Games and animation site Newgrounds announced it is working on a way to play Flash content via emulation.
Ruffle is an open source Adobe Flash Player emulator written in Rust. It targets desktop and the web using Web Assembly, so unlike the plugin (which is scheduled for end-of-life in 2020), any security issues would be issues with the web browser itself.
While the creation of new Flash content instead of modern technology seems a Bad Idea, this Soylentil for one would be quite happy to replay some of the classics (which stopped working when the plugin was banned from his system).
[ Ed Note: the source article claims that open source is the reason why there won't be any vulnerabilities: "For anyone who is concerned about Flash's reputation for security - this project is entirely open source and any security issues would be issues with the web browser itself, whereas the traditional Flash plugin was a closed system that created unique opportunities for exploits." - Fnord666]
(Score: 5, Interesting) by takyon on Sunday August 25 2019, @10:12PM (11 children)
Block HTML5 canvas (or javascript), or you will suffer from HTML5 animations or Ruffle flash animations.
But it's a good move for content preservation. Maybe Internet Archive will join in.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 1, Informative) by Anonymous Coward on Sunday August 25 2019, @10:55PM (1 child)
Especially one doomed to oblivion along with the rest of Mozilla.
(Score: 2, Funny) by Anonymous Coward on Sunday August 25 2019, @11:12PM
Your negativity is in violation of Mozilla Code of Conduct. Please apologize.
(Score: 1, Interesting) by Anonymous Coward on Monday August 26 2019, @04:52AM
I've seen a couple of web archivers murmur about getting involved. One reason they like it is that the official flash player has broken old files in the past, so something like this could allow all flash content to be played, even the broken ones. Another is that, as open source, they won't have to worry about it suddenly disappearing or breaking beyond repair. However, based on that I have seen that apparently Rust (or the main toolkit) isn't considered stable, but that might be a matter of perspective.
And two other groups I've seen eyeing this with interest (and how I found out about the above) is the Tool Assisted Speedrun and Real Time Attack communities. Both like it because it makes adding the software they need to do their different approaches much easier than trying to hack them into flash or the browser or wrapping the player. However, both seem to be concerned about the accuracy and how reproducible the output is.
(Score: 2) by driverless on Monday August 26 2019, @05:16AM (5 children)
Uhhhh.... what? This "explanation" for why it's "secure" is almost as dumb as "all our code is written in IBM360 assembly language and if there are any bugs they'll cause an ABEND, therefore our code is bug-free" (that was actually claimed by a UK bank). It's going to have just as many bugs as Flash did, but Flash has had more than two decades of people trying to beat the bugs out of it while Ruffle resets the clock and gets to start with an entirely new set of bugs. If you try and emulate bug-riddled crap, you still end up with bug-riddled crap, even if you do write it in Rust.
(Score: 2) by takyon on Monday August 26 2019, @05:25AM (3 children)
If I'm reading it right, it doesn't require a "plugin". Instead it uses an extension to throw in some JavaScript in place of where the embedded flash would be in HTML pages. Any security issue would be a vulnerability affecting the entire javascript implementation and/or sandbox model of the web browser, so it's not Ruffle's problem to solve.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 3, Insightful) by driverless on Monday August 26 2019, @05:41AM (2 children)
Sure, but that's the same as the 360 assembly language argument, you can write buggy, insecure code in Javascript as well as any other language. In fact there's entire industries that churn out buggy, unsafe Javascript, and endless CVEs to accompany their work.
(Score: 2) by Pino P on Monday August 26 2019, @02:58PM
The difference is that should an escape be discovered in JavaScript or WebAssembly, the browser publisher has power to fix it in an update. If I recall correctly, the major browser publishers have a better record on sandboxing hygiene than Adobe ever did.
(Score: 0) by Anonymous Coward on Monday August 26 2019, @03:49PM
The difference is that with this solution, there aren't any more browser exploits than there were without it. Since everything is JS/HTML5, any exploits could be done just as well without this tool as with it (by simply using the proper HTML5/JS directly.
(Score: 2) by hendrikboom on Monday August 26 2019, @10:17PM
Well, being in Rust it won't have many memory leaks or free-before-use bugs.
And any exploits in those old games will probably be attacking old bugs, different from the ones in the *new* implementation.
Now we need to figure out how to download these swf files so that they can be divorced from the websites they are on, which websites may not be around next year.
And is there any flash decompiler so we have a hope of figuring out how the old games work in case they need to be patched?
-- hendrik
(Score: 2) by Pino P on Monday August 26 2019, @02:53PM (1 child)
It was indeed an SWF ad for Splunk on the green site that first led me to consider blocking Flash ads, first at the /etc/hosts level and later with click-to-play add-ons. I did so with a clear conscience: any advertiser wanting to reach me could still do so by using a medium other than SWF. But even if you block SWF, HTML5 video, GIF animation, and JavaScript, that still won't save you from autoplaying CSS filmstrips [pineight.com]. Avoiding animation becomes an arms race.
On the other hand, when the green site runs stories about the Flash Player sunset, I almost always see comments to the other extreme. Here's how such anti-preservation comments tend to go:
(Score: 2) by takyon on Monday August 26 2019, @02:59PM
Yikes. Sounds like that commenter needs a hot meal.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]