Google and Adobe Systems have partnered to bring sandboxing technology to bear in the version of Flash Player bundled with Google Chrome.
Just last month, Adobe Systems released the latest version of Reader
with a new sandboxing approach to improve security.
Today, the company announced it has partnered with Google to extend that
protection to Flash Player users running the Google Chrome browser.
Google has long trumpeted sandboxing as an extra protective layer against
attacks, and has added it to both the Chrome browser and the upcoming
Chrome OS. Adobe and Google have been
working together since March to allow Flash Player to take advantage of the
technology in Chrome, and are now rolling the capability out in Chrome
9.0.587.0 for users on Windows XP, Vista and Windows
Chrome 9.0.587.0 is currently in Google's dev channel.
"This initial Flash Player sandbox is an important milestone in making
Chrome even safer," Google software engineers Justin Schuh and Carlos
Pizano wrote in a joint
. "In particular, users of Windows XP will see a major
security benefit, as Chrome is currently the only browser on the XP platform
that runs Flash Player in a sandbox. This first iteration of Chrome's Flash
Player sandbox for all Windows platforms uses a modified version of Chrome's
existing sandbox technology that protects certain sensitive resources from being
accessed by malicious code, while allowing applications to use less sensitive
"This implementation is a significant first step in further reducing
the potential attack surface of the browser and protecting users against common
malware," they wrote.
A spokesperson for Adobe explained that the sandbox, known as "Protected
Mode," limits the severity of exploits and helps prevent attackers
from installing "persistent malware in the user's account" because
writing to the file system is prohibited.
"Exploits also cannot read and steal arbitrary files from the user's
machine," the spokesperson said. "In other words, if a user visits a
Website hosting malicious Flash content, any exploit code designed to write to
the user's system will be blocked by the sandbox - the attacker will not be able
to install malicious code on the user's system."
The technology is expected to be generally available to end users between
early and mid-2011, the spokesperson added. Though the Protected Mode feature
currently only supports Chrome users on Windows, there are plans to make it
available for all operating systems, according to Peleus Uhley, senior security
strategist for the Adobe Secure Software Engineering Team.
Flash Player already supports Protected Mode in Internet Explorer on Windows
7 and Vista, but that represents only a small subset of
Windows users, Uhley blogged.
"Over the next few months, we will be testing and receiving feedback on
this project," he wrote. "Since this is a distinctly different
sandboxing code base from Internet Explorer, we are essentially starting from
scratch. Therefore, we still have a few bugs that we are working through. We
hope that we can use this experience as a platform for discussing sandbox
approaches with the other browser vendors."