At Last – Adobe Launches Sandboxed Flash Player For Firefox


Finally a proactive measure from Adobe to try and remedy the horrible security flaws they have introduced to Firefox with their Flash Player.

There have been some massive hacks recently due to Flash –

Hackers Exploiting Latest Adobe Flash Bug On Large Scale
Adobe Patches Latest Flash Zero Day Vulnerability
Adobe Promises Patch For Flash 0-day Being Used In Targeted Attacks

Those 3 were all in 2011!

Adobe has released a beta version of Flash Player for Firefox, which has better protection against vulnerability exploits because of a new sandboxed architecture.

“The design of this sandbox is similar to what Adobe delivered with Adobe Reader X Protected Mode and follows the same Practical Windows Sandboxing approach,” said Peleus Uhley, platform security strategist at Adobe, in a blog post on Monday. “Like the Adobe Reader X sandbox, Flash Player will establish a low integrity, highly restricted process that must communicate through a broker to limit its privileged activities.”

In secure software development, sandboxing refers to the practice of isolating a process from the operating system in order to minimize the fallout of a potential exploit. This type of technology has gained popularity in recent years, primarily because of its use in Google Chrome, a browser that has never experienced a successful remote code execution attack so far.

Adobe decided to implement sandboxing in Adobe Reader back in 2010 in order to counter the large number of exploits that targeted the product and its users. The technology was built into Adobe Reader X (10.0) and is based on the same sandboxing principles that Google used when developing Chrome.

Later that same year Adobe also launched a sandboxed version of Flash Player for Chrome and promised to explore the possibility of doing the same for other browsers. The new sandboxed Flash Player for Firefox, which works with Windows Vista and Windows 7, is the result of those efforts.

They have been talking about sandboxing for a long time and did mention they wanted to sandbox Adobe PDF Reader too, Chrome has had great success with it’s sandbox model and I’m sure many more software vendors will follow suit.

It’s good to see this approach with the web becoming an extremely dangerous place and more and more commerce is moving online, this gives us a deadly mix of poor security and lots of money floating around.


Critical Flash Player vulnerabilities have regularly been exploited to infect computers with malware during the past several years. Along with Java and Adobe Reader, Flash Player is one of the most attacked software applications, because its vulnerabilities can usually be exploited by simply visiting a malicious website.

“Since its launch in November 2010, we have not seen a single successful exploit in the wild against Adobe Reader X,” Uhley said. “We hope to see similar results with the Flash Player sandbox for Firefox once the final version is released later this year.”

However, the success of this version at deterring cybercriminals from writing Flash Player exploits in the future will largely depend on how quickly it gets adopted. In order to speed up the process, Adobe is working on a new update mechanism, the company’s senior manager for corporate communications, Wiebke Lips, said.

Having a sandboxed version of Flash Player for every major browser, not just Chrome and Firefox, is also important, if Adobe wants cybercriminals to lose interest in its product. “We are currently in the process of researching the best path to provide Flash Player sandbox protection for Internet Explorer,” Lips said.

However, because Internet Explorer has a completely different plug-in architecture than Chrome and Firefox, namely ActiveX, developing a sandboxed Flash Player version for it requires a different approach, Lips said. Nevertheless, the current version of Flash Player supports Protected Mode in Internet Explorer 7 or later on Windows Vista and Windows 7.

I’d like to see them implement a much better and more user-friendly update system for Flash player, so when the update comes out more users get it ASAP.

Also, this is only for Firefox and the largest target for malware peddlers is Internet Exploder Explorer – so they better get that version sorted out soon too.

Source: Network World

Posted in: Countermeasures, Security Software, Web Hacking

, , , , , , , , ,


Latest Posts:


Nipe - Make Tor Default Gateway For Network Nipe – Make Tor Default Gateway For Network
Nipe is a Perl script to make Tor default gateway for network, this script enables you to directly route all your traffic from your computer to the Tor network.
Mosca - Manual Static Analysis Tool To Find Bugs Mosca – Manual Static Analysis Tool To Find Bugs
Mosca is a manual static analysis tool written in C designed to find bugs in the code before it is compiled, much like a grep unix command.
Slurp - Amazon AWS S3 Bucket Enumerator Slurp – Amazon AWS S3 Bucket Enumerator
Slurp is a blackbox/whitebox S3 bucket enumerator written in Go that can use a permutations list to scan externally or an AWS API to scan internally.
US Government Cyber Security Still Inadequate US Government Cyber Security Still Inadequate
Surprise, surprise, surprise - an internal audit of the US Government cyber security situation has uncovered widespread weaknesses, legacy systems and poor adoption of cyber controls and tooling.
BloodHound - Hacking Active Directory Trust Relationships BloodHound – Hacking Active Directory Trust Relationships
BloodHound is for hacking active directory trust relationships and it uses graph theory to reveal the hidden and often unintended relationships within an AD environment.
SecLists - Usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells SecLists – Usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells
SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place.


2 Responses to At Last – Adobe Launches Sandboxed Flash Player For Firefox

  1. Stephen February 10, 2012 at 2:58 am #

    Regarding:
    “I’d like to see them implement a much better and more user-friendly update system for Flash player, so when the update comes out more users get it ASAP.”

    This is already implemented and can be tested with the beta builds. It’s called Adobe Flash Player Background Updater. This will also become available to everyone in the next Flash Player release 11.2.
    More info here:
    http://labs.adobe.com/technologies/flashplatformruntimes/flashplayer11-2/

    • Darknet February 15, 2012 at 7:44 pm #

      Thanks for the update on that Stephen.