SARS still using discontinued Adobe Flash Player despite security risks

The South African Revenue Service (SARS) is still using Adobe Flash Player on its eFiling online portal despite the platform being discontinued at the end of 2020.

This issue came to light after eFiling users complained that they were having issues with forms loading on eFiling, making it impossible for them to attend to their tax obligations.

In a response posted on Facebook, SARS acknowledged that it was aware that certain forms were not loading correctly “due to Adobe Flash”.

“We are currently working on resolving the matter and will advise once the problem has been resolved,” SARS stated.

A subsequent notice said that the discontinuation of Flash Player has impacted a limited set of Adobe forms and declarations on the system.

SARS said it had already “begun the journey” of migrating old Flash Player-enabled forms to HTML5, but that a few forms remained to be modernised.

It recommended that users who are experiencing issues when attempting to access any of the affected forms follow its Browser Compatibility Guidelines for a workaround to enabling Flash Player.

This advice is given despite the fact that Adobe itself has stated the reason Flash Player is no longer supported is that it is outdated and no longer considered secure.

Browser users who continue to run the Adobe Flash Player extension may therefore be at an increased risk of a cyberattack, as there is no guarantee that malicious actors won’t identify additional vulnerabilities that won’t be fixed by Adobe.

Security risks

Cybersecurity and small business expert Hennie Ferreira has slammed SARS for the oversight and said it must have been aware that Adobe would block Flash Player as of 12 January 2021, as it was announced more than three years ago.

“Adobe announced the end of Flash Player in 2017 already as it is susceptible to a variety of security issues, making it a target for cyberattacks,” Ferreira said.

“Yet, when SARS revamped their system in 2019, they continued using Adobe Flash Player,” Ferreira said.

On 2 December 2020, Adobe “strongly recommended that all users immediately uninstall Flash Player to help protect their systems”.

Furthermore, Microsoft also announced that it would no longer provide security updates for Flash Player after December 2020.

Ferreira called on SARS to provide answers for their continued use of Adobe Flash Player.

“In the age of COVID-19, social distancing and remote working, tax practitioners, business owners and members of the public are unable to visit SARS offices and rely heavily on virtual systems to get things done. It seems the whole system has now ground to a halt,” Ferreira said.

“It is unacceptable that we use outdated and insecure technology to run our country’s tax system,” Ferreira said.

Ferreira urged users not to download software claiming to be Flash Player from third-party websites, as it would likely be malware.

SARS comment

In a response to MyBroadband’s question over why it was still using Adobe Flash Player, SARS said that “all technology solutions pose cyber security risks”.

“What is key, is that all users of technology ensure that they subscribe to and implement the latest security measures contained in the latest security patches dependant on the software and hardware being used,” SARS stated.

“From a SARS system perspective every endeavour is made to ensure the highest levels of security which mitigate known risks.”

“All users of technology which includes taxpayers and traders are urged to ensure that their devices have security software and that these are at the latest levels with or without Adobe Flash,” SARS added.

The revenue service noted that the following forms are affected by the issue:

  • Registration (excluding registration for individuals)
  • Transfer Duty
  • Dividends Tax
  • Submission of Financial 3rd Party Data
  • Excise Duties and Levies – Planned for 29 January 2021

SARS said it was committed to migrating these forms to HTML5 in 2021.

“In the interim taxpayers are urged to follow the guidelines as provided and use the Microsoft Edge browser to complete and submit these forms online,” SARS stated.

“Provisional taxpayers who are required to file returns, are assured that they can certainly use eFiling and the SARS MobiApp, which uses HTML5, on or before the deadline 29 January 2021,” SARS added.

Now read: Inside South Africa’s Cybersecurity Hub

Latest news

Partner Content

Show comments


Share this article
SARS still using discontinued Adobe Flash Player despite security risks