For a while now, Google’s Chrome browser has been provided with a bundled version of Adobe’s Flash Player plugin, which is run in a “sandbox”: a separate, limited-privilege execution context, which protects the browser from attacks using Flash as the attack vector. Now, according to a report at ThreatPost, the security news service from Kaspersky Labs, Mozilla’s Firefox browser will get a similar facility.
Adobe, which has spent the last few years trying to dig out of a deep hole of vulnerabilities and buggy code, is making a major change to Flash, adding a sandbox to the version of the player that runs in Firefox. The sandbox is designed to prevent many common exploit techniques against Flash.
Adobe has previously implemented sandbox technology in its Adobe Reader X for Windows; in a post announcing the new Firefox plugin on the Adobe Secure Software Engineering Team [ASSET] blog, the company says that the change has significantly reduced the number of successful exploits.
Sandboxing technology has proven very effective in protecting users by increasing the cost and complexity of authoring effective exploits. For example, since its launch in November 2010, we have not seen a single successful exploit in the wild against Adobe Reader X.
Although there have been some questions raised about Flash’s long-term prospects, given the new capabilities introduced in HTML 5, it is very much with us today; Flash is one of the most widely-installed bits of software across the Internet. Because of this, it has been a favorite attack target; making it more secure is a very worthwhile step.