Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sandboxed Flash Player Coming To Firefox

Posted by Soulskill on from the box-in-the-fox dept.

Trailrunner7 writes "Adobe, which has spent the last few years trying to dig out of a deep hole of vulnerabilities and buggy code, is making a major change to Flash, adding a sandbox to the version of the player that runs in Firefox. The sandbox is designed to prevent many common exploit techniques against Flash. The move by Adobe comes roughly a year after the company added a sandbox to Flash for Google Chrome. Flash, which is perhaps the most widely deployed piece of software on the Internet, has been a common attack vector for several years now, and the attacks in some cases have been used to get around exploit mitigations added by the browser vendors. The sandbox is designed to prevent many of these attacks by not allowing exploits against Flash to break out into the browser itself."

14 of 86 comments (clear)

  1. Here's my hope. by Moryath · · Score: 4, Insightful

    Maybe sandboxing the damn flash player will stop it from periodically causing Firefox to hang for 30 seconds or so thanks to some damn ugly "full motion video" ad that's trying to load up?

    I'd love to see a ban on FMV ads. Double for FMV ads that start themselves automatically, and quadruple for those fucking ads that blast audio after doing so.

    1. Re:Here's my hope. by Galestar · · Score: 5, Informative

      I'd love to see a ban on FMV ads...

      Install FlashBlock

      --
      AccountKiller
    2. Re:Here's my hope. by Hatta · · Score: 5, Informative

      Why are you not using NoScript?

      --
      Give me Classic Slashdot or give me death!
    3. Re:Here's my hope. by cmarkn · · Score: 3, Insightful

      Yes, because clicking once for each domain that provides scripts to the site, the first time you visit it, is such a nightmare.

      --
      People should not fear their government. Governments should fear their people.
    4. Re:Here's my hope. by Hatta · · Score: 4, Interesting

      Funny how my mac using artist girlfriend has no problems whatsoever with that "usability nightmare". Since she discovered it (on her own, no software evangelism in this household), she regularly comments on how awful the internet is when she has to use it without NoScript. THAT is the real usability nightmare.

      --
      Give me Classic Slashdot or give me death!
  2. Whitelist by sakdoctor · · Score: 4, Insightful

    The whitelist for flash is in the single digits. Most sites don't need that privilege.
    Youtube, a couple of porn sites ... that's about it really.

  3. Half Way There by rsmith-mac · · Score: 3, Insightful

    Considering Flash's extensive use as an attack vector this is great news. I would sleep better at night though if Firefox itself was also sandboxed; in fact I'm a bit surprised you can even sandbox Flash when the browser doesn't support it.

  4. sorry adobe, by nimbius · · Score: 5, Funny

    the problem with flash security and flash in general is your corporate culture, as is evidenced by consistent prior refusals to patch egregious bugs.

    consider HTML5. I personally liken it to a high caliber rifle in the face of your diseased and crippled cash cow.
    so long, and please dont hesitate to continue pedaling the rest of your product line straight into the ground and hell beyond with the same toxic mismanagement as flash. We here on the internet will gladly engineer the future at your expense, until your corporate office is nothing more than the 21st century equivalent of bleached bones rotting in the noon-day sun, vultured by contractors and languishing at the precipice of bankruptcy.

    --
    Good people go to bed earlier.
  5. Project Codename: Sieve by CyberDog3K · · Score: 5, Funny

    Yes, let's all rely on Adobe, the company who wrote one of the planet's least secure multimedia delivery platforms in history, to save us from their own software. I'm sure the sandbox will be stable and secure and in no way, shape, or form, completely useless and awful.

  6. Re:'bout time! by jjjhs · · Score: 5, Informative

    They isolated plugins (incl Flash and Silverlight) from crashing the browser a long time ago. Version 3.6 or something.

  7. Re:'bout time! by __1200333 · · Score: 5, Informative

    Switching from on-board to usb audio on windows 7 reliably hangs flash for me.

    However, you CAN do something about it! Find the right plugin-container.exe process (usually easy because it's the one taking hundreds of megabytes) and kill it. Firefox will now resume and give you the "your plugin has crashed" screen wherever flash was embedded previously.

  8. Re:'bout time! by icebike · · Score: 3, Interesting

    Chrome Already sandboxes Flash, but only if you turn it on, and only in the DEV branch (Version 17 is current dev version as of this writing).

    You can turn it on as explained here: https://plus.google.com/u/0/116560594978217291380/posts/CJvbAMkBiNf

    --
    Sig Battery depleted. Reverting to safe mode.
  9. Re:A third layer of sandboxing? by icebraining · · Score: 3, Informative

    NPAPI is just an API, not a sandbox. plugin-container just prevents flash from taking the browser with it when it crashes randomly, it doesn't protect anything from malicious code.

    --
    Dilbert RSS feed
  10. Re:'bout time! by Justin_Schuh · · Score: 4, Informative

    Actually, Flash has been sandboxed in Chrome for about a year, but it's not fully sandboxed. To explain, the Chrome sandbox architecture supports five levels on Windows. Chrome's web content and its native PDF reader run at USER_LOCKDOWN and JOB_LOCKDOWN (level 5), which means a deny-only token. Right now Chrome's Flash sandbox runs at USER_INTERACTIVE (level 2) plus low-integrity level (just a bit better than IE's sandbox). However, we've been working for almost two years on a version of Flash that runs in as strong a sandbox as native Chrome content. My post was explaining how to test an alpha release of that improved Flash sandbox.