Two of the three major Web browsers now offer some form of Flash Player with built-in sandbox protection. Internet Explorer is not one of them.
Adobe has been modifying its popular Flash Player to include the sandbox technology that would block malicious code before executing. Adobe on Feb. 6 released a beta version of the Flash Player plug-in that has the sandbox for Firefox for Windows Vista and Windows 7. The final version is expected later this year.
A plug-in for Google’s Chrome browser was released in 2010.
A sandbox isolates processes running on the computer from the rest of the operating system and from other programs. If a malicious code tries to take advantage of a vulnerability to escalate privileges or modify existing processes, it is unable to because of the enforced isolation.
“For Flash Player, this is the next evolutionary step in protecting our customers,” Peleus Uhley, a platform security strategist at Adobe, wrote on the Adobe Secure Software Engineering Team blog.
The design of the Flash Player sandbox is similar to what Protect Mode included in Adobe Reader X, according to Uhley. The plug-in has a “broker,” a “low-integrity, highly restricted process” that decides what actions and code the Player can execute outside the sandbox. Everything else is executed inside the sandbox, so the browser and operating system is protected from code trying to run privileged actions, Uhley said. The sandboxed process has the same job controls and privilege restrictions as Reader’s Protected Mode.
Adobe’s Flash Player, Reader and Acrobat software are frequently targeted by attackers, primarily because they installed on practically every endpoint around the world.
Malicious code inside a Flash file, when executed, could cause the Player to crash and allow attackers to compromise the browser or the operating system. Attackers used documents and spreadsheets with embedded malicious Flash files against a number of high-profile victims, including RSA Security, last year.
To help protect users, Adobe launched Protected Mode in Reader and Acrobat X in November 2010. Even though there have been many exploits targeting Reader and Acrobat since then, to date, none of them have been able to break out of Protected Mode and compromise Reader and Acrobat X, according to Adobe. Even recently discovered exploits targeting zero-day vulnerabilities were successfully blocked in Reader and Acrobat X.
Similarly, Microsoft built in a Protected Mode sandbox for Internet Explorer, which has made it harder for attackers to target the browser, according to Kurt Baumgartner, a senior security researcher for Kaspersky Lab.
“We hope to see similar results with the Flash Player sandbox,” Uhley said.
Ever since Adobe launched Protected Mode sandboxing technology, it has effectively protected users by increasing the cost of attacking software, Brad Arkin, senior director of product security and privacy, told attendees at the Kaspersky Lab Security Analyst Summit last week. Mitigation technologies such as Protected Mode make it more difficult for attackers to write an exploit that can successfully target a particular vulnerability, Arkin said.
Finding a bug is “fairly straightforward,” writing an exploit is “harder” and writing a reliable exploit that works all the time is “even harder,” Arkin said.
Adobe’s goal isn’t to “find and fix every security bug” in its software, Arkin said. Considering the sheer size of the programs and the fact that modifying code in one section may have unintended consequences on other parts of the program, the effort would be “infeasible,” according to Arkin.
Adobe Flash Player Protected Mode for Firefox 4.0 or later will be supported on both Windows Vista and Windows 7. Adobe said it worked with Mozilla engineers to launch the plug-in, which is available for developers from the Adobe Website.
While the latest plug-in helps “move defense forward and in the right direction,” getting people to upgrade their Flash Player plug-ins to use the sandbox when it is generally available would remain a challenge, according to Baumgartner.
“All too often, people forget that they are running outdated versions of the software, or disabled the software update options of their software,” Baumgartner wrote on the Securelist blog.