Adobe's Flash Player plugin is among the most attacked pieces of software on the Internet today. While Adobe rapidly moves to fix urgent flaws as they emerge, they have also been moving towards a sandboxing approach that mitigates the risk of any potential flaws in Flash. After first appearing in Google's Chrome browser, the Flash sandbox is now on its way to Mozilla's Firefox.
The new Flash Player sandbox for Firefox is currently in a public beta and it aims to go beyond the process protections that Mozilla already affords to plugins.
Wiebke Lips, Senior Manager of Corporate Communications at Adobe, explained to InternetNews.com that Firefox today runs Flash Player and several other plugins in a separate process called plugin-container.exe.
"By running plugins in a separate process, Firefox can ensure that a plugin crash does not crash the entire Web browser," Lips said. "However, there are no security restrictions placed on the plugin process."
Mozilla introduced the plugin-container executable as part of an effort known as "out-of-process plugin support" in June 2010, with the Firefox 3.6.4 release.
In contrast to Mozilla's own out-of-process plugin system, the Adobe sandbox goes a step further to provide an additional layer of protection.
"The Flash Player Protected Mode sandbox also creates a separate process, but the Protected Mode process is restricted by application and OS-level security controls to help prevent exploits from being successful," Lips said. The additional security that comes with the Flash sandbox does not restrict the user-level functionality of a Flash file. Lips noted that functionality that is not permitted inside the sandbox is handled by the broker process.
"The broker process is a privileged process that runs with default rights and provides secure access to specific resources not available to the sandbox," Lips said.
As an example, she noted that writing to disk is not available to the sandbox. As such, when content within the sandbox needs to store data in a local shared object (LSO), the sandbox content makes a request to the broker, and the broker handles writing the LSO content to the disk.
"This ensures that the sandbox content cannot write to arbitrary places on the user's hard drive," Lips said.
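As an added illustration of the sandbox/broker split described above (this is not Adobe's code; the store layout, the `.sol` suffix and the request shape are assumed), the privileged broker is the only side that touches the filesystem, and it confines every LSO write to its own store:

```python
import os
import tempfile


class LsoBroker:
    """Privileged broker: the sandboxed content asks it to store a local
    shared object by origin and name; the broker decides where that lands.
    Assumed layout: <lso_root>/<origin>/<name>.sol (illustration only)."""

    def __init__(self, lso_root):
        self.lso_root = os.path.realpath(lso_root)

    def _resolve(self, origin, name):
        # Refuse anything that could steer the write outside the store:
        # empty parts, absolute paths, "." / "..", or embedded separators.
        if not origin or not name:
            raise ValueError("origin and name are required")
        for part in (origin, name):
            if (os.path.isabs(part) or part in (".", "..")
                    or os.sep in part or "/" in part or "\\" in part):
                raise ValueError("rejected path component: %r" % part)
        target = os.path.realpath(
            os.path.join(self.lso_root, origin, name + ".sol"))
        # Defence in depth: the resolved path must still sit under the root.
        if os.path.commonpath([self.lso_root, target]) != self.lso_root:
            raise ValueError("write would escape the LSO store")
        return target

    def write_lso(self, origin, name, data):
        """Handle a 'store LSO' request from the sandbox; returns the path written."""
        target = self._resolve(origin, name)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as f:
            f.write(data)
        return target


def demo():
    """Constructed requests: one legitimate, two that try to leave the store."""
    broker = LsoBroker(tempfile.mkdtemp())
    written = broker.write_lso("example.test", "settings", b"volume=0.5")
    results = {"stored_inside_root": written.startswith(broker.lso_root),
               "suffix_ok": written.endswith("settings.sol")}
    for label, origin, name in (("traversal_rejected", "example.test", "../../escape"),
                                ("absolute_rejected", "/tmp", "anything")):
        try:
            broker.write_lso(origin, name, b"x")
            results[label] = False
        except ValueError:
            results[label] = True
    with open(written, "rb") as f:
        results["content"] = f.read()
    return results
```
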
Adobe already has experience building browser plug-in sandboxes, thanks to the Flash Player's tight integration with the Google Chrome browser. Lips noted that from a functionality perspective, the two versions of Flash Player are the same.
What about Microsoft IE?
Adobe isn't just interested in making sure that Google Chrome and Mozilla Firefox users are secure; it wants to help Microsoft's IE users too. According to Lips, Adobe is currently researching the best path to provide Flash Player sandbox protection for Internet Explorer. She added that because Internet Explorer uses ActiveX as its interface for plugins, there are some complications. ActiveX is significantly different from the Netscape Plugin Application Programming Interface (NPAPI) that Firefox and Chrome both support. As such, sandboxing Flash Player for Internet Explorer requires a different approach.
While IE users might have to wait a while to get the benefits of Adobe's new Flash Player security, the sandboxed version of Flash Player for Firefox is expected to be available later this year.
"We will be collecting feedback during the public pre-release process and will release the final product once we are satisfied with the results of our internal and external testing," Lips said.