Adobe has released beta code for sandboxing its heavily hacked Flash code within Firefox, in a similar fashion to the Chrome security protections added to its Reader software and Google’s Chrome browser. “Sandboxing technology has proven very effective in protecting users by increasing the cost and complexity of authoring …
Flash will protect Firefox by crashing. No, wait, that's the current behavior.
I protected Firefox by not installing Flash :)
Hold on. So Adobe; the people responsible for all the holes in the plug-ins that are so frequently used to attack people's computers are the same people implementing the sandbox? Isn't that like employing paedophiles to keep the kids safe in kindergarten?
@"Isn't that like employing paedophiles to keep the kids safe in kindergarten?"
No, it's not; Adobe didn't hack your system.
However it is like giving the "chaperone" who left the children alone in the company of a paedophile a training course and then re-employing them.
The protection relies on -
- using so much RAM and CPU that malware can't get a look in.
I protected Firefox by installing Opera ;)
Same plugin, same exploit
You need the upcoming "out-of-process" plugin support in Opera 12 to avoid crashes and exploits through plugins.
As for everyone smarmily crowing over Adobe's security record: exploits are inevitable in any runtime. Adobe's products are a common target because they are very widely used and much of the other "low-hanging fruit" eg. Internet Explorer's ActiveX mechanism had been reasonably shored up.
"much of the other "low-hanging fruit" eg. Internet Explorer's ActiveX mechanism had been reasonably shored up."
ActiveX wasn't low hanging, it was on the ground rotting. ActiveX was one of the most braindead ideas Microsoft ever came up with and the competition there is pretty steep. "I know, let's allow browser plugins that run as native exes with full user permissions! What could possibly go wrong?". Fscking morons.
> Adobe's products are a common target because they are very widely used and much of the other "low-hanging fruit" eg. Internet Explorer's ActiveX mechanism had been reasonably shored up.
Sorry, did you mean "Adobe's products are a common target because Adobe are so far behind everyone else in securing their products that you can even use ActiveX as an example of something that's more secure."?
"ActiveX was one of the most braindead ideas Microsoft ever came up with and the competition there is pretty steep."
Auto-run being a close second?
"exploits are inevitable in any runtime"
Why? Because of poor requirements and specifications, poor reviews, poor coding, poor testing etc. etc,
FFS, if airplanes crashed at the rate computer programs did we'd all have to live underground and *nobody* would use them.
Accidents don't happen, accidents are caused.
Adobe have a senior security researcher? I'll be damned.
In every large company somebody has to write those huge standards documents that nobody ever reads.....
Yeah, it seems that the work experience kid didn't know how to make coffee. He had to do something while he was there...
Shutting the door after the horse has bolted and died of old age ....... some people never know when they have lost !
I protect Firefox by using NoScripts, duh
I love the way the thread has turned into a browser competition. All browsers use Flash and all therefore have the same vulnerabilities to it.
Also good byline on the article, trying to dismiss how useful this will be.
> All browsers use flash and all therefore have the same vulnerabilities to it.
iOS browsers don't.
Not that I'm seriously putting them forward as entrants for any sort of "good browser" competition; that would be laughable.
A bit late?
Is it me or have the number of Flash security updates dropped off over the last few months?
Isn't the number of security releases proportional to the number of vulnerabilities that are being exploited? I don't recall seeing anything about vulnerabilities in the latest version that are being exploited (sure someone will correct me). Each of the security releases recently has been in response to a vulnerability that people were using in the wild. They will not make new security releases if there is nothing to secure against.
So now they are not having to firefight vulnerabilities, instead they will focus those resources on building more and better functionality. New functionality like say, a sandboxing function.....
Ass Backwards Logic
Correct me if I'm wrong, but I read that as Adobe are spending programmer time building a sandbox solution to run their insecure code, rather than using the same programmers' time to build a secure solution in the first place, or dig out all the bugs in the current code.
Isn't that kind of ass backwards logic?