Google, Adobe Bolster Flash Player Security with Sandboxing Technology Plans

Google and Adobe Systems have partnered to bring sandboxing technology to bear in the version of Flash Player bundled with Google Chrome.

Just last month, Adobe Systems released the latest version of Reader with a new sandboxing approach to improve security. Today, the company announced it has partnered with Google to extend that protection to Flash Player users running the Google Chrome browser.

Google has long trumpeted sandboxing as an extra protective layer against attacks, and has added it to both the Chrome browser and the upcoming Chrome OS. Adobe and Google have been working together since March to allow Flash Player to take advantage of the technology in Chrome, and are now rolling the capability out in Chrome 9.0.587.0 for users on Windows XP, Vista and Windows 7.

Chrome 9.0.587.0 is currently in Google's dev channel.

"This initial Flash Player sandbox is an important milestone in making Chrome even safer," Google software engineers Justin Schuh and Carlos Pizano wrote in a joint blog post. "In particular, users of Windows XP will see a major security benefit, as Chrome is currently the only browser on the XP platform that runs Flash Player in a sandbox. This first iteration of Chrome's Flash Player sandbox for all Windows platforms uses a modified version of Chrome's existing sandbox technology that protects certain sensitive resources from being accessed by malicious code, while allowing applications to use less sensitive ones.

"This implementation is a significant first step in further reducing the potential attack surface of the browser and protecting users against common malware," they wrote.

A spokesperson for Adobe explained that the sandbox-known as "Protected Mode"-limits the severity of exploits and helps prevent attackers from installing "persistent malware in the user's account" because writing to the file system is prohibited.

"Exploits also cannot read and steal arbitrary files from the user's machine," the spokesperson said. "In other words, if a user visits a Website hosting malicious Flash content, any exploit code designed to write to the user's system will be blocked by the sandbox-the attacker will not be able to install malicious code on the user's system."

The technology is expected to be generally available to end users between early and mid-2011, the spokesperson added. Though the Protected Mode feature currently only supports Chrome users on Windows, there are plans to make it available for all operating systems, according to Peleus Uhley, senior security strategist for the Adobe Secure Software Engineering Team.

Flash Player already supports Protected Mode in Internet Explorer on Windows 7 and Vista, but that represents only a small subset of Windows users, Uhley blogged.

"Over the next few months, we will be testing and receiving feedback on this project," he wrote. "Since this is a distinctly different sandboxing code base from Internet Explorer, we are essentially starting from scratch. Therefore, we still have a few bugs that we are working through. We hope that we can use this experience as a platform for discussing sandbox approaches with the other browser vendors."