Two weeks after releasing Reader X with its new sandbox security mechanism, Adobe has teamed up with Google to enable a sandboxed version of its Flash software to run in Google Chrome.

The two companies said on Wednesday that Google has released a version of Chrome to its developer channel that includes the sandboxed Flash player. Google and Adobe have been working together on sandboxing technology for several months now, and this is the first result of that collaboration. The current release of Chrome with the sandboxed Flash software runs on Windows XP, Vista and Windows 7. The sandbox used for Flash is slightly different from the original Chrome sandbox, Google said.

“This initial Flash Player sandbox is an important milestone in making Chrome even safer. In particular, users of Windows XP will see a major security benefit, as Chrome is currently the only browser on the XP platform that runs Flash Player in a sandbox. This first iteration of Chrome’s Flash Player sandbox for all Windows platforms uses a modified version of Chrome’s existing sandbox technology that protects certain sensitive resources from being accessed by malicious code, while allowing applications to use less sensitive ones. This implementation is a significant first step in further reducing the potential attack surface of the browser and protecting users against common malware,” Google’s Justin Schuh and Carlos Pizano said in a blog post explaining the Flash sandbox in Chrome.

Google and Adobe officials said that they expect to extend the availability of Chrome with the Flash sandbox to other platforms in the near future, although no timetable was specified. Sandboxes have become an important defense mechanism for software makers in the last year or so as they have sought to prevent attackers from using browser-based and PDF-based exploits to jump from vulnerable applications to other apps or the operating system. Microsoft introduced a modified sandbox with Internet Explorer Protected Mode in Vista, and Google included a sandbox in Chrome in 2008.

Adobe officials said they expect some changes to the Flash Chrome sandbox as things progress.

“Over the next few months, we will be testing and receiving feedback on this project. Since this is a distinctly different sandboxing code base from Internet Explorer, we are essentially starting from scratch. Therefore, we still have a few bugs that we are working through. We hope that we can use this experience as a platform for discussing sandbox approaches with the other browser vendors,” Adobe’s Peleus Uhley said in a post about the Flash sandbox.

“The Flash Player team and the Adobe Secure Software Engineering Team (ASSET) are excited to explore this area as an additional defense for protecting our end-users. In addition to sandboxes, we are moving forward in parallel with other Flash Player defenses, such as JIT spraying mitigations.”
