Vulnerabilities / Threats
12/1/2010
07:25 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Google Chrome Puts Flash In Security Sandbox

By mitigating Flash's liabilities, Google stands to gain from Flash's benefits.

Google and Adobe on Wednesday announced the addition of a new security sandbox for Adobe Flash Player that will allow the software to operate with less risk in Google's Chrome Web browser. Sandboxes for computer code prevent applications, and those who exploit them, from accessing protected computing resources, thereby mitigating many attacks.

Adobe redoubled its security efforts last year as it became apparent just how many holes there were in its popular Acrobat, Reader, and Flash applications. In March, security vendor F-Secure said Reader was the application most frequently targeted by malware in 2009. Flash's reputation has suffered too, thanks in part to Apple CEO Steve Jobs's condemnation of the technology earlier this year.

Adobe has been working to address security concerns and finally has something to show for its efforts. Last month, the company released Reader X for Windows with sandboxing technology.

Now, Google's Chrome has an Adobe sandbox, at least the versions available through the developer and canary channels. Wider release through the beta and stable channels can be expected shortly.

"This initial Flash Player sandbox is an important milestone in making Chrome even safer," said Google engineers Justin Schuh and Carlos Pizano in a blog post. "In particular, users of Windows XP will see a major security benefit, as Chrome is currently the only browser on the XP platform that runs Flash Player in a sandbox."

Schuh and Pizano say that in time Google intends to provide Flash sandboxing in Chrome for all supported operating systems.

The timing is good not only for Adobe, which needs to undo its reputation for vulnerable software, but for Google too, which is about to launch its Chrome Web Store. The fact that Chrome is the safest way to run Flash on Windows XP at the moment might just prompt a few more Internet Explorer 6 users to defect to Chrome.

That migration appears to be well underway. Last month, according to Net Applications, Google Chrome 7.0 gained 5.64% global usage share, the second highest monthly surge recorded by the company. The overall global usage share of all versions of Chrome reached 9.27% in November. That month, Microsoft Internet Explorer saw its overall global usage share for all versions slip to 58.41%, from 59.18% in October.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2227
Published: 2014-07-25
The default Flash cross-domain policy (crossdomain.xml) in Ubiquiti Networks UniFi Video (formerly AirVision aka AirVision Controller) before 3.0.1 does not restrict access to the application, which allows remote attackers to bypass the Same Origin Policy via a crafted SWF file.

CVE-2014-5027
Published: 2014-07-25
Cross-site scripting (XSS) vulnerability in Review Board 1.7.x before 1.7.27 and 2.0.x before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via a query parameter to a diff fragment page.

CVE-2014-5100
Published: 2014-07-25
Multiple cross-site request forgery (CSRF) vulnerabilities in Omeka before 2.2.1 allow remote attackers to hijack the authentication of administrators for requests that (1) add a new super user account via a request to admin/users/add, (2) insert cross-site scripting (XSS) sequences via the api_key_...

CVE-2014-5101
Published: 2014-07-25
Multiple cross-site scripting (XSS) vulnerabilities in WeBid 1.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) TPL_name, (2) TPL_nick, (3) TPL_email, (4) TPL_year, (5) TPL_address, (6) TPL_city, (7) TPL_prov, (8) TPL_zip, (9) TPL_phone, (10) TPL_pp_email, (11) TPL_authn...

CVE-2014-5102
Published: 2014-07-25
SQL injection vulnerability in vBulletin 5.0.4 through 5.1.3 Alpha 5 allows remote attackers to execute arbitrary SQL commands via the criteria[startswith] parameter to ajax/render/memberlist_items.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.