Slashdot Mirror


Sandboxed Flash Player Coming To Firefox

Trailrunner7 writes "Adobe, which has spent the last few years trying to dig out of a deep hole of vulnerabilities and buggy code, is making a major change to Flash, adding a sandbox to the version of the player that runs in Firefox. The sandbox is designed to prevent many common exploit techniques against Flash. The move by Adobe comes roughly a year after the company added a sandbox to Flash for Google Chrome. Flash, which is perhaps the most widely deployed piece of software on the Internet, has been a common attack vector for several years now, and the attacks in some cases have been used to get around exploit mitigations added by the browser vendors. The sandbox is designed to prevent many of these attacks by not allowing exploits against Flash to break out into the browser itself."

8 of 86 comments

  1. Re:Here's my hope. by Galestar · Score: 5, Informative

    I'd love to see a ban on FMV ads...

    Install FlashBlock

    --
    AccountKiller
  2. Re:Here's my hope. by Hatta · Score: 5, Informative

    Why are you not using NoScript?

    --
    Give me Classic Slashdot or give me death!
  3. Re:'bout time! by jjjhs · Score: 5, Informative

    They isolated plugins (incl. Flash and Silverlight) from crashing the browser a long time ago. Version 3.6 or something.

  4. Re:'bout time! by __1200333 · Score: 5, Informative

    Switching from on-board to USB audio on Windows 7 reliably hangs Flash for me.

    However, you CAN do something about it! Find the right plugin-container.exe process (usually easy because it's the one taking hundreds of megabytes) and kill it. Firefox will now resume and give you the "your plugin has crashed" screen wherever Flash was embedded previously.

  5. Re:Here's my hope. by 1800maxim · Score: 2, Informative

    Because it breaks the browsing experience on just about every site out there, and manually having to white-list each site is a painful process that's a usability nightmare.

  6. Re:A third layer of sandboxing? by icebraining · Score: 3, Informative

    NPAPI is just an API, not a sandbox. plugin-container just prevents Flash from taking the browser with it when it crashes randomly; it doesn't protect anything from malicious code.

  7. Re:'bout time! by Anonymous Coward · Score: 2, Informative

    Open about:config
    Search for "dom.ipc.plugins.timeoutSecs"
    Change it (from 45!) to 10 or 5.

    This should (hopefully) force Flash to crash faster. Be careful if the PC is really slow, though, as clicking buttons that cause some sort of slow calculation to happen may crash the applet on you.

  8. Re:'bout time! by Justin_Schuh · Score: 4, Informative

    Actually, Flash has been sandboxed in Chrome for about a year, but it's not fully sandboxed. To explain, the Chrome sandbox architecture supports five levels on Windows. Chrome's web content and its native PDF reader run at USER_LOCKDOWN and JOB_LOCKDOWN (level 5), which means a deny-only token. Right now Chrome's Flash sandbox runs at USER_INTERACTIVE (level 2) plus low-integrity level (just a bit better than IE's sandbox). However, we've been working for almost two years on a version of Flash that runs in as strong a sandbox as native Chrome content. My post was explaining how to test an alpha release of that improved Flash sandbox.