Vulnerabilities / Threats
12/1/2010
07:25 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Google Chrome Puts Flash In Security Sandbox

By mitigating Flash's liabilities, Google stands to gain from Flash's benefits.

Google and Adobe on Wednesday announced the addition of a new security sandbox for Adobe Flash Player that will allow the software to operate with less risk in Google's Chrome Web browser. Sandboxes for computer code prevent applications, and those who exploit them, from accessing protected computing resources, thereby mitigating many attacks.

Adobe redoubled its security efforts last year as it became apparent just how many holes there were in its popular Acrobat, Reader, and Flash applications. In March, security vendor F-Secure said Reader was the application most frequently targeted by malware in 2009. Flash's reputation has suffered too, thanks in part to Apple CEO Steve Jobs's condemnation of the technology earlier this year.

Adobe has been working to address security concerns and finally has something to show for its efforts. Last month, the company released Reader X for Windows with sandboxing technology.

Now, Google's Chrome has an Adobe sandbox, at least the versions available through the developer and canary channels. Wider release through the beta and stable channels can be expected shortly.

"This initial Flash Player sandbox is an important milestone in making Chrome even safer," said Google engineers Justin Schuh and Carlos Pizano in a blog post. "In particular, users of Windows XP will see a major security benefit, as Chrome is currently the only browser on the XP platform that runs Flash Player in a sandbox."

Schuh and Pizano say that in time Google intends to provide Flash sandboxing in Chrome for all supported operating systems.

The timing is good not only for Adobe, which needs to undo its reputation for vulnerable software, but for Google too, which is about to launch its Chrome Web Store. The fact that Chrome is the safest way to run Flash on Windows XP at the moment might just prompt a few more Internet Explorer 6 users to defect to Chrome.

That migration appears to be well underway. Last month, according to Net Applications, Google Chrome 7.0 gained 5.64% global usage share, the second highest monthly surge recorded by the company. The overall global usage share of all versions of Chrome reached 9.27% in November. That month, Microsoft Internet Explorer saw its overall global usage share for all versions slip to 58.41%, from 59.18% in October.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0103
Published: 2014-07-29
WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files.

CVE-2014-0475
Published: 2014-07-29
Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable.

CVE-2014-0889
Published: 2014-07-29
Multiple cross-site scripting (XSS) vulnerabilities in IBM Atlas Suite (aka Atlas Policy Suite), as used in Atlas eDiscovery Process Management through 6.0.3, Disposal and Governance Management for IT through 6.0.3, and Global Retention Policy and Schedule Management through 6.0.3, allow remote atta...

CVE-2014-2226
Published: 2014-07-29
Ubiquiti UniFi Controller before 3.2.1 logs the administrative password hash in syslog messages, which allows man-in-the-middle attackers to obtains sensitive information via unspecified vectors.

CVE-2014-3020
Published: 2014-07-29
install.sh in the Embedded WebSphere Application Server (eWAS) 7.0 before FP33 in IBM Tivoli Integrated Portal (TIP) 2.1 and 2.2 sets world-writable permissions for the installRoot directory tree, which allows local users to gain privileges via a Trojan horse program.

Best of the Web
Dark Reading Radio