Saturday, October 26, 2013

Sandboxing Flash:
Safari 7 Is Adobe's Nanny


Adobe has been very naughty. Nanny is not pleased. So it's off to isolation in the sandbox with Adobe Flash, that retrobate obnoxious-ware of the Internet that has been more dangerous than useful.

Good news: Apple has joined the nanny crew and sent obstreperous, unreliable Flash off the sandbox in Safari 7.

As per the SANS Institute via NewsBites Volume 15 Number 083:
Adobe Flash Player is now sandboxed in Apple's Safari browser. Adobe has already released sandboxed versions of Flash for Firefox, Chrome, and Internet Explorer. When software is sandboxed, it is granted limited privileges on a system; it may be prohibited from writing to a storage device or altering data in memory. The sandboxed version of Flash for Safari is for machines running OS X 10.9 Mavericks.
SANS also provides a couple links with details about the change:

What's Sandboxing?

Let's see what Wikipedia says:
The sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as scratch space on disk and memory. Network access, the ability to inspect the host system or read from input devices are usually disallowed or heavily restricted. In this sense, sandboxes are a specific example of virtualization.
IOW: It's a safe space for isolating bad actors from good actors on your computer.

Note, however, that Java was supposed to be 'sandboxed'. That didn't work thanks to Oracle infesting it with code that leaped outside of the sandbox, directly into open computer space. Therefore, it's important to be wary of anything labeled as 'sandboxed' that may in fact be leaking sand into places you don't want it to go. Time will tell if the Flash 'sandbox' is actually safe or not.

And no, sorry but this sandboxed version of Flash does not sandbox on earlier versions of Apple's Safari. It is exclusively supported in OS X Mavericks 10.9 and above.

The best way to avoid naughty Flash from putting your computer at risk is to make certain it is up-to-date: