Apple Safari Catches Up with Rivals on Flash Security
While not a security cure-all, Apple's decision to finally place the Adobe Flash Player within its own sandbox in Safari will make one of hackers' favorite targets harder to exploit, experts say.
Fri, October 25, 2013
CSO — While not a security cure-all, Apple's decision to finally place the Adobe Flash Player within its own sandbox in Safari will make one of hackers' favorite targets harder to exploit, experts say.
Adobe said Wednesday that starting with Apple's latest version of Mac OS X, Mavericks, Safari will leverage the same protective technique that has been used for sometime in other major Web browsers, including Google Chrome, Microsoft Internet Explorer, and Mozilla Firefox.
"I think this is long overdue," Bogdan Botezatu, security researcher for Bitdefender, said. "Most security issues on OS X are caused by third-party code such as Java or Flash Player."
Sandboxing refers to placing an application in a container that prevents the software from accessing computer resources or services that are not essential to its operation. The technique improves security by limiting hackers' options, if they are able to penetrate the container and compromise the application.
Of course, depending on the app, the available resources could still provide an avenue for taking control of a computer.
"While sandboxes are a powerful and appropriate security concept, they are not infallible and have been repeatedly bypassed in various implementations across platforms and vendors," Justin Clarke, security researcher at Cylance, said.
Nevertheless, sandboxing makes a successful attack harder, which is why it has been used to isolate the Flash Player, a browser plug-in used to play multimedia and interactive content on Web sites. Flash is a popular Web development platform.
Starting with Safari in Mavericks, the player's ability to read and write files will be limited, Paleus Uhley, platform security strategist for Adobe, said in the company's security blog.
The sandbox will also limit the player's local connections to device resources and inter-process communication (IPC) channels, which are used for message passing, synchronization, shared memory and remote procedure calls.
In addition, limits will be placed on the player's networking privileges, Uhley said.
Why Apple waited so long to secure Flash is unclear. However, Apple has not been a fan of the technology for sometime.
In 2010, then-Chief Executive Steve Jobs defended his decision not to support the technology in the iPhone, iPod and iPad, saying the technology had a poor security record, was unreliable and did not perform well on mobile devices.
Apple's decision not to support Flash contributed to Adobe dropping Flash development for mobile devices a year later. Instead, the company shifted focus to HTML5, a web standard from the World Wide Web Consortium that provides similar capabilities.