07
Feb 12

Forcing Flash to Play in the Sandbox

facebooktwittergoogle_plusredditpinterestlinkedinmail

Adobe has released a public beta version of its Flash Player software for Firefox that forces the program to run in a heightened security mode or “sandbox” designed to block attacks that target vulnerabilities in the software.

Sandboxing is an established security mechanism that runs the targeted application in a confined environment that blocks specific actions by that app, such as installing or deleting files, or modifying system information. The same technology has been built into the latest versions of Adobe Reader X, and it has been enabled for some time in Google Chrome, which contains its own integrated version of Flash. But this is the first time sandboxing has been offered in a public version of Flash for Firefox.

Flash is a big target of attackers partly because it is a powerful program with a huge install base; vulnerability management firm Secunia estimates that some version of Flash is installed in 96 percent of the world’s Microsoft PCs. Windows users can further harden their systems against such attacks by swapping out their current version of Flash for this beta.

The sandboxed Flash for Firefox — Flash Player 11.2 beta 5 — works with Firefox 4 or later running on Window Vista or Windows 7. The latest build is available here.

I’ve been using the beta version for nearly two days now without incident on a Windows 7 Firefox 10 install (with Firefox running under Microsoft’s Enhanced Mitigation Experience Toolkit, or EMET). But if you do experience glitches or compatibility issues, you can always revert back to the non-sandboxed version. If you decide to try the beta, make sure to uninstall the current version using Adobe’s Flash uninstaller tool; then grab and install the beta.

Tags: , , , ,

23 comments

  1. curious about EMET. what settings do you run it at? for me, DEP is set to always on, SEHOP to opt out, and ASLR to opt in. haven’t had any issues with this configuration. would like to go ASLR Always On but being a gamer…

    • I use DEP opt in, SEHOP always on, ASLR opt in.

      I then use the ‘Configure Apps’ feature for Firefox with all options selected. I’ve never had any problems with this apart from it being incompatible with Trusteer Rapport, which my bank keeps pushing.

  2. A good progress. And I recommend sandboxie to everyone it’s a must have, can protect your computer against a lot of viruses, spyware, etc. ;)

    • Sanboxie is a great program. Don’t go online without it!

      • another +1 for Sandboxie.
        Long-time user in XP-SP3.

        Wish there was a way
        to run XP-SP3 in Sandoxie,
        inside Linux UBUNTU….

        • Not sure if this is what you’re looking for, but you can easily run Windows XP SP3 via a virtual machine inside Ubuntu. I do it all the time.

    • Or there’s Comodo Firewall (available at no cost) which can be setup to prompt the user about whether to run any application in a sandbox and remember the choice for any future execution of a given file.

      Personally I find the Defense+ (read premptive malware blocker) to be far to intrusive when I’m using Comodo Firewall and Comodo Antivirus is just godawful, no other way to describe it, but disable or don’t install these two features and it’s a great software firewall and sandbox combination IMO.

      I’m basing my assessment of it’s firewall capabilities off actual testing by third parties BTW, I don’t know of anything similar for sandboxing software though.

  3. So Adobe, authors of the least secure software in existence, are adding a sandbox to secure their least secure software. And we expect this sandbox to magically be well coded and secure, because Adobe’s track record on that front is ever so good.

    Also, Comodo internet security (free for home/personal use) includes sandboxing for arbitrary applications.

  4. A step in the right direction.

    Thanks Brian as always for keeping us on top of all things Security related! Great reporting!

  5. Am I right to infer that this Flash beta will not work on an XP system?

  6. Too little too late. HTML5 video is here and now.

    Every day from here on out, Flash’s userbase will dwindle, bit by bit. There are more Flash users today than there will be tomorrow, and fewer the next day. And for security that’s a good thing.

    • Yeah sure. Until there’s a large number of people using HTML5 maybe …

      • There already are. All the major browsers have supported it for a while. Most ‘phones support the interesting bits. The next iteration of our webapp will have no flash at all. All the graphically intensive stuff will move to HTML5 and related tech. An easy win on Apple mobile devices and a more subtle win regards everything else (skill set focus, storage reduction, bandwidth reduction, fewer duplicate code bases, etc).

    • Unfortunately, you’re mistaken. I will not redo ANY of my apps/sites in HTML 5. Too costly and time consuming and I’m sure I’m not the only one that feels this way.

      • Youtube has been publishing HTML5 videos for quite a while now. I can browse Youtube without even having Flash installed. :)

        That’s at least half of all online videos right there. Flash’s demise is a done deal. It’s less important today than it was yesterday. But you can continue using Flash if you prefer.

        BTW if you want to convert your flash videos to HTML5, a simple one line shell script would do it for most people. A simple sed or python script could then change all html pages across an entire site.

        Done, easy. Far and away more secure. How could one on this blog argue against it?

  7. Waiting on the 64bit version since I run a 64bit version of Firefox 13a1.

  8. Interesting. I see on the download page you linked to Adobe decided to call this sandboxed version “Incubator” ?
    Also there is no word from them if an ActiveX version is going to be released and neither if non-ActiveX browsers (such as Opera) will be supported.
    Personally, I hope we have to put up with this software for 1-2 years more before enough websites will support html5.

    • I presume that ,because of Internet Explorer Protected Mode, they don’t think it’s necessary to run the ActiveX in a sandbox.

  9. Great. Now when will Adobe release a version that sandboxes flash cookies in /dev/null to prohibit tracking. Adobe’s existing settings interface is obscure and absurd, one one suspects that this is intentional.

    • Control Panel is obscure?

    • I hear ya. Expect only more of the same from Adobe.

      Of course there are better options:

      – Mozilla’s BetterPrivacy addon for yesterday and today
      – HTML5 video for today and tomorrow