I am happy to post that Adobe has released beta code for sandboxing Flash content within Firefox. Sandboxing is an excellent way to isolate ancillary code from the operating system and other applications. I have been using it for years to keep my browser and its myriad vulnerabilities isolated after experimenting with it in malware analysis. It just makes sense to contain the raft of cruft that tends to come in from an uncontrolled but necessary network, like the Internet.
It is not a foolproof method for containing all malware or avoiding malicious content, but it cuts down significantly on the impact of what mal-content can do by restricting its reach, and it increases the cost, package size, and effort required on the part of the bad guys to get through an additional layer of defense. Every defensive layer that they have to identify and circumvent presents another opportunity to discover and analyze their attack code…
Adobe used elements of Google’s Chrome sandboxing technology in its Reader code after a flurry of vulnerability announcements and high-profile attacks targeting the application. Adobe says that since its launch in November 2010, they have not seen a single successful exploit in the wild against Adobe Reader X, where they initially offered sandboxing technology.
The new code currently supports Firefox 4.0 or later running on Windows 7 or Vista. Adobe promises wider browser protection soon. More details will be given at the CanSecWest security conference in Vancouver, BC next month. I sure would like to attend this conference. Maybe I will meet some of you there?!
UPDATE: According to ComputerWorld, Adobe’s head of security said today that IE is next on Adobe’s list of browsers in which to “sandbox” its popular Flash Player.