Games and animation site Newgrounds announced it is working on a way to play Flash content via emulation.
Ruffle is an open source Adobe Flash Player emulator written in Rust. It targets desktop and the web using Web Assembly, so unlike the plugin (which is scheduled for end-of-life in 2020), any security issues would be issues with the web browser itself.
While the creation of new Flash content instead of modern technology seems a Bad Idea, this Soylentil for one would be quite happy to replay some of the classics (which stopped working when the plugin was banned from his system).
[ Ed Note: the source article claims that open source is the reason why there won't be any vulnerabilities: "For anyone who is concerned about Flash's reputation for security - this project is entirely open source and any security issues would be issues with the web browser itself, whereas the traditional Flash plugin was a closed system that created unique opportunities for exploits." - Fnord666]
(Score: 2) by driverless on Monday August 26 2019, @05:16AM (5 children)
Uhhhh.... what? This "explanation" for why it's "secure" is almost as dumb as "all our code is written in IBM360 assembly language and if there are any bugs they'll cause an ABEND, therefore our code is bug-free" (that was actually claimed by a UK bank). It's going to have just as many bugs as Flash did, but Flash has had more than two decades of people trying to beat the bugs out of it while Ruffle resets the clock and gets to start with an entirely new set of bugs. If you try and emulate bug-riddled crap, you still end up with bug-riddled crap, even if you do write it in Rust.
(Score: 2) by takyon on Monday August 26 2019, @05:25AM (3 children)
If I'm reading it right, it doesn't require a "plugin". Instead it uses an extension to throw in some JavaScript in place of where the embedded flash would be in HTML pages. Any security issue would be a vulnerability affecting the entire javascript implementation and/or sandbox model of the web browser, so it's not Ruffle's problem to solve.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 3, Insightful) by driverless on Monday August 26 2019, @05:41AM (2 children)
Sure, but that's the same as the 360 assembly language argument, you can write buggy, insecure code in Javascript as well as any other language. In fact there's entire industries that churn out buggy, unsafe Javascript, and endless CVEs to accompany their work.
(Score: 2) by Pino P on Monday August 26 2019, @02:58PM
The difference is that should an escape be discovered in JavaScript or WebAssembly, the browser publisher has power to fix it in an update. If I recall correctly, the major browser publishers have a better record on sandboxing hygiene than Adobe ever did.
(Score: 0) by Anonymous Coward on Monday August 26 2019, @03:49PM
The difference is that with this solution, there aren't any more browser exploits than there were without it. Since everything is JS/HTML5, any exploits could be done just as well without this tool as with it (by simply using the proper HTML5/JS directly.
(Score: 2) by hendrikboom on Monday August 26 2019, @10:17PM
Well, being in Rust it won't have many memory leaks or free-before-use bugs.
And any exploits in those old games will probably be attacking old bugs, different from the ones in the *new* implementation.
Now we need to figure out how to download these swf files so that they can be divorced from the websites they are on, which websites may not be around next year.
And is there any flash decompiler so we have a hope of figuring out how the old games work in case they need to be patched?
-- hendrik