Google improves Flash sandbox, Chrome safer than ever

November 14, 2012, 3:30 PM

Google silently rolled out an update to Chrome which featured an unusual change, apparently one worthy of an announcement on the Chrome Blog: improved Adobe Flash plug-in sandboxing. The company claims its new method of fortifying Flash makes Adobe's plug-in every bit as secure as Chrome's native sandboxing techniques.

To harden Flash against would-be Chrome hackers, Google says it's been working closely with Adobe to create a custom solution. The result of this partnership is a Flash plug-in which -- if attacked -- will confine a hacker's exploits to a single Chrome process. Unless hackers discover a method to escape Google's improved Chrome-Flash sandbox, the security measure will insulate the host operating system from virtually any threat posed by Flash.

Of course, if there is a way to escape Chrome's newest Flash sandbox, hackers will find it eventually. Google actually counts on this though, utilizing its Pwnium contest as a way to transmogrify this inevitable truth into better Chrome security. Last year, controversial security firm Vupen was thought to have a working Flash sandbox exploit for Chrome.

Currently, Google awards Chrome hackers $60,000 for disclosing their zero-day recipes. Partial and consolation hacks net those same security nerds a cool $40,000 or $20,000, respectively. Although exposing a Flash vulnerability would only qualify for the $20,000 reward, escaping the sandbox which attempts to isolate the plug-in and utilizing that vulnerability to attack the host operating system would most certainly qualify for the sixty grand.

The improved Flash sandbox has made its way to all platforms, including Windows, Mac OS, Linux and Chrome OS.




User Comments: 4

1 person liked this | bugejakurt said:

Is this security improvement implemented in the latest stable release: "23.0.1271.64" ?

TJGeezer said:

Good question, but doesn't Chrome automatically update its plugins as updates come available? That would include the Flash sandbox, I'd think. Maybe someone knows for sure.

bugejakurt said:

Yes, but I think the plugin updates, although they happen silently in the background, are updated with a release package, i.e. the Google Chrome version is incremented to show an update. I also think that updates, even updates to plugins, are noted in the Google Chrome releases blog at http://googlechromereleases.blogspot.com/

Can 'Rick' give us some additional details please?

Thanks in advance.

RandomGKL said:

This update broke Flash sound; had to disable the built-in Flash and install another version of Flash manually to get it working again (2 hours' work including research to find out the problem).
