This release follows the announcement of a sandbox for Adobe’s PDF Reader earlier this year. A sandbox is a security measure to separate running programs; it provides a controlled set of resources and prevents applications from accessing protected resources.
Google said it had been working since March on sandbox technology for the Adobe Flash Player in the Chrome browser.
“Users of Windows XP will see a major security benefit, as Chrome is currently the only browser on the XP platform that runs Flash Player in a sandbox”, wrote Justin Schuh and Carlos Pizano, Google software engineers, on a Dec. 1 Chromium Blog post.
“This first iteration of Chrome’s Flash Player sandbox for all Windows platforms uses a modified version of Chrome’s existing sandbox technology that protects certain sensitive resources from being accessed by malicious code, while allowing applications to use less sensitive ones. This implementation is a significant first step in further reducing the potential attack surface of the browser and protecting users against common malware”, the Google engineers wrote.
Peleus Uhley, Adobe senior security strategist, wrote on the Adobe Secure Software Engineering Team blog: “We have enabled sandboxing support within Chrome’s integrated version of Flash Player (gcswf32.dll). For initial testing, the sandboxing code currently supports Windows XP, Windows Vista and Windows 7. There are plans to make this available for all OS platforms once we are further along in testing and development.”
Uhley added that “since this is a distinctly different sandboxing code base from Internet Explorer, we are essentially starting from scratch. Therefore, we still have a few bugs that we are working through. We hope that we can use this experience as a platform for discussing sandbox approaches with the other browser vendors.”
Adobe is working on additional defenses, such as JIT spraying mitigation for Flash Player, to protect end users, Uhley wrote. Adobe is also working with other browser vendors on sandbox approaches for Flash Player, he added.