Slashdot Mirror


Sandboxed Flash Player Coming To Firefox

Trailrunner7 writes "Adobe, which has spent the last few years trying to dig out of a deep hole of vulnerabilities and buggy code, is making a major change to Flash, adding a sandbox to the version of the player that runs in Firefox. The sandbox is designed to prevent many common exploit techniques against Flash. The move by Adobe comes roughly a year after the company added a sandbox to Flash for Google Chrome. Flash, which is perhaps the most widely deployed piece of software on the Internet, has been a common attack vector for several years now, and the attacks in some cases have been used to get around exploit mitigations added by the browser vendors. The sandbox is designed to prevent many of these attacks by not allowing exploits against Flash to break out into the browser itself."

26 of 86 comments

  1. 'bout time! by Anonymous Coward · · Score: 2, Insightful

    It's about damn time they did this for Firefox. I don't know how many times Flash has caused my browser to crash and I couldn't do anything about it. I love how in Chrome only the Flash player dies and not the browser.

    1. Re:'bout time! by jjjhs · · Score: 5, Informative

      They isolated plugins (incl Flash and Silverlight) from crashing the browser a long time ago. Version 3.6 or something.

    2. Re:'bout time! by __1200333 · · Score: 5, Informative

      Switching from on-board to USB audio on Windows 7 reliably hangs Flash for me.

      However, you CAN do something about it! Find the right plugin-container.exe process (usually easy because it's the one taking hundreds of megabytes) and kill it. Firefox will now resume and give you the "your plugin has crashed" screen wherever flash was embedded previously.

    3. Re:'bout time! by icebike · · Score: 3, Interesting

      Chrome already sandboxes Flash, but only if you turn it on, and only in the DEV branch (Version 17 is current dev version as of this writing).

      You can turn it on as explained here: https://plus.google.com/u/0/116560594978217291380/posts/CJvbAMkBiNf

      --
      Sig Battery depleted. Reverting to safe mode.
    4. Re:'bout time! by Anonymous Coward · · Score: 2, Informative

      Open about:config
      Search for "dom.ipc.plugins.timeoutSecs"
      Change it (from 45!) to 10 or 5.

      This should (hopefully) force Flash to crash faster. Be careful if the PC is really slow, though, as clicking buttons that cause some sort of slow calculation to happen may crash the applet on you.

    5. Re:'bout time! by Justin_Schuh · · Score: 4, Informative

      Actually, Flash has been sandboxed in Chrome for about a year, but it's not fully sandboxed. To explain, the Chrome sandbox architecture supports five levels on Windows. Chrome's web content and its native PDF reader run at USER_LOCKDOWN and JOB_LOCKDOWN (level 5), which means a deny-only token. Right now Chrome's Flash sandbox runs at USER_INTERACTIVE (level 2) plus low-integrity level (just a bit better than IE's sandbox). However, we've been working for almost two years on a version of Flash that runs in as strong a sandbox as native Chrome content. My post was explaining how to test an alpha release of that improved Flash sandbox.

  2. Here's my hope. by Moryath · · Score: 4, Insightful

    Maybe sandboxing the damn flash player will stop it from periodically causing Firefox to hang for 30 seconds or so thanks to some damn ugly "full motion video" ad that's trying to load up?

    I'd love to see a ban on FMV ads. Double for FMV ads that start themselves automatically, and quadruple for those fucking ads that blast audio after doing so.

    1. Re:Here's my hope. by Galestar · · Score: 5, Informative

      I'd love to see a ban on FMV ads...

      Install FlashBlock

      --
      AccountKiller
    2. Re:Here's my hope. by Hatta · · Score: 5, Informative

      Why are you not using NoScript?

      --
      Give me Classic Slashdot or give me death!
    3. Re:Here's my hope. by 1800maxim · · Score: 2, Informative

      Because it breaks the browsing experience on just about every site out there, and manually having to white-list each site is a painful process that's a usability nightmare.

    4. Re:Here's my hope. by cmarkn · · Score: 3, Insightful

      Yes, because clicking once for each domain that provides scripts to the site, the first time you visit it, is such a nightmare.

      --
      People should not fear their government. Governments should fear their people.
    5. Re:Here's my hope. by Yvan256 · · Score: 2

      Here's an easy solution: remove Flash from your system.

    6. Re:Here's my hope. by Hatta · · Score: 4, Interesting

      Funny how my Mac-using artist girlfriend has no problems whatsoever with that "usability nightmare". Since she discovered it (on her own, no software evangelism in this household), she regularly comments on how awful the internet is when she has to use it without NoScript. THAT is the real usability nightmare.

      --
      Give me Classic Slashdot or give me death!
    7. Re:Here's my hope. by Inda · · Score: 2

      Give the man a break.

      I tried NoScript for a week and had to give up. When a site is loading 20 JS includes, how do you know which ones to allow for functionality, and which ones are trackers and ad-servers?

      Block them all!

      Only you can't block them all as that often blocks content. That was probably the final straw for me - the blocked content - Google showed me a page I needed, and yet after loading the page, only the H1 headers were displayed, as the rest was generated by JS. That fails the "Dad test" every time.

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
    8. Re:Here's my hope. by Tim+C · · Score: 2

      That fixes it for him. Banning FMV ads fixes it for everyone.

    9. Re:Here's my hope. by JDG1980 · · Score: 2

      Why are you not using NoScript?

      Can't answer on his behalf, but I don't use NoScript because it breaks virtually every site on the Web by default.

  3. Whitelist by sakdoctor · · Score: 4, Insightful

    The whitelist for flash is in the single digits. Most sites don't need that privilege.
    YouTube, a couple of porn sites ... that's about it really.

  4. Half Way There by rsmith-mac · · Score: 3, Insightful

    Considering Flash's extensive use as an attack vector this is great news. I would sleep better at night though if Firefox itself was also sandboxed; in fact I'm a bit surprised you can even sandbox Flash when the browser doesn't support it.

    1. Re:Half Way There by godrik · · Score: 2

      Personally, I run firefox using a separate user account which has read permission only where it needs. (for instance, no /etc and no /home except /etc/iceweasel and /home/firefox obviously)

    2. Re:Half Way There by icebraining · · Score: 2

      A sandbox can permit saving files to a single specific directory while still denying access to any other directory.

    3. Re:Half Way There by PReDiToR · · Score: 2

      If you use Windows give Sandboxie a look over.
      When a file is downloaded you can recover to the directory the browser specifies or choose another location. Leaving it inside the sandbox and running it there (keygen, trial install) gives you the opportunity to remove the whole install if it contains malware, foistware or other crap you don't want.

      --

      Do not meddle in the affairs of geeks for they are subtle and quick to anger
  5. sorry adobe, by nimbius · · Score: 5, Funny

    the problem with flash security and flash in general is your corporate culture, as is evidenced by consistent prior refusals to patch egregious bugs.

    consider HTML5. I personally liken it to a high caliber rifle in the face of your diseased and crippled cash cow.
    so long, and please don't hesitate to continue pedaling the rest of your product line straight into the ground and hell beyond with the same toxic mismanagement as flash. We here on the internet will gladly engineer the future at your expense, until your corporate office is nothing more than the 21st century equivalent of bleached bones rotting in the noon-day sun, vultured by contractors and languishing at the precipice of bankruptcy.

    --
    Good people go to bed earlier.
  6. Project Codename: Sieve by CyberDog3K · · Score: 5, Funny

    Yes, let's all rely on Adobe, the company who wrote one of the planet's least secure multimedia delivery platforms in history, to save us from their own software. I'm sure the sandbox will be stable and secure and in no way, shape, or form, completely useless and awful.

    1. Re:Project Codename: Sieve by Anomalyst · · Score: 2

      I can't imagine any of these "features" would have any possible positive aspect for me when using a browser.
      At best they are trivial convenience stuff to assist the marketdroids to present the sheeple with their "vision".
      I DON'T want marketing dweebs running poorly conceived and even more poorly implemented code on my machine, no matter how well sandboxed.
      NoScript and Adblock FTW.

      --
      There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
  7. Re:A third layer of sandboxing? by icebraining · · Score: 3, Informative

    NPAPI is just an API, not a sandbox. plugin-container just prevents flash from taking the browser with it when it crashes randomly, it doesn't protect anything from malicious code.
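
An added illustration of the distinction drawn in the comment above (not part of the thread, and not Mozilla's or Adobe's code): a host that runs constructed "plugin" snippets out of process survives their crash or hang, yet the child can still read any file the user can. `run_plugin`, the three snippets and the timeout values are hypothetical names and numbers chosen for this sketch.

```python
import os
import subprocess
import sys
import tempfile

# Constructed stand-ins for plugin behaviour; each runs in its own child process.
CRASH = "import os; os.abort()"                                  # plugin crashes
HANG = "import time; time.sleep(60)"                             # plugin hangs
SNOOP = "import sys; print(open(sys.argv[1]).read(), end='')"    # plugin reads a user file


def run_plugin(code, *args, timeout_secs=5):
    """Run 'plugin' code out of process, the way a plugin host would.

    Returns (status, stdout). The host survives crashes and hangs, but the
    child keeps the host user's full file access: isolation, not a sandbox.
    """
    proc = subprocess.Popen([sys.executable, "-c", code, *args],
                            stdout=subprocess.PIPE,
                            stderr=subprocess.DEVNULL, text=True)
    try:
        out, _ = proc.communicate(timeout=timeout_secs)
    except subprocess.TimeoutExpired:
        proc.kill()            # hang detector, in the spirit of a plugin timeout
        proc.communicate()     # reap the killed child
        return "hung-killed", ""
    if proc.returncode != 0:   # abnormal exit: treat as a plugin crash
        return "crashed", out
    return "ok", out


def demo():
    # Constructed "private" file owned by the same user as the host process.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("constructed private note")
        path = f.name
    try:
        return {
            "crash": run_plugin(CRASH)[0],                 # host keeps running
            "hang": run_plugin(HANG, timeout_secs=1)[0],   # host kills the child
            "snoop": run_plugin(SNOOP, path),              # nothing stops the read
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The first two results are what out-of-process plugins buy you; the third is what only a real sandbox (restricted token, low integrity level, separate user account) would change.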

  8. It's about time by PPH · · Score: 2

    My cat has been trying to bury Flash for years.

    --
    Have gnu, will travel.