Adobe has released a new version of the Flash player that now gives Firefox users the additional security of a sandbox and also includes a background update mechanism for Mac users. Flash has run in a sandbox on Google Chrome and Internet Explorer for some time already.
The big security news in Flash player 11.3 is the addition of the protected mode sandbox for Firefox on Windows. That’s a major change for Adobe, which has been adding sandboxes to its main product lines for a couple of years now. Adobe Reader X has run in protected mode, which is what Adobe calls its sandbox, since its release, and the company also added a sandbox to Flash on Google Chrome.
“Our Protected Mode implementation allows Flash Player to run as a low integrity process with several additional restrictions that prohibit the runtime from accessing sensitive resources. This approach is based on David LeBlanc’s Practical Windows Sandbox design and builds upon what Adobe created for the Adobe Reader X sandbox. By running the Flash Player as a restricted process, Adobe is making it more difficult for an attacker to turn a simple bug into a working exploit. This blog post will provide an overview of the technical implementation of the design,” Peleus Uhley of Adobe said in a blog post.
The sandboxed Flash player in Firefox comprises three separate processes, something that was done to keep the browser and Flash loosely coupled rather than totally integrated in order to make updates easier. Adobe plans to continue updating the way that protected mode in Firefox works.
“Overall, the Flash Player sandbox process has been a journey of incremental improvements with each step bringing end-users a more secure environment. We started by supporting Protected Mode within Internet Explorer, which enabled Flash Player to run as a low integrity process with limited write capabilities. From there, we worked with Google on building the Chrome sandbox, which converted Flash Player to using a more robust broker implementation. This release of Flash Player Protected Mode for Firefox on Windows takes the Chrome implementation one step further by changing Flash Player to run with job limits on the process. With Flash Player Protected Mode being based on the same technology as Adobe Reader X, we are confident that this implementation will be a significant barrier and help prevent exploits via Flash Player for Firefox users,” Uhley said.
The background updater for Mac OS X gives users the ability to set the Flash player to automatically update itself whenever a new version is available, taking some of the worry of patching out of users’ hands.