Attackers have spent the last few years learning the ins and outs of Adobe Flash, looking for all of its weak spots, unintended behaviors and any other oddities that will enable them to exploit it. That’s been a profitable investment for them, but browser manufacturers and Adobe have been taking steps to change that, with the latest one being Google’s decision to place Flash in a full sandbox inside of Chrome.
Google initially added a sandbox to Flash on Chrome in late 2010, saying at the time that it was the first step in a process to make the popular software more secure and less useful for attackers.
“This initial Flash Player sandbox is an important milestone in making Chrome even safer. In particular, users of Windows XP will see a major security benefit, as Chrome is currently the only browser on the XP platform that runs Flash Player in a sandbox. This first iteration of Chrome’s Flash Player sandbox for all Windows platforms uses a modified version of Chrome’s existing sandbox technology that protects certain sensitive resources from being accessed by malicious code, while allowing applications to use less sensitive ones. This implementation is a significant first step in further reducing the potential attack surface of the browser and protecting users against common malware,” Google’s Justin Schuh and Carlos Pizano said in a blog post at the time of the introduction of the Flash sandbox in Chrome.
On Tuesday, Schuh said that the beta of Chrome 21, which is available now, includes a fully sandboxed version of Flash, the latest evolution of the protective mechanism.
“Today’s Chrome 21 beta release has *fully* sandboxed Flash on *all* versions of Windows,” Schuh, a member of Google’s security team, said on Twitter yesterday.
Google has been very aggressive about adding exploit mitigations and sandbox technology to Chrome in the last couple of years, making it one of the more difficult browsers on the market to exploit. In past years, contestants at the Pwn2Own contest during CanSecWest largely ignored Chrome because of these protections and instead went after Firefox and Internet Explorer. That changed this year when the rules of the contest were modified and a team from VUPEN successfully compromised Chrome.
Two other researchers also found and exploited bugs in Chrome as part of Google’s own Pwnium contest this year.