Apple Safari catches up with rivals on Flash security

While not a security cure-all, Apple's decision to finally place the Adobe Flash Player within its own sandbox in Safari will make one of hackers' favorite targets harder to exploit, experts say.

[Apple iCloud keychain in OS X Mavericks gets mixed reviews]

Adobe said Wednesday that starting with Apple's latest version of Mac OS X, Mavericks, Safari will leverage the same protective technique that has been used for sometime in other major Web browsers, including Google Chrome, Microsoft Internet Explorer, and Mozilla Firefox.

"I think this is long overdue," Bogdan Botezatu, security researcher for Bitdefender, said. "Most security issues on OS X are caused by third-party code such as Java or Flash Player."

Sandboxing refers to placing an application in a container that prevents the software from accessing computer resources or services that are not essential to its operation. The technique improves security by limiting hackers' options, if they are able to penetrate the container and compromise the application.

Of course, depending on the app, the available resources could still provide an avenue for taking control of a computer.

"While sandboxes are a powerful and appropriate security concept, they are not infallible and have been repeatedly bypassed in various implementations across platforms and vendors," Justin Clarke, security researcher at Cylance, said.

Nevertheless, sandboxing makes a successful attack harder, which is why it has been used to isolate the Flash Player, a browser plug-in used to play multimedia and interactive content on Web sites. Flash is a popular Web development platform.

Starting with Safari in Mavericks, the player's ability to read and write files will be limited, Paleus Uhley, platform security strategist for Adobe, said in the company's security blog.

The sandbox will also limit the player's local connections to device resources and inter-process communication (IPC) channels, which are used for message passing, synchronization, shared memory and remote procedure calls.

In addition, limits will be placed on the player's networking privileges, Uhley said.

Why Apple waited so long to secure Flash is unclear. However, Apple has not been a fan of the technology for sometime.

In 2010, then-Chief Executive Steve Jobs defended his decision not to support the technology in the iPhone, iPod and iPad, saying the technology had a poor security record, was unreliable and did not perform well on mobile devices.

[Apple end-to-end encryption far from bulletproof]

Apple's decision not to support Flash contributed to Adobe dropping Flash development for mobile devices a year later. Instead, the company shifted focus to HTML5, a web standard from the World Wide Web Consortium that provides similar capabilities.

On the personal computer, Flash remains an important Web platform, and it is likely Apple could no longer ignore the steady rise in the number of serious vulnerabilities found in the Flash Player.

"What remains to be seen is how strong the sandbox policy for Flash truly is," Max Vohra, security engineer for Security Innovation, said. "Like any mandatory access control framework, it's still possible to allow access to the wrong file or program."

A more secure Flash Player in Safari is not expected to have any impact on corporate use of the browser. Most companies use Internet Explorer, which comes with Microsoft Windows. The latter dominates the business market for operating systems.

"It's an important step, though I dont think it changes the browser landscape all that much, and certainly not for enterprise standards," Randy Heffner, analyst for Forrester Research, said.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags Apple

More about Adobe SystemsAppleForrester ResearchGoogleIPCMicrosoftMozillaWorld Wide Web Consortium

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Antone Gonsalves

Latest Videos

More videos

Blog Posts