Adobe confirms Flash Player is sandboxed in Safari for OS X Mavericks
After years of fighting malware and exploits facilitated through Adobe's Flash Player, the company is taking advantage of Apple's new App Sandbox feature to restrict malicious code from running outside of Safari in OS X Mavericks.
As outlined in a post to Adobe Secure Software Engineering Team (ASSET) blog, the App Sandbox feature in Mavericks lets Adobe limit the plugin's capabilities to read and write files, as well as what assets Flash Player can access.
Adobe platform security specialist Peleus Uhley explained that in Mavericks, Flash Player calls on a plugin file -- specifically com.macromedia.Flash Player.plugin.sb -- used to define security permissions defined by an OS X App Sandbox. The player's capabilities are then restricted to only those operations that are required to operate normally.
In addition, Flash Player can no longer access local connections to device resources and inter-process communications (IPC) channels. Network privileges are also limited to within OS X App Sandbox parameters, preventing Flash-based malware from communicating with outside servers.
Uhley noted that the company has effectively deployed some method of sandboxing with Google's Chrome, Microsoft's Explorer and Mozilla's Firefox browsers. Apple will now be added to that list as long as users are running Safari in Mavericks.
"Safari users on OS X Mavericks can view Flash Player content while benefiting from these added security protections," Uhley said. "We'd like to thank the Apple security team for working with us to deliver this solution."
As outlined in a post to Adobe Secure Software Engineering Team (ASSET) blog, the App Sandbox feature in Mavericks lets Adobe limit the plugin's capabilities to read and write files, as well as what assets Flash Player can access.
Adobe platform security specialist Peleus Uhley explained that in Mavericks, Flash Player calls on a plugin file -- specifically com.macromedia.Flash Player.plugin.sb -- used to define security permissions defined by an OS X App Sandbox. The player's capabilities are then restricted to only those operations that are required to operate normally.
In addition, Flash Player can no longer access local connections to device resources and inter-process communications (IPC) channels. Network privileges are also limited to within OS X App Sandbox parameters, preventing Flash-based malware from communicating with outside servers.
Uhley noted that the company has effectively deployed some method of sandboxing with Google's Chrome, Microsoft's Explorer and Mozilla's Firefox browsers. Apple will now be added to that list as long as users are running Safari in Mavericks.
"Safari users on OS X Mavericks can view Flash Player content while benefiting from these added security protections," Uhley said. "We'd like to thank the Apple security team for working with us to deliver this solution."
Comments
What if your ordinary (non web facing) app has a bug and accidentally deletes the user's home folder? Your company could be sued by that user and/or get lots of bad press, but App Sandbox would have stopped it from doing it.
I don't know why more companies aren't happy about App Sandbox. Not only does it stop web facing software possibly being exploited, but can also save a company from ruining their reputation or facing legal action.
What if your ordinary (non web facing) app has a bug and accidentally deletes the user's home folder? Your company could be sued by that user and/or get lots of bad press, but App Sandbox would have stopped it from doing it.
I Accept the Terms and Conditions covers all that sh!t
Does this mean Java is next ?! Oh goody if so !?
I really dig this setup -- Apple the 64-bit Superman or Ninja Warrior
fending off all attacks, alongside the 8-bit Nintendo or Atari
cartoonish pencil-neck geek wimps bowing to the superior force.
Oh, no! Apple is now closing Flash as well! Damn this closed environment! \s
I Accept the Terms and Conditions covers all that sh!t
Not necessarily. At least where I reside, a modern, western democracy, accepting terms and conditions may be considered as entering into a contract with a vendor. In this place, contract law is based on a principle of 'fairness to both (all) parties'. If terms and conditions can be shown to be basically unfair, they can be beaten. Of course, access to the law and the opportunity to make one's case isn't guaranteed, especially for those who are most susceptible to accepting unreasonable terms.
How do you know it's still a hog if you don't generally run it?
It's pretty well known, but now you can see for real in Mavericks my looking at the energy consumption tab on Activity Monitor.
Welcome to the forum .
I can't spek for the OP you replied to but It's pretty easy to do a quick and dirty experiment*, if you turn off click to Flash on a Flash heavy web page the Mac starts to heat up in seconds and the fan comes on and if it's a MBP on your lap it gets pretty darned hot, fast. Personally I like the Sandbox approach and Click to Flash so that even when i allow a Flash by choice (thanks to CtF) I know it's safe. I just have to allow the connection to Adobe via Little Snitch. :smokey:
* and of course you can use the Activity Monitor as Zoolook pointed out while I typed.
I really couldn’t care less about Flash on my Macs & have "Click To Flash" on each of them. Flash is still a resource hog.
Great, I hope now it will play nice with the new Maverick App Nap feature and stop sucking the battery so much.
Will this have any impact on the functionality of Adobe's "stand-alone" Flash Player application, used for the local testing of .swf content?
I'm guessing if you are testing the swf locally in Safari, it will still be sandboxed because it is the Flash plugin that is interacting with Mavericks security features. I'm wondering if Flash Player can still access the web cam and microphone. Probably. I think the sandbox mostly protects the file system and the network. Anyway Flash is mostly unnecessary for normal websites although I still need it for a few things. I have been using a lot of stand alone Flash executables lately though for full screen presentations. Nothing else does that as far as I know except Keynote but Keynote doesn't have any where near the feature set that Flash has. Flash is a very cool program, it just got abused on the web.
No.
I've resolved the Flash problem by uninstalling it altogether. So Flash never consumes resources or slows down my computer. :-)
If I do need to view a YouTube video (i.e. the older ones that doesn't yet support HTML5), then I switch to Google Chrome just for that page. Once done, I quit Chrome and go back to Safari.
When an update to Flash is pushed out by Adobe, all Flash content is blocked to your computer until you update.
That’s great for two reasons. First, it’s safe. Second, it will infuriate users enough to just get the HECK rid of Flash entirely.
How do you know poop tastes terrible if you don’t eat it?
1. ARE there any videos that the QuickTime window and HTML5 can’t cover?
2. You’re giving Chrome business!
3. I use Click2Flash as well, but I have Flash installed to force the QuickTime window instead of YouTube’s own HTML5 one. Has C2F been updated now that if I don’t have Flash at all I can always see the QuickTime window? I have absolutely no interest in using Google’s useless piece of trash “player”.