The H-Online: Adobe has released a public beta of a sandboxed version of its Flash plugin for Firefox in an effort to improve its security. The new “Protected Mode” for Flash, which has been in development for at least a year according to Adobe engineer Peleus Uhley, runs with restricted privileges and, to further limit its access to the system, can only access system resources through a broker. This should help intercept attackers trying to gain access to a system through malicious Flash files.
The implementation is similar, says Uhley, to how Adobe Reader X’s sandbox works, and he points out that “since its launch in November 2010, we have not seen a single successful exploit in the wild against Adobe Reader X”. Development of the plugin has been assisted by Mozilla developers who have helped with “some of the more challenging browser integration bugs”. Uhley calls the plugin the “next evolutionary step in protecting our customers”.
Google’s Chrome browser has included a sandboxed version of Flash for a while, although that implementation was developed by Google themselves. The effectiveness of that sandbox and other security mechanisms in Chrome is why the browser was recently recommended by the German government as part of securing a Windows PC.
Firefox developers had also been working on Electrolysis, a more general sandboxing solution, but work on that project was suspended in November of last year. The Protected Mode plugin can be downloaded for Firefox 4.0 or later on Windows Vista and 7 from the Adobe Labs site.