Google Adds “Fully Sandboxed” Flash in Latest Chrome Beta

The Google Chrome team has moved the Flash plugin into a separate sandbox on all versions of Windows to make it harder for attackers to exploit.

Attackers regularly target third-party browser plugins to gain control over the Web browser and the rest of the system. Even though Google tests and bundles Flash Player into Chrome, instead of having users download it separately, the code is from Adobe, not from Google. The Flash Player plugin bundled with Google Chrome was used last year and this year by researchers during the Pwn2Own hacking competition at CanSecWest.

“Today’s Chrome 21 beta release has fully sandboxed Flash on all versions of Windows,” Justin Schuh, a member of the Google Chrome team, posted on Twitter.

At the moment, not all plugins are sandboxed in Chrome. Sandboxing isolates an application from the other processes the browser is running and prevents it from accessing other resources that could be used to take over the browser or the rest of the computer.

Schuh’s post seems to imply, however, that there are degrees of sandboxing. Google has had Flash in a sandbox as far back as 2010, but Schuh referred to a “fully sandboxed” version of the Flash plugin. Even if attackers manage to exploit a Flash vulnerability, as the VUPEN team did during Pwn2Own, the newer, more restrictive sandbox will prevent a system takeover.

We’ve reached out to Google to clarify the “fully sandboxed” comment and will update when we hear back.

However, early comments on the Google Chrome Releases blog indicate there may be a problem with Flash video on Chrome 21 beta. “All of a sudden the audio on all videos I played was choppy on all sites that I visited,” a user posted as a comment on the blog post. The videos appear to be Flash, and play just fine under other browsers, according to the comment.
