Google builds stronger Flash sandbox in Chrome

Windows XP version now also includes anti-exploit technology

Google today announced it had wrapped up work on a stronger Flash sandbox in the Windows version of Chrome, and would soon ship the same for its OS X browser.

Chrome 21, which launched July 31, completed efforts to ditch the aged NPAPI (Netscape Plugin Application Programming Interface) Flash plug-in for one built to Google's own PPAPI (Pepper Plugin Application Programming Interface) standard.

By porting Flash Player to PPAPI, Google's engineers were able to stuff the Adobe plug-in into a "sandbox" as robust as the one that protects Chrome itself.

"Windows Flash is now inside a sandbox that's as strong as Chrome's native sandbox, and dramatically more robust than anything else available," Justin Schuh, a Chrome engineer, in a post to the Chromium blog Wednesday.

A sandbox is an anti-exploit technology that isolates processes on the computer, preventing or at least hindering malware from letting hackers exploit an unpatched vulnerability, escalate privileges and push their attack code onto the machine.

Chrome was the first to sandbox Flash Player: Google shipped a "stable" build of the browser in March 2011 with a Windows sandbox for Flash. In May 2012, Adobe issued a sandboxed Flash plug-in for Mozilla's Firefox, although the open-source browser maker has struggled to diagnose a higher-than-usual number of Flash crashes since then.

Previously Chrome's Flash sandbox was only available on Windows Vista and Windows 7, but with Chrome 21 and the move to PPAPI, Google was able to extend coverage to Windows XP.

"[That's] critical given the absence of OS support for security features like ASLR and integrity levels [in Windows XP]," Schuh said.

Schuh claimed that Chrome is run by about 100 million Windows XP users.

According to Web analytics company Net Applications, Windows XP powered 46.6% of all Windows PCs that went online in July, a slightly larger share than the quickly-gaining Windows 7.

The port of Flash to PPAPI will reduce Flash crashes by 20%, and prepares Chrome for its debut on Windows 8, the upgrade Microsoft plans to start selling Oct. 26.

"Because PPAPI doesn't let the OS bleed through, it's the only way to use all Flash features on any site in Windows 8 Metro mode," Schuh wrote, referring to the tile-based environment that, along with a traditional desktop, comprises Windows 8.

Google added a Metro version of Chrome to the rougher "dev" channel in mid-June.

Although a fully-sandboxed Flash Player plug-in is yet not included in Chrome on OS X, Schuh said that the team "hope[s] to ship it soon."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is

See more by Gregg Keizer on

Read more about application security in Computerworld's Application Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts