Adobe Sandboxes Flash in Firefox

I am happy to post that Adobe has released beta code for sandboxing Flash content within Firefox.  Sandboxing is an excellent way to isolate ancillary code from the operating system and other applications.  I have been using it for years to keep my browser and its myriad vulnerabilities isolated after experimenting with it in malware analysis.  It just makes sense to contain the raft of cruft that tends to come in from an uncontroled, but necessary network, like the Internet.

It is not a foolproof method for containing all malware or avoiding malicious content, but it cuts down significantly on the impact of what mal-content can do by restricting its reach, and it increases the cost, package size, and effort required on the part of the bad guys to get through an additional layer of defense.  Every defensive layer that they have to identify and circumvent presents another opportunity to discover and analyze their attack code…

Adobe used elements of Google’s Chrome sandboxing technology in its Reader code after a flurry of vulnerability announcements and high profile attacks targeting the application.  Adobe says that since its launch in November 2010, they have not seen a single successful exploit in the wild against Adobe Reader X, where they initially offered sandboxing technology.

The new code currently supports Firefox 4.0 or later running on Windows 7 or Vista.  Adobe promises wider browser protection soon.  More details will be given at the CanSecWest security conference in Vancouver, BC next month.  I sure would like to attend this conference.  Maybe I will meet some of you there?!

UPDATE:  ComputerWorld reports that IE is next on Adobe’s list to “sandbox” its popular Flash Player within browsers, Adobe’s head of security said today.

Advertisements

Adobe Flash XSS Patch

Adobe has issued a patch for Flash after 0-day cross site scripting (XSS) attacks were detected in the wild using email as the primary attack vector.

Anyone with Flash Player 10.3.181.16 or earlier for Windows, Mac, or Linux should update to 10.3.181.22 (10.3.181.23 for ActiveX) ASAP.  Flash running on Android devices is also affected, and will be addressed in a separate fix this week.

CVE-2011-2107 is rated as “important” by the vendor, rather than the expected critical.  The patch was considered serious enough for Adobe to fix it outside of its normal monthly cycle, all part of the company’s reformed ‘beter safe than sorry’ attitude in the wake of repeated attacks on its products and add-ons during 2008, 2009, and 2010.

http://get.adobe.com/flashplayer/

Another Busy Patch Release Day…

Microsoft has released 14 patches against 34 vulnerabilities, plenty of them are remote code execution, however most were privately disclosed.  Adobe has half a dozen.

It’s just so much easier to go to the SANS website rather than have me do a quick rehash of the excellent job they’ve already done in analyzing these vulnerability reports.  Take the CRITICALS on the board to heart when consiudering priorities.  There are a number of vulnerabilities in this patch release that I am going to be placing on my watch list, and I expect them to get some quick play on the dev boards.  Also note the exploit code and 0-day updates.  http://isc.sans.edu/diary.html?storyid=9361

Adobe also released a number of patches for their products, patching 6 vulnerabilities in Flash Player, all of them rated critical.   Today’s update was 2010’s third for Flash Player, a browser plug-in that’s installed on an estimated 99% of all personal computers.  Previous updates in March and June have fixed a total of 33 other flaws.  One of the patches is a second try for Adobe.  The company tried to patch the CVE-2010-2188 flaw in Flash Player 2 months ago.  However, about 2 weeks later, Adobe admitted its fix had failed, leaving users hanging with technical information and research papers published about the vulnerability.

Adobe revealed only the scantest of details about the freshly patched bugs in their security advisory.  5 of the 6 were labeled as “memory corruption” vulnerabilities, while the 6th could potentially be used in a “click-jacking” attack.  Adobe is unaware of any in-the-wild exploitation of the vulnerabilities. 

Here are the links to the each of the security updates,

Flash Media Server – Rated Critical by Adobe

Adobe AIR and Flash – Rated Critical by Adobe

ColdFusion – Rating : Rated Important by Adobe