Adobe confirms Flash Player is sandboxed in Safari for OS X Mavericks

Posted:
in macOS edited January 2014
After years of fighting malware and exploits facilitated through Adobe's Flash Player, the company is taking advantage of Apple's new App Sandbox feature to restrict malicious code from running outside of Safari in OS X Mavericks.

Flash


As outlined in a post to Adobe Secure Software Engineering Team (ASSET) blog, the App Sandbox feature in Mavericks lets Adobe limit the plugin's capabilities to read and write files, as well as what assets Flash Player can access.

Adobe platform security specialist Peleus Uhley explained that in Mavericks, Flash Player calls on a plugin file -- specifically com.macromedia.Flash Player.plugin.sb -- used to define security permissions defined by an OS X App Sandbox. The player's capabilities are then restricted to only those operations that are required to operate normally.

In addition, Flash Player can no longer access local connections to device resources and inter-process communications (IPC) channels. Network privileges are also limited to within OS X App Sandbox parameters, preventing Flash-based malware from communicating with outside servers.

Uhley noted that the company has effectively deployed some method of sandboxing with Google's Chrome, Microsoft's Explorer and Mozilla's Firefox browsers. Apple will now be added to that list as long as users are running Safari in Mavericks.

"Safari users on OS X Mavericks can view Flash Player content while benefiting from these added security protections," Uhley said. "We'd like to thank the Apple security team for working with us to deliver this solution."
«1

Comments

  • Reply 1 of 38
    Great !!
  • Reply 2 of 38
    asciiascii Posts: 5,941member
    I don't know why more companies aren't happy about App Sandbox. Not only does it stop web facing software possibly being exploited, but can also save a company from ruining their reputation or facing legal action.

    What if your ordinary (non web facing) app has a bug and accidentally deletes the user's home folder? Your company could be sued by that user and/or get lots of bad press, but App Sandbox would have stopped it from doing it.
  • Reply 3 of 38
    Quote:

    Originally Posted by ascii View Post



    I don't know why more companies aren't happy about App Sandbox. Not only does it stop web facing software possibly being exploited, but can also save a company from ruining their reputation or facing legal action.



    What if your ordinary (non web facing) app has a bug and accidentally deletes the user's home folder? Your company could be sued by that user and/or get lots of bad press, but App Sandbox would have stopped it from doing it.

    I Accept the Terms and Conditions covers all that sh!t

  • Reply 4 of 38

    Does this mean Java is next ?!    Oh goody if so !?

  • Reply 5 of 38

    I really dig this setup -- Apple the 64-bit Superman or Ninja Warrior

    fending off all attacks, alongside the 8-bit Nintendo or Atari

    cartoonish pencil-neck geek wimps bowing to the superior force.

  • Reply 6 of 38
    poksipoksi Posts: 481member

    Oh, no! Apple is now closing Flash as well! Damn this closed environment!   \s

  • Reply 7 of 38
    I could really care less about Flash on my Macs & have "Click To Flash" on each of them. Flash is still a resource hog.
  • Reply 8 of 38
    How do you know it's still a hog if you don't generally run it?
  • Reply 9 of 38
    iqatedoiqatedo Posts: 1,595member
    Quote:
    Originally Posted by Chandra69 View Post

     

    I Accept the Terms and Conditions covers all that sh!t


    Not necessarily. At least where I reside, a modern, western democracy, accepting terms and conditions may be considered as entering into a contract with a vendor. In this place, contract law is based on a principle of 'fairness to both (all) parties'. If terms and conditions can be shown to be basically unfair, they can be beaten. Of course, access to the law and the opportunity to make one's case isn't guaranteed, especially for those who are most susceptible to accepting unreasonable terms. :)

  • Reply 10 of 38
    zoolookzoolook Posts: 657member
    Quote:

    Originally Posted by soapyfrog View Post



    How do you know it's still a hog if you don't generally run it?

