site....
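The thread's security argument rests on the packaged browser being locked to one site. The page does not say how the product enforces that lock, so the following is an added example (not the product's, HARMAN's or any poster's code) of how such a navigation allow-list should be checked: parse the URL, require https, and accept the host only when it equals the locked domain or is a subdomain of it, so that substring look-alikes and other schemes are refused. The allowed host list and the sample URLs are constructed for the example.

```powershell
# Added example, not the product's code. A host-based navigation allow-list of the
# kind the thread describes ("only allows access to sarsefiling.co.za").
# $AllowedHosts is an assumed policy; the real product's configuration is not known.
$AllowedHosts = @('sarsefiling.co.za')

function Test-NavigationAllowed {
    param(
        [Parameter(Mandatory)][string]$Url,
        [string[]]$Allowed = $AllowedHosts
    )
    # Parse rather than string-match: an unparseable URL is refused outright.
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) { return $false }

    # Only https reaches the locked site; http, file:, javascript: and the rest are refused.
    if ($uri.Scheme -ne 'https') { return $false }

    # Compare the parsed host, normalised (lower case, no trailing dot), against each
    # allowed name: exact match or a proper subdomain ("www." + name), never a substring.
    $targetHost = $uri.Host.ToLowerInvariant().TrimEnd('.')
    foreach ($name in $Allowed) {
        $name = $name.ToLowerInvariant()
        if ($targetHost -eq $name -or $targetHost.EndsWith(".$name")) { return $true }
    }
    return $false
}

# Constructed sample of navigation attempts as a locked browser would see them.
$samples = @(
    'https://www.sarsefiling.co.za/'               # allowed: subdomain of the locked host
    'https://sarsefiling.co.za/app'                # allowed: exact host
    'http://sarsefiling.co.za/'                    # refused: not https
    'https://sarsefiling.co.za.example.com/'       # refused: locked name is not the registrable suffix
    'https://example.com/?next=sarsefiling.co.za'  # refused: host is example.com (substring matching would pass this)
    'file:///C:/Windows/'                          # refused: wrong scheme, no host
    'not a url'                                    # refused: does not parse
)
$samples | ForEach-Object {
    [pscustomobject]@{ Url = $_; Allowed = (Test-NavigationAllowed -Url $_) }
} | Format-Table -AutoSize
```

The check is written against the parsed `Host` and scheme, not the raw string, because that is where lock-to-domain implementations usually go wrong; when evaluating any packaged browser of this type, the sample list above is a reasonable first set of inputs to confirm the lock behaves as advertised.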
 

MachoPants

Expert Member
Joined
Oct 4, 2012
Messages
2,411
Oh well, what do they suggest when you don't own a windows device?
I'd like a reduction on that expense please if I'm forced into windows
 

Fulcrum29

Honorary Master
Joined
Jun 25, 2010
Messages
38,629
I don't see how it's more vulnerable than it was before it was announced EOL/2020, when people still enabled it for a specific site to do their e-filing. Visiting random sites in Chrome pre-December would ask the user to enable flash, and consider the implications.

Now, we have a sandboxed browser that only allows access to sarsefiling.co.za that has flash enabled.

It's not the best solution, but it's not the worst either considering that it was standard practice to enable flash for sarsefiling before Dec 2020

But I will rephrase my prior comment to say that "flash isn't suddenly MORE vulnerable".

When used on the e-filing site....

I agree, but the general point I am getting at is that SARS needs to transition. Their sandbox may become victim to a purposed attack vector in the time to come. This interim, or temporary solution, cannot become the new standard. They need a clear vision now; the previous public made known strategy plan was a circus.
 

PsyWulf

Honorary Master
Joined
Nov 22, 2006
Messages
10,840
I don't see how it's more vulnerable than it was before it was announced EOL/2020, when people still enabled it for a specific site to do their e-filing. Visiting random sites in Chrome pre-December would ask the user to enable flash, and consider the implications.

Now, we have a sandboxed browser that only allows access to sarsefiling.co.za that has flash enabled.

It's not the best solution, but it's not the worst either considering that it was standard practice to enable flash for sarsefiling before Dec 2020

But I will rephrase my prior comment to say that "flash isn't suddenly MORE vulnerable".

When used on the e-filing site....
Personally I think it adds more of a social-engineering risk than just a technical one, anything needing a suggestion to "download our browser" is likely to be abused easier
 

Fulcrum29

Honorary Master
Joined
Jun 25, 2010
Messages
38,629
Personally I think it adds more of a social-engineering risk than just a technical one, anything needing a suggestion to "download our browser" is likely to be abused easier

For an attack vector, it is quite the possibility. To negate this is simple user training.
 

upup

Executive Member
Joined
Jun 1, 2009
Messages
7,441
These companies that say they are going to discontinue something and then actually stick to the date and don't delay it 5 times before failing to discontinue it are ridiculous. Who does that really...
Send the toi toi team to adobe.
 