Adobe confirms Flash Player is sandboxed in Safari for OS X Mavericks

post #1 of 39
Thread Starter 
After years of fighting malware and exploits facilitated through Adobe's Flash Player, the company is taking advantage of Apple's new App Sandbox feature to restrict malicious code from running outside of Safari in OS X Mavericks.

As outlined in a post to the Adobe Secure Software Engineering Team (ASSET) blog, the App Sandbox feature in Mavericks lets Adobe limit the plugin's ability to read and write files, as well as what assets Flash Player can access.

Adobe platform security specialist Peleus Uhley explained that in Mavericks, Flash Player calls on a plugin file -- specifically com.macromedia.Flash Player.plugin.sb -- that defines the security permissions for an OS X App Sandbox. The player's capabilities are then restricted to only those operations that are required for it to operate normally.

In addition, Flash Player can no longer access local connections to device resources and inter-process communications (IPC) channels. Network privileges are also limited to within OS X App Sandbox parameters, preventing Flash-based malware from communicating with outside servers.

Uhley noted that the company has effectively deployed some method of sandboxing with Google's Chrome, Microsoft's Explorer and Mozilla's Firefox browsers. Apple will now be added to that list as long as users are running Safari in Mavericks.

"Safari users on OS X Mavericks can view Flash Player content while benefiting from these added security protections," Uhley said. "We'd like to thank the Apple security team for working with us to deliver this solution."
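The article says the .sb profile names the permissions the plugin keeps, but does not reproduce it. As an added illustration (written for this thread; it is neither Adobe's profile nor Apple's code), here is what a profile in Apple's sandbox profile language, the format of .sb files, looks like when it expresses the three kinds of restriction described: read-only system files plus one writable directory, almost no IPC, and outbound-only network. Every path, service name and port below is an assumption.

```scheme
;; Illustrative App Sandbox profile (SBPL). Constructed for this thread;
;; NOT Adobe's com.macromedia.Flash Player.plugin.sb. Paths, Mach service
;; names and ports are assumptions chosen to show the three restriction
;; classes the article describes: files, IPC, network.
(version 1)

;; Default-deny: any operation not explicitly allowed below is refused
;; and reported as a sandbox violation.
(deny default)

;; Files: the shared libraries and frameworks a plugin needs are
;; readable but never writable.
(allow file-read*
    (subpath "/System/Library")
    (subpath "/usr/lib")
    (literal "/dev/null"))

;; The only writable location is the plugin's own cache directory
;; (assumed name). HOME is supplied at load time, see the note below.
(allow file-read* file-write*
    (subpath (string-append (param "HOME")
                            "/Library/Caches/com.example.plugin")))

;; IPC: Mach service lookups are limited to a single assumed service,
;; so the process cannot reach arbitrary system daemons or other apps.
(allow mach-lookup
    (global-name "com.apple.system.logger"))

;; Network: outbound HTTP/HTTPS only. Listening sockets and binding to
;; local ports stay denied, which also blocks local device channels.
(allow network-outbound
    (remote tcp "*:80")
    (remote tcp "*:443"))
(deny network-inbound)
(deny network-bind)
```

A profile like this can be tried against any command with `sandbox-exec -f profile.sb -D HOME="$HOME" /path/to/command`; denied operations then appear as sandbox violations in the system log.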
post #2 of 39
Great !!
post #3 of 39
I don't know why more companies aren't happy about App Sandbox. Not only does it stop web facing software possibly being exploited, but can also save a company from ruining their reputation or facing legal action.

What if your ordinary (non web facing) app has a bug and accidentally deletes the user's home folder? Your company could be sued by that user and/or get lots of bad press, but App Sandbox would have stopped it from doing it.
post #4 of 39
Quote:
Originally Posted by ascii View Post

I don't know why more companies aren't happy about App Sandbox. Not only does it stop web facing software possibly being exploited, but can also save a company from ruining their reputation or facing legal action.

What if your ordinary (non web facing) app has a bug and accidentally deletes the user's home folder? Your company could be sued by that user and/or get lots of bad press, but App Sandbox would have stopped it from doing it.

I Accept the Terms and Conditions covers all that sh!t

post #5 of 39

Does this mean Java is next?! Oh goody if so!?

post #6 of 39

I really dig this setup -- Apple the 64-bit Superman or Ninja Warrior fending off all attacks, alongside the 8-bit Nintendo or Atari cartoonish pencil-neck geek wimps bowing to the superior force.

post #7 of 39

Oh, no! Apple is now closing Flash as well! Damn this closed environment!   \s

post #8 of 39
I could really care less about Flash on my Macs & have "Click To Flash" on each of them. Flash is still a resource hog.
post #9 of 39
How do you know it's still a hog if you don't generally run it?
post #10 of 39
Quote:
Originally Posted by Chandra69 View Post

I Accept the Terms and Conditions covers all that sh!t

Not necessarily. At least where I reside, a modern, western democracy, accepting terms and conditions may be considered as entering into a contract with a vendor. In this place, contract law is based on a principle of 'fairness to both (all) parties'. If terms and conditions can be shown to be basically unfair, they can be beaten. Of course, access to the law and the opportunity to make one's case isn't guaranteed, especially for those who are most susceptible to accepting unreasonable terms. :)

Where are we on the curve? We'll know once it goes asymptotic!
post #11 of 39
Quote:
Originally Posted by soapyfrog View Post

How do you know it's still a hog if you don't generally run it?

 

It's pretty well known, but now you can see for real in Mavericks by looking at the energy consumption tab in Activity Monitor.

Do not overrate what you have received, nor envy others.
15" Matte MacBook Pro: 2.66Ghz i7, 8GB RAM, GT330m 512MB, 512GB SSD

iPhone 5 Black 32GB

iPad 3rd Generation, 32GB

Mac Mini Core2Duo 2.26ghz,...

post #12 of 39
Quote:
Originally Posted by soapyfrog View Post

How do you know it's still a hog if you don't generally run it?

Welcome to the forum.

I can't speak for the OP you replied to, but it's pretty easy to do a quick and dirty experiment*: if you turn off Click to Flash on a Flash-heavy web page the Mac starts to heat up in seconds and the fan comes on, and if it's a MBP on your lap it gets pretty darned hot, fast. Personally I like the Sandbox approach and Click to Flash, so that even when I allow a Flash by choice (thanks to CtF) I know it's safe. I just have to allow the connection to Adobe via Little Snitch.

* and of course you can use the Activity Monitor as Zoolook pointed out while I typed.
Been using Apple since Apple ][ - Long on AAPL so biased
nMac Pro 6 Core, MacBookPro i7, MacBookPro i5, iPhones 5 and 5s, iPad Air, 2013 Mac mini, SE30, IIFx, Towers; G4 & G3.
post #13 of 39
Will this have any impact on the functionality of Adobe's "stand-alone" Flash Player application, used for the local testing of .swf content?
post #14 of 39
Quote:
Originally Posted by Lord Amhran View Post

I really couldn’t care less about Flash on my Macs & have "Click To Flash" on each of them. Flash is still a resource hog.
post #15 of 39

Great, I hope now it will play nice with the new Mavericks App Nap feature and stop sucking the battery so much.

post #16 of 39
Quote:
Originally Posted by aenghus View Post

Will this have any impact on the functionality of Adobe's "stand-alone" Flash Player application, used for the local testing of .swf content?

I'm guessing if you are testing the swf locally in Safari, it will still be sandboxed because it is the Flash plugin that is interacting with Mavericks security features. I'm wondering if Flash Player can still access the web cam and microphone. Probably. I think the sandbox mostly protects the file system and the network. Anyway Flash is mostly unnecessary for normal websites although I still need it for a few things. I have been using a lot of stand-alone Flash executables lately though for full screen presentations. Nothing else does that as far as I know except Keynote, but Keynote doesn't have anywhere near the feature set that Flash has. Flash is a very cool program, it just got abused on the web.

Life is too short to drink bad coffee.

post #17 of 39
Quote:
Originally Posted by aenghus View Post

Will this have any impact on the functionality of Adobe's "stand-alone" Flash Player application, used for the local testing of .swf content?

No.
Been using Apple since Apple ][ - Long on AAPL so biased
nMac Pro 6 Core, MacBookPro i7, MacBookPro i5, iPhones 5 and 5s, iPad Air, 2013 Mac mini, SE30, IIFx, Towers; G4 & G3.
post #18 of 39

I've resolved the Flash problem by uninstalling it altogether. So Flash never consumes resources or slows down my computer. :-)

If I do need to view a YouTube video (i.e. the older ones that don't yet support HTML5), then I switch to Google Chrome just for that page. Once done, I quit Chrome and go back to Safari.

post #19 of 39
Wow that took a long time...
post #20 of 39

When an update to Flash is pushed out by Adobe, all Flash content is blocked on your computer until you update.

That’s great for two reasons. First, it’s safe. Second, it will infuriate users enough to just get the HECK rid of Flash entirely.

Quote:
Originally Posted by soapyfrog View Post

How do you know it's still a hog if you don't generally run it?

How do you know poop tastes terrible if you don’t eat it?

Quote:
Originally Posted by _Rick_V_ View Post

If I do need to view a YouTube video (i.e. the older ones that doesn't yet support HTML5), then I switch to Google Chrome just for that page. Once done, I quit Chrome and go back to Safari.

1. ARE there any videos that the QuickTime window and HTML5 can’t cover?

2. You’re giving Chrome business!

3. I use Click2Flash as well, but I have Flash installed to force the QuickTime window instead of YouTube’s own HTML5 one. Has C2F been updated now that if I don’t have Flash at all I can always see the QuickTime window? I have absolutely no interest in using Google’s useless piece of trash “player”.

Originally Posted by Slurpy

There's just a TINY chance that Apple will also be able to figure out payments. Oh wait, they did already… …and you’re already f*ed.
post #21 of 39
Flash? What's that? ;)
post #22 of 39
Quote:
Originally Posted by digitalclips View Post

Welcome to the forum.

I can't speak for the OP you replied to, but it's pretty easy to do a quick and dirty experiment*: if you turn off Click to Flash on a Flash-heavy web page the Mac starts to heat up in seconds and the fan comes on, and if it's a MBP on your lap it gets pretty darned hot, fast. Personally I like the Sandbox approach and Click to Flash, so that even when I allow a Flash by choice (thanks to CtF) I know it's safe. I just have to allow the connection to Adobe via Little Snitch.

* and of course you can use the Activity Monitor as Zoolook pointed out while I typed.

Interesting choice of experiments - Method 1: open Activity Monitor; Method 2: measure time taken to toast one's meatballs. Hmm...

post #23 of 39
Quote:
Originally Posted by IQatEdo View Post

Not necessarily. At least where I reside, a modern, western democracy, accepting terms and conditions may be considered as entering into a contract with a vendor. In this place, contract law is based on a principle of 'fairness to both (all) parties'. If terms and conditions can be shown to be basically unfair, they can be beaten. Of course, access to the law and the opportunity to make one's case isn't guaranteed, especially for those who are most susceptible to accepting unreasonable terms. :)

one word for you... (or a few) you need to get yourself indemnified... or not doing anything is the safest route...

or perhaps you are confusing the 10 day grace period that allows you to cancel a contract in Canada...
post #24 of 39
Quote:
Originally Posted by Tallest Skil View Post

1. ARE there any videos that the QuickTime window and HTML5 can’t cover?

Millions of FLV videos

Life is too short to drink bad coffee.

post #25 of 39
Quote:
Originally Posted by poksi View Post

Oh, no! Apple is now closing Flash as well! Damn this closed environment!   \s

Both Chrome and Firefox were already sandboxing Flash. Apple's Safari, at least in Mavericks, is now just doing the same thing. It's not more closed because of it.

EDIT: Missed your sarcasm tag in the first read.
melior diabolus quem scies
post #26 of 39
I don't use Safari because of how limited it is, but I'm glad they've finally caught up with everyone else.
post #27 of 39
Quote:
Originally Posted by mstone View Post

Millions of FLV videos

Perian is your friend, makes FLV playable with Quicktime.

post #28 of 39

I uninstalled Flash when I moved to my new Air this July. I used Chrome in a push.

Citing unnamed sources with limited but direct knowledge of the rumoured device - Comedy Insider (Feb 2014)
post #29 of 39
Quote:
Originally Posted by BigMac2 View Post

Perian is your friend, makes FLV playable with Quicktime.

Perian doesn’t work in Mavericks, nor will it ever. VLC plays FLV.

Originally Posted by Slurpy

There's just a TINY chance that Apple will also be able to figure out payments. Oh wait, they did already… …and you’re already f*ed.
post #30 of 39
Quote:
Originally Posted by Tallest Skil View Post

Perian doesn’t work in Mavericks, nor will it ever. VLC plays FLV.

Damn it… I'm still nostalgic of ResEdit, makes me a dinosaur some time.

post #31 of 39
I have just purchased my first iMac and have been trying to understand how to install Flash. Is Sandbox an add in once Flash has been installed, or is it automatically installed if I download Flash?
post #32 of 39
Quote:
Originally Posted by Dachar View Post

I have just purchased my first iMac and have been trying to understand how to install Flash. Is Sandbox an add in once Flash has been installed, or is it automatically installed if I download Flash?

 

The sandbox is an OS service and apps need to be written to explicitly use it, but Apple made it mandatory for apps going through the App Stores. You only need to keep your Flash up to date and it should use it. Sandboxed or not, this should have zero impact for users; you don't have to worry much about those things.

post #33 of 39
Quote:
Originally Posted by haar View Post


one word for you... 

or perhaps you are confusing the 10 day grace period that allows you to cancel a contract in Canada...

No confusion.

Where are we on the curve? We'll know once it goes asymptotic!
post #34 of 39
Thanks, Apple Security, for helping Adobe fix their problems on other systems and browsers. One less feature Apple will have over the other crap software. It's what made a Mac better for sure.
post #35 of 39
Quote:
Originally Posted by Tallest Skil View Post

1. ARE there any videos that the QuickTime window and HTML5 can’t cover?

2. You’re giving Chrome business!

3. I use Click2Flash as well, but I have Flash installed to force the QuickTime window instead of YouTube’s own HTML5 one. Has C2F been updated now that if I don’t have Flash at all I can always see the QuickTime window? I have absolutely no interest in using Google’s useless piece of trash “player”.

1. Ummm... yes, millions (as mstone also pointed out). For about a decade, Flash was the de facto standard, and many vids will never be upgraded. Even YouTube has tons of videos that will not work in HTML5.

2. Not really, if you knew how little I have to resort to using Chrome. :-) Essentially, I use Google Chrome for surfing Google properties, period.

3. The problem with Click to Flash is that it advertises that Flash is installed. And I don't want sites counting my browser among the Flash-enabled masses in my normal daily surfing.

Even AppleInsider here prompts me to install Flash every day, meaning that some ad on this site wants to use Flash to display and [potentially] track me with their LSO cookie.

post #36 of 39
Quote:
Originally Posted by _Rick_V_ View Post

3. The problem with Click to Flash is that it advertises that Flash is installed. And I don't want sites counting my browser among the flash-enabled masses in my normal daily surfing.

Wait, that’s the thing; it doesn’t. If you have Flash installed, C2F pulls up the inline QuickTime player on YouTube, et al. If you don’t, it reverts to YouTube’s non-Flash player, which is the worst playback utility I’ve ever seen.

Has that changed in recent versions of C2F? Since you don’t have Flash, have you been seeing the QuickTime player or YouTube’s player?

Originally Posted by Slurpy

There's just a TINY chance that Apple will also be able to figure out payments. Oh wait, they did already… …and you’re already f*ed.
post #37 of 39
This is a good first step but I wish that all browsers would take sandboxing of Flash (and other plugins, especially Java) to a higher level, in particular, limiting the amount of CPU they can consume, like putting a governor on an engine.

Flash apps are terrible for the degree of CPU they will run up. A Flash app can bring my top of the line desktop to a crawl. Then for laptops it adds the fact that that will run your battery down more quickly too. My laptop usually gets about 4 hours on a charge but if I'm running a Flash game I like to play, I'm lucky to get 90 minutes.

So it would be great if there was a configuration value you could set that say limits to Flash app to no more than X percent of your CPU. In fact it would be great if that were a general option in the Activity Monitor for OSX, that you can set a max CPU utilization parameter for any app.
post #39 of 39
Quote:
Originally Posted by _Rick_V_ View Post

1. Ummm... yes, millions (as mstone also pointed out). For about a decade, Flash was the defacto standard, and many vids will never be upgraded. Even YouTube has tons of videos that will not work in HTML5.

Most Flash video out there is a plain h.264 video file encapsulated in a Flash video player; C2F allows many of those Flash-embedded h.264 streams to be played directly through HTML5 and QuickTime, and even gives us the option to download the original h.264 stream. Almost every YouTube video works through C2F. It's worth remembering that your Android devices access the whole YouTube content through native h.264 streams.

Quote:

2. Not really, if you knew how little I have to resort to using Chrome. :-) Essentially, I use Google Chrome for surfing Google properties, period.

Chrome has its own Flash player embedded; Google's ad tracking network depends on Flash cookies being undeletable and untracked by most browser cache and cookie cleaners. Google only protects its interests here.

Quote:

3. The problem with Click to Flash is that it advertises that Flash is installed. And I don't want sites counting my browser among the flash-enabled masses in my normal daily surfing.

Even AppleInsider here prompts me to install Flash every day, meaning that some ad on this site wants to use Flash to display and [potentially] track me with their LSO cookie.

I mostly prefer using the fake Flash of C2F to resorting to Chrome with Flash embedded, and if you don't like being tracked, you should avoid Chrome at all costs.


Edited by BigMac2 - 10/30/13 at 12:00pm