Flash in Sandbox for Firefox

Wednesday, February 8, 2012 @ 03:02 PM gHale

Adobe will now be playing in the sandbox.

Flash will now add a sandbox to the version of the player that runs in Firefox. The sandbox should prevent many common exploit techniques against Flash.

Trojan Targets Contractors
Apple Security Fix for OS X
Struggle to Secure Mobile Devices
All Mobile Devices Victimized

The move by Adobe comes about a year after the company added a sandbox to Flash for Google Chrome. Flash, which is the most widely deployed piece of software on the Internet, has been a common attack vector for several years. The attacks in some cases could get around exploit mitigations added by the browser vendors. The sandbox should prevent these types of attacks by not allowing exploits against Flash to break out into the browser itself.

The version of Flash for Firefox that includes a sandbox is now in beta form, and is only available to developers and not end users. The final version should be available for users later this year, Adobe said.

“The design of this sandbox is similar to what Adobe delivered with Adobe Reader X Protected Mode and follows the same Practical Windows Sandboxing approach. Like the Adobe Reader X sandbox, Flash Player will establish a low integrity, highly restricted process that must communicate through a broker to limit its privileged activities. The sandboxed process is restricted with the same job limits and privilege restrictions as the Adobe Reader Protected Mode implementation. Adobe Flash Player Protected Mode for Firefox 4.0 or later will be supported on both Windows Vista and Windows 7,” said Adobe’s Peleus Uhley.

Adobe officials said the introduction of the sandbox in Adobe Reader X, known as Protected Mode, was one of the more important security advances for protecting the company’s users. In the more than 14 months since Reader X released, the company has not seen a single successful public exploit against the application, which is a major change from previous versions of Reader, which were common attack targets, Uhley said.

At last week’s Kaspersky Lab-Threatpost Security Analyst Summit in Cancun, Brad Arkin, the senior director of product security and privacy, said rather than trying to eliminate every possible security bug, Adobe was more interested in making it difficult for attackers to exploit such flaws.

“[Writing a completely secure application] is completely infeasible for the size programs we’re talking about. We’re trying to figure out what sort of mitigations we can put in place that drive up the cost of these exploits,” Arkin said.

One of the methods for accomplishing that is including a sandbox, which can prevent attackers from being able to use a Flash bug to compromise a user’s browser.

Leave a Reply

You must be logged in to post a comment.