Adobe Sets IE as Next Target in Flash Security Work
Adobe plans to tackle Microsoft's Internet Explorer (IE) in its ongoing work to "sandbox" its popular Flash Player within browsers, Adobe's head of security said today.
Yesterday, Adobe released a beta version of a sandboxed Flash Player plug-in for Mozilla's Firefox on Windows Vista and Windows 7 as a follow-up to a similar initiative in 2010 for Google's Chrome.
Next on the list: IE.
"IE has a big chunk of the user base," said Brad Arkin, senior director of security, products and services, in an interview Tuesday. "We want to do what protects the most users the fastest, so we're looking at how we can tackle sandboxing in IE."
Arkin's right about IE's market share: According to Web metrics company Net Applications, IE accounted for 53% of all browsers used last month worldwide, or more than double Firefox's 21% and almost triple Chrome's 19%.
But Akin declined to set a timetable for putting Flash within a sandbox inside IE.
"The way that Flash integrates with IE is at a very low level," he said, noting that the two programs frequently share the same memory space. IE also uses an entirely different plug-in infrastructure -- Microsoft's own ActiveX technology -- than other browsers.
"This will be a really steep hill to climb," said Arkin of the task of sandboxing the Flash plug-in for IE. "It will be a very different task compared to what we've done on Chrome and Firefox.... The difference is huge. We're still sorting through what is required on IE."
A sandbox isolates processes on the computer, preventing or at least hindering malware from letting hackers exploit an unpatched vulnerability, escalate privileges and push their attack code onto the machine.
Adobe first sandboxed Flash Player for Chrome in late 2010 after working with Google engineers; the Monday release of a sandboxed plug-in for Firefox came after similar cooperation from Mozilla engineers.
Arkin said Mozilla's developers "did a lot of work" to help Adobe during the development of the sandboxed Flash plug-in, including modifying Firefox. Arkin described the work with Mozilla as an "informal cooperation."
A similar process is taking place now with Microsoft. "There have been very active conversations between Adobe and Microsoft on this," said Arkin.
At a high level, constructing a sandboxed Flash plug-in for Firefox was similar to what Adobe had already done for Chrome, and the technology it debuted in Adobe Reader in November 2010.
Specifically, Adobe built a "broker," a low-privilege process that decides which functions Flash can conduct outside the sandbox, and mediates those requests between the plug-in on one hand, and Firefox and the operating system on the other.
The devil with the Firefox plug-in was in the details.
"Because Firefox is open source, we could often look into the browser code to get things working for Flash," said Arkin. "In some cases, it was clearly something that we needed to change in Flash or the broker, sometimes it wasn't clear and could go either way, and other times it was something that needed to change in Firefox. [The Mozilla] guys make sure that [the latter] got addressed."
Like the sandboxed Flash for Chrome, the beta plug-in for Firefox works only on Windows. "In the real world, Windows is where the bad guys go," said Arkin, explaining why Adobe hasn't crafted similar protection for Mac or Linux users of either Chrome or Firefox.
Adobe has no plans to add sandboxing to the Flash Player plug-ins that run in Apple's Safari or Opera Software's Opera browsers.
Chrome has another advantage over Firefox when it comes to Flash: Google bundles the Adobe software with its browser, patching Flash alongside Chrome using the latter's silent update mechanism.
"I'm not aware of any conversations between Adobe and Mozilla on bundling components [such as Flash] with Firefox," said Arkin when asked whether Mozilla would follow in Google's footsteps.
Instead, Adobe has been quietly beta testing a new silent update service for Flash -- again, mimicking work it did earlier for Reader -- that should launch in final form some time "in the next couple of months," said Arkin.
The beta of the sandboxed plug-in works on Firefox 4 and later, but Arkin cautioned users against trying it out on production or mission-critical Windows PCs. "We can really use the techy folks' help evaluating the beta," he said, referring to early adopters who aren't leery of preview software.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer , on Google+ or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org .
Read more about security in Computerworld's Security Topic Center.