Adobe has taken another step to secure Windows users from malicious Flash code by releasing a beta plug-in of Flash Player with a built-in sandbox for Firefox.
Two of the three major Web
browsers now offer some form of Flash Player with built-in sandbox protection.
Internet Explorer is not one of them.
Adobe has been modifying its
popular Flash Player to include the sandbox technology that would block malicious
code before executing. Adobe on Feb. 6 released a beta version of the Flash
Player plug-in that has the sandbox for Firefox for Windows Vista and Windows
7. The final version is expected later this year.
A plug-in for Google's
Chrome browser was released in 2010.
A sandbox isolates processes
running on the computer from the rest of the operating system and from other
programs. If a malicious code tries to take advantage of a vulnerability to
escalate privileges or modify existing processes, it is unable to because of
the enforced isolation.
"For Flash Player, this
is the next evolutionary step in protecting our customers," Peleus Uhley,
a platform security strategist at Adobe, wrote on the Adobe
Secure Software Engineering Team
The design of the Flash
Player sandbox is similar to what Protect Mode included in Adobe Reader X,
according to Uhley. The plug-in has a "broker," a "low-integrity,
highly restricted process" that decides what actions and code the Player
can execute outside the sandbox. Everything else is executed inside the
sandbox, so the browser and operating system is protected from code trying to
run privileged actions, Uhley said. The sandboxed process has the same job
controls and privilege restrictions as Reader's Protected Mode.
Adobe's Flash Player, Reader
and Acrobat software are frequently targeted by attackers, primarily because
they installed on practically every endpoint around the world.
Malicious code inside a
Flash file, when executed, could cause the Player to crash and allow attackers
to compromise the browser or the operating system. Attackers used documents and
spreadsheets with embedded malicious Flash files against a number of
high-profile victims, including RSA Security, last year.
To help protect users, Adobe
launched Protected Mode in Reader and Acrobat X in November 2010. Even though
there have been many exploits targeting Reader and Acrobat since then, to date,
none of them have been able to break out of Protected Mode and compromise
Reader and Acrobat X, according to Adobe. Even recently discovered exploits
targeting zero-day vulnerabilities were successfully blocked in Reader and
Similarly, Microsoft built
in a Protected Mode sandbox for Internet Explorer, which has made it harder for
attackers to target the browser, according to Kurt Baumgartner, a senior
security researcher for Kaspersky Lab.
"We hope to see similar
results with the Flash Player sandbox," Uhley said.
Ever since Adobe launched
Protected Mode sandboxing technology, it has effectively protected users by
increasing the cost of attacking software, Brad Arkin, senior director of
product security and privacy, told attendees at the Kaspersky
Lab Security Analyst Summit
last week. Mitigation technologies such as
Protected Mode make it more difficult for attackers to write an exploit that
can successfully target a particular vulnerability, Arkin said.
Finding a bug is "fairly
straightforward," writing an exploit is "harder" and writing a
reliable exploit that works all the time is "even harder," Arkin
Adobe's goal isn't to
"find and fix every security bug" in its software, Arkin said.
Considering the sheer size of the programs and the fact that modifying code in
one section may have unintended consequences on other parts of the program, the
effort would be "infeasible," according to Arkin.
Adobe Flash Player Protected
Mode for Firefox 4.0 or later will be supported on both Windows Vista and
Windows 7. Adobe said it worked with Mozilla engineers to launch the plug-in,
which is available for developers from the Adobe Website.
While the latest plug-in
helps "move defense forward and in the right direction," getting
people to upgrade their Flash Player plug-ins to use the sandbox when it is
generally available would remain a challenge, according to Baumgartner.
"All too often, people
forget that they are running outdated versions of the software, or disabled the
software update options of their software," Baumgartner wrote on the Securelist