Mac OS X Mavericks may have brought with it iBooks and Maps to the Apple desktop operating system, but for security conscious users, perhaps the thing most worth noting is the addition of sandbox protection for Adobe Flash Player for the Safari browser, announced yesterday by Adobe.
“By providing this extra layer of protection to Safari users on OS X Mavericks, we can make it one step harder to exploit our mutual customers,” said Peleus Uhley, Platform Security Strategist at Adobe. “The result is that customers can still view Flash Player content while benefiting from these added security protections.”
Apple was the last holdout among major browser vendors not to have protection for Flash files with sandboxing technology. The OS X App Sandbox protects Flash files by defining the security permissions for the multimedia player when it runs. This keeps potentially malicious files inside the sandbox and limits the extent to which an attacker is able to exploit a vulnerability in Flash to get at the underlying system.
“As you might expect, Flash Player’s capabilities to read and write files will be limited to only those locations it needs to function properly,” Uhley said. “The sandbox also limits Flash Player’s local connections to device resources and inter-process communication (IPC) channels. Finally, the sandbox limits Flash Player’s networking privileges to prevent unnecessary connection capabilities.”
Third-party software such as Adobe Flash, Reader, Acrobat, Java from Oracle and others, have been the preferred targets for hackers, who have had relatively little trouble exploiting these ubiquitous technologies—even those that have been sandboxed.
While most of these attacks have been limited to Windows machines, Apple’s Mac OS X platform has not been immune. Most notably, several variants of the Flashback Trojan hit hundreds of thousands of Apple machines, exploiting for the most part Java vulnerabilities to disable innate Apple malware protection known as XProtect and establish backdoor communication with a remote server.
Adobe Flash Player was sandboxed in Internet Explorer 10 upon the release of Windows 8 last year. Google, meanwhile, put Flash in a Chrome sandbox 11 months ago and introduced a Flash Player Protected Mode for Firefox in June 2012.