SecurityWeek

Google Adds “Fully Sandboxed” Flash in Latest Chrome Beta

The Google Chrome team has moved the Flash plugin into a separate sandbox on all versions of Windows to make it harder for attackers to exploit.

Attackers regularly target third-party browser plugins to gain control over the Web browser and the rest of the system. Even though Google tests and bundles Flash Player into Chrome, instead of having users download it separately, the code is from Adobe, not from Google. The Flash Player plugin bundled with Google Chrome was used last year and this year by researchers during the Pwn2Own hacking competition at CanSecWest.

“Today’s Chrome 21 beta release has fully sandboxed Flash on all versions of Windows,” Justin Schuh, a member of the Google Chrome team, posted on Twitter.

At the moment, not all plugins are sandboxed in Chrome. Sandboxing means that a plugin is isolated from the other processes the browser is running and is prevented from accessing other resources, so that it cannot be used to take over the browser or the rest of the computer.

Schuh’s post seems to imply, however, that there are degrees of sandboxing. Google has had Flash in a sandbox as far back as 2010, but Schuh referred to a “fully sandboxed” version of the Flash plugin. Even if attackers manage to exploit a Flash vulnerability, as the VUPEN team did during Pwn2Own, the newer, more restrictive sandbox will prevent a system takeover.

We’ve reached out to Google to clarify the “fully sandboxed” comment and will update when we hear back.

However, early comments on the Google Chrome Releases blog indicate there may be a problem with Flash video on Chrome 21 beta. “All of a sudden the audio on all videos I played was choppy on all sites that I visited,” a user posted as a comment on the blog post. The videos appear to be Flash, and play just fine under other browsers, according to the comment.