     

    It's pretty well known, but now you can see for real in Mavericks my looking at the energy consumption tab on Activity Monitor.

  • Reply 11 of 38
    MacProMacPro Posts: 18,166member
    soapyfrog wrote: »
    How do you know it's still a hog if you don't generally run it?

    Welcome to the forum .

    I can't spek for the OP you replied to but It's pretty easy to do a quick and dirty experiment*, if you turn off click to Flash on a Flash heavy web page the Mac starts to heat up in seconds and the fan comes on and if it's a MBP on your lap it gets pretty darned hot, fast. Personally I like the Sandbox approach and Click to Flash so that even when i allow a Flash by choice (thanks to CtF) I know it's safe. I just have to allow the connection to Adobe via Little Snitch. :smokey:

    * and of course you can use the Activity Monitor as Zoolook pointed out while I typed. :D
  • Reply 12 of 38
    Will this have any impact on the functionality of Adobe's "stand-alone" Flash Player application, used for the local testing of .swf content?
  • Reply 13 of 38
    Quote:

    Originally Posted by Lord Amhran View Post



    I really couldn’t care less about Flash on my Macs & have "Click To Flash" on each of them. Flash is still a resource hog.

  • Reply 14 of 38
    bigmac2bigmac2 Posts: 637member

    Great, I hope now it will play nice with the new Maverick App Nap feature and stop sucking the battery so much. 

  • Reply 15 of 38
    mstonemstone Posts: 11,510member
    Quote:
    Originally Posted by aenghus View Post



    Will this have any impact on the functionality of Adobe's "stand-alone" Flash Player application, used for the local testing of .swf content?

    I'm guessing if you are testing the swf locally in Safari, it will still be sandboxed because it is the Flash plugin that is interacting with Mavericks security features. I'm wondering if Flash Player can still access the web cam and microphone. Probably. I think the sandbox mostly protects the file system and the network. Anyway Flash is mostly unnecessary for normal websites although I still need it for a few things. I have been using a lot of stand alone Flash executables lately though for full screen presentations. Nothing else does that as far as I know except Keynote but Keynote doesn't have any where near the feature set that Flash has. Flash is a very cool program, it just got abused on the web.

  • Reply 16 of 38
    MacProMacPro Posts: 18,166member
    aenghus wrote: »
    Will this have any impact on the functionality of Adobe's "stand-alone" Flash Player application, used for the local testing of .swf content?

    No.
  • Reply 17 of 38

    I've resolved the Flash problem by uninstalling it altogether.  So Flash never consumes resources or slows down my computer.  :-)

     

    If I do need to view a YouTube video (i.e. the older ones that doesn't yet support HTML5), then I switch to Google Chrome just for that page. Once done, I quit Chrome and go back to Safari.

  • Reply 18 of 38
    Wow that took a long time...
  • Reply 19 of 38

    When an update to Flash is pushed out by Adobe, all Flash content is blocked to your computer until you update.

     

    That’s great for two reasons. First, it’s safe. Second, it will infuriate users enough to just get the HECK rid of Flash entirely.

     

    Originally Posted by soapyfrog View Post

    How do you know it's still a hog if you don't generally run it?

     

    How do you know poop tastes terrible if you don’t eat it?

     

    Originally Posted by _Rick_V_ View Post

    If I do need to view a YouTube video (i.e. the older ones that doesn't yet support HTML5), then I switch to Google Chrome just for that page. Once done, I quit Chrome and go back to Safari.

     

    1. ARE there any videos that the QuickTime window and HTML5 can’t cover?

    2. You’re giving Chrome business!

    3. I use Click2Flash as well, but I have Flash installed to force the QuickTime window instead of YouTube’s own HTML5 one. Has C2F been updated now that if I don’t have Flash at all I can always see the QuickTime window? I have absolutely no interest in using Google’s useless piece of trash “player”.

  • Reply 20 of 38
    Flash? What's that? ;)
Sign In or Register to comment.