Apple Safari catches up with rivals on Flash security

While not a security cure-all, Apple's decision to finally place the Adobe Flash Player within its own sandbox in Safari will make one of hackers' favorite targets harder to exploit, experts say.

[Apple iCloud keychain in OS X Mavericks gets mixed reviews]

Adobe said Wednesday that starting with Apple's latest version of Mac OS X, Mavericks, Safari will leverage the same protective technique that has been used for sometime in other major Web browsers, including Google Chrome, Microsoft Internet Explorer, and Mozilla Firefox.

"I think this is long overdue," Bogdan Botezatu, security researcher for Bitdefender, said. "Most security issues on OS X are caused by third-party code such as Java or Flash Player."

Sandboxing refers to placing an application in a container that prevents the software from accessing computer resources or services that are not essential to its operation. The technique improves security by limiting hackers' options, if they are able to penetrate the container and compromise the application.

Of course, depending on the app, the available resources could still provide an avenue for taking control of a computer.

"While sandboxes are a powerful and appropriate security concept, they are not infallible and have been repeatedly bypassed in various implementations across platforms and vendors," Justin Clarke, security researcher at Cylance, said.

Nevertheless, sandboxing makes a successful attack harder, which is why it has been used to isolate the Flash Player, a browser plug-in used to play multimedia and interactive content on Web sites. Flash is a popular Web development platform.

Starting with Safari in Mavericks, the player's ability to read and write files will be limited, Paleus Uhley, platform security strategist for Adobe, said in the company's security blog.

The sandbox will also limit the player's local connections to device resources and inter-process communication (IPC) channels, which are used for message passing, synchronization, shared memory and remote procedure calls.

In addition, limits will be placed on the player's networking privileges, Uhley said.

Why Apple waited so long to secure Flash is unclear. However, Apple has not been a fan of the technology for sometime.

In 2010, then-Chief Executive Steve Jobs defended his decision not to support the technology in the iPhone, iPod and iPad, saying the technology had a poor security record, was unreliable and did not perform well on mobile devices.

[Apple end-to-end encryption far from bulletproof]

Apple's decision not to support Flash contributed to Adobe dropping Flash development for mobile devices a year later. Instead, the company shifted focus to HTML5, a web standard from the World Wide Web Consortium that provides similar capabilities.

On the personal computer, Flash remains an important Web platform, and it is likely Apple could no longer ignore the steady rise in the number of serious vulnerabilities found in the Flash Player.

"What remains to be seen is how strong the sandbox policy for Flash truly is," Max Vohra, security engineer for Security Innovation, said. "Like any mandatory access control framework, it's still possible to allow access to the wrong file or program."

A more secure Flash Player in Safari is not expected to have any impact on corporate use of the browser. Most companies use Internet Explorer, which comes with Microsoft Windows. The latter dominates the business market for operating systems.

"It's an important step, though I dont think it changes the browser landscape all that much, and certainly not for enterprise standards," Randy Heffner, analyst for Forrester Research, said.

This story, "Apple Safari catches up with rivals on Flash security" was originally published by CSO.

To comment on this article and other Network World content, visit our Facebook page or our Twitter stream.
Must read: Hidden Cause of Slow Internet and how to fix it
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.