Adobe Launches Sandboxed Flash Player for Firefox, Hopes for Fewer Exploits

[nsane.forums]

Adobe has released a beta version of Flash Player for Firefox, which has better protection against vulnerability exploits because of a new sandboxed architecture.

"The design of this sandbox is similar to what Adobe delivered with Adobe Reader X Protected Mode and follows the same Practical Windows Sandboxing approach," said Peleus Uhley, platform security strategist at Adobe, in a blog post on Monday. "Like the Adobe Reader X sandbox, Flash Player will establish a low integrity, highly restricted process that must communicate through a broker to limit its privileged activities."

In secure software development, sandboxing refers to the practice of isolating a process from the operating system in order to minimize the fallout of a potential exploit. This type of technology has gained popularity in recent years, primarily because of its use in Google Chrome, a browser that has never experienced a successful remote code execution attack so far.

Adobe decided to implement sandboxing in Adobe Reader back in 2010 in order to counter the large number of exploits that targeted the product and its users. The technology was built into Adobe Reader X (10.0) and is based on the same sandboxing principles that Google used when developing Chrome.

Later that same year Adobe also launched a sandboxed version of Flash Player for Chrome and promised to explore the possibility of doing the same for other browsers. The new sandboxed Flash Player for Firefox, which works with Windows Vista and Windows 7, is the result of those efforts.

Critical Flash Player vulnerabilities have regularly been exploited to infect computers with malware during the past several years. Along with Java and Adobe Reader, Flash Player is one of the most attacked software applications, because its vulnerabilities can usually be exploited by simply visiting a malicious website.

"Since its launch in November 2010, we have not seen a single successful exploit in the wild against Adobe Reader X," Uhley said. "We hope to see similar results with the Flash Player sandbox for Firefox once the final version is released later this year."

However, the success of this version at deterring cybercriminals from writing Flash Player exploits in the future will largely depend on how quickly it gets adopted. In order to speed up the process, Adobe is working on a new update mechanism, the company's senior manager for corporate communications, Wiebke Lips, said.

Having a sandboxed version of Flash Player for every major browser, not just Chrome and Firefox, is also important, if Adobe wants cybercriminals to lose interest in its product. "We are currently in the process of researching the best path to provide Flash Player sandbox protection for Internet Explorer," Lips said.

However, because Internet Explorer has a completely different plug-in architecture than Chrome and Firefox, namely ActiveX, developing a sandboxed Flash Player version for it requires a different approach, Lips said. Nevertheless, the current version of Flash Player supports Protected Mode in Internet Explorer 7 or later on Windows Vista and Windows 7.

View: Original Article

[DKT27]

Coming to Firefox: Flash Player in a sandbox

Adobe says sandboxing technology has proven very effective in protecting users by increasing the cost and complexity of writing effective exploits.

Adobe’s Flash Player plugin that ships with the Firefox browser will soon be fitted with a sandbox as part of the company’s ongoing attempt to keep malicious hackers at bay.

Adobe has launched a public beta of a new Flash Player sandbox (aka “Protected Mode”) for Mozilla’s flagship browser and the company expects to have a final version of the anti-exploit roadblock later this year.

According to Peleus Uhley, a researcher in Adobe’s secure software engineering team, the design of the Firefox Flash sandbox is similar to the Protected Mode mitigation fitted into Adobe Reader X.

Uhley explains:

Like the Adobe Reader X sandbox, Flash Player will establish a low integrity, highly restricted process that must communicate through a broker to limit its privileged activities. The sandboxed process is restricted with the same job limits and privilege restrictions as the Adobe Reader Protected Mode implementation. Adobe Flash Player Protected Mode for Firefox 4.0 or later will be supported on both Windows Vista and Windows 7.

Uhley said sandboxing technology has proven very effective in protecting users by increasing the cost and complexity of authoring effective exploits.

Ever since Adobe Reader X unveiled its sandbox in November 2010, Adobe says it has “not seen a single successful exploit in the wild” against the newest version of that sofware.

“We hope to see similar results with the Flash Player sandbox for Firefox once the final version is released later this year,” Uhley said.

Separately, Adobe security chief Brad Arkin says the company is moving to silent auto security updates for Flash Player “soon.”

:view: View: Original Article