Several changes that Adobe made in Flash 11.3 aim to boost the browser plugin’s security and reduce its susceptibility to attacks. The most significant of those changes is the introduction of sandboxing on the Windows platform.
Due to the frequent discovery of Flash vulnerabilities and the relative ubiquity of the plugin, Flash is one of the most heavily-exploited pieces of software. Adobe and browser vendors have been working to make it harder to exploit by isolating the plugin and working to ensure that users have easier access to the latest version.
Most browsers already implement process isolation for plugins in order to prevent Flash crashes from taking down the whole application. In some browsers, such as Chrome, the plugin is sandboxed on Windows to prevent it from accessing sensitive platform functionality. Adobe has worked with Mozilla to bring that feature to Firefox on Windows.
The sandboxing takes advantage of native security features that Microsoft built into Windows Vista and Windows 7. The Flash plugin will operate in three separate processes, one that interacts with the browser, one that does the bulk of the Flash execution, and one that mediates control of underlying operating system features.
The main Flash process will be run at a “low integrity” level, which will prevent it from writing to the user’s profile, manipulating the registry, or sending messages to higher integrity processes. It will also be encumbered with a number of job restrictions that will further limit its access. In order to reach the filesystem or hardware devices, the sandboxed process will have to go through the OS broker process, which is designed to strictly limit access.
The sandboxing mechanism that will be used for Flash in Firefox is similar to the one that Adobe has already implemented in its Acrobat Reader software. Because the implementation relies on features that are built into Windows Vista and Windows 7, however, the Flash sandboxing will not be supported on Windows XP.
Flash has had sandboxing support in Chrome on Windows Vista and Windows 7 since 2011. Internet Explorer doesn’t quite have full Flash sandboxing yet, but already runs the plugin at a low integrity level. Bringing the sandboxing feature to Firefox is another positive step forward.
In addition to introducing sandboxing, Adobe has also been working on a background update system that will allow the plugin to be updated automatically, without requiring user intervention. Simplifying Flash updates will make it easier for Adobe to protect users from zero-day vulnerabilities.
Adobe first introduced the automatic updater on Windows earlier this year. Now Adobe is bringing it to Apple’s Mac OS X. The updater will use a launch daemon to check for updates every day. When an update is detected, it can automatically install it in the background without disrupting the user’s activities.
Alongside the addition of the background updater, Adobe has also taken the opportunity to add application signing, which allows the Flash plugin to run on systems where Gatekeeper is configured to block unsigned software.
The Flash plugin is supported in a restricted capacity in Windows 8, not available on iOS, being discontinued on Android, and soon to be phased out on the Linux desktop. It’s no longer a viable solution for developers who want to reach every screen. Although Flash is gradually heading towards obsolescence, Flash content will continue to be supported in some capacity while standards-based alternatives are maturing and gaining acceptance. As such, enhancements that help to reduce the security risks posed by the plugin are welcome developments.
