FRAMINGHAM, MASS. - Adobe plans to tackle Microsoft's Internet Explorer (IE) in its ongoing work to "sandbox" its popular Flash Player within browsers, Adobe's head of security said today.
Yesterday, Adobe released a beta version of a sandboxed Flash Player plug-in for Mozilla's Firefox on Windows Vista and Windows 7 as a follow-up to a similar initiative in 2010 for Google's Chrome.
Next on the list: IE.
"IE has a big chunk of the user base," said Brad Arkin, senior director of security, products and services, in an interview Tuesday. "We want to do what protects the most users the fastest, so we're looking at how we can tackle sandboxing in IE."
Arkin's right about IE's market share: According to Web metrics company Net Applications, IE accounted for 53% of all browsers used last month worldwide, or more than double Firefox's 21% and almost triple Chrome's 19%.
But Arkin declined to set a timetable for putting Flash within a sandbox inside IE.
"The way that Flash integrates with IE is at a very low level," he said, noting that the two programs frequently share the same memory space. IE also uses an entirely different plug-in infrastructure - Microsoft's own ActiveX technology - than other browsers.
"This will be a really steep hill to climb," said Arkin of the task of sandboxing the Flash plug-in for IE. "It will be a very different task compared to what we've done on Chrome and Firefox…. The difference is huge. We're still sorting through what is required on IE."
A sandbox isolates processes on the computer, preventing or at least hindering malware from letting hackers exploit an unpatched vulnerability, escalate privileges and push their attack code onto the machine.
Adobe first sandboxed Flash Player for Chrome in late 2010 after working with Google engineers; the Monday release of a sandboxed plug-in for Firefox came after similar cooperation from Mozilla engineers.
Arkin said Mozilla's developers "did a lot of work" to help Adobe during the development of the sandboxed Flash plug-in, including modifying Firefox. Arkin described the work with Mozilla as an "informal cooperation."
A similar process is taking place now with Microsoft. "There have been very active conversations between Adobe and Microsoft on this," said Arkin.
At a high level, constructing a sandboxed Flash plug-in for Firefox was similar to what Adobe had already done for Chrome, and the technology it debuted in Adobe Reader in November 2010.
Specifically, Adobe built a "broker," a low-privilege process that decides which functions Flash can conduct outside the sandbox, and mediates those requests between the plug-in on one hand, and Firefox and the operating system on the other.
The devil with the Firefox plug-in was in the details.
"Because Firefox is open source, we could often look into the browser code to get things working for Flash," said Arkin. "In some cases, it was clearly something that we needed to change in Flash or the broker, sometimes it wasn't clear and could go either way, and other times it was something that needed to change in Firefox. [The Mozilla] guys make sure that [the latter] got addressed."
Like the sandboxed Flash for Chrome, the beta plug-in for Firefox works only on Windows. "In the real world, Windows is where the bad guys go," said Arkin, explaining why Adobe hasn't crafted similar protection for Mac or Linux users of either Chrome or Firefox.
Adobe has no plans to add sandboxing to the Flash Player plug-ins that run in Apple's Safari or Opera Software's Opera browsers.
Chrome has another advantage over Firefox when it comes to Flash: Google bundles the Adobe software with its browser, patching Flash alongside Chrome using the latter's silent update mechanism.
"I'm not aware of any conversations between Adobe and Mozilla on bundling components [such as Flash] with Firefox," said Arkin when asked whether Mozilla would follow in Google's footsteps.
Instead, Adobe has been quietly beta testing a new silent update service for Flash - again, mimicking work it did earlier for Reader - that should launch in final form some time "in the next couple of months," said Arkin.
The beta of the sandboxed plug-in works on Firefox 4 and later, but Arkin cautioned users against trying it out on production or mission-critical Windows PCs. "We can really use the techy folks' help evaluating the beta," he said, referring to early adopters who aren't leery of preview software.
Flash Player with sandboxing for Firefox can be downloaded from Adobe's website; the company has also published release notes (download PDF) spelling out known problems and additional information.