Monday, February 6, 2012

Adobe Flash Player Sandboxing is Coming to Firefox

Via Adobe Secure Software Engineering Team (ASSET) Blog -

In December of 2010, I wrote a blog post describing the first steps towards sandboxing Flash Player within Google Chrome. In the blog, I stated that the Flash Player team would explore bringing sandboxing technology to other browsers.


Today, Adobe has launched a public beta of our new Flash Player sandbox (aka “Protected Mode”) for the Firefox browser. The design of this sandbox is similar to what Adobe delivered with Adobe Reader X Protected Mode and follows the same Practical Windows Sandboxing approach. Like the Adobe Reader X sandbox, Flash Player will establish a low integrity, highly restricted process that must communicate through a broker to limit its privileged activities. The sandboxed process is restricted with the same job limits and privilege restrictions as the Adobe Reader Protected Mode implementation. Adobe Flash Player Protected Mode for Firefox 4.0 or later will be supported on both Windows Vista and Windows 7. We would like to thank the Mozilla team for assisting us with some of the more challenging browser integration bugs. For Flash Player, this is the next evolutionary step in protecting our customers.

Sandboxing technology has proven very effective in protecting users by increasing the cost and complexity of authoring effective exploits. For example, since its launch in November 2010, we have not seen a single successful exploit in the wild against Adobe Reader X. We hope to see similar results with the Flash Player sandbox for Firefox once the final version is released later this year.


Kudos to Adobe for embracing sandboxing technique as a way to minimize exploit impact in Adobe Reader X and now Adobe Flash Player. Now if they will do it for IE on Windows 7, then we will be getting somewhere.

Unfortunately, the bad guys (both criminal and nation-state) are taking advantage of Oracle's inability to do anything to secure Java JRE usage. So it might be too little too late to really help enterprises counter advanced threats.

No comments:

Post a Comment