Chrome 21 hit Windows a few days ago and I’ve been meaning to write a post letting users know that they should now be running the PPAPI Flash plugin by default (check chrome://plugins), which enables a far more restrictive sandbox.
How much stronger is this sandbox? IBM has written a wonderful whitepaper about it comparing the Firefox NPAPI Flash Sandbox, Chrome NPAPI Flash Sandbox, and the newly rolled out Chrome PPAPI Flash Sandbox.
The PPAPI sandbox adds a number of restrictions. Here are a few screenshots from the presentation that highlight some important areas.
As you can see, Pepper Flash is significantly more secure than the NPAPI plugin used previously and currently. It has considerably reduced read access, write access, and registry access, as well as stronger and more restrictive job tokens.
The first sandbox bypass for Chrome by Vupen used the Flash plugin because the sandbox for it was the weak link. Firefox’s sandbox has improved somewhat over the old Chrome sandbox but the latest iteration, Pepper, is much stronger than either of the two.
Flash exploits in the wild are going to drop significantly, just as they did with Adobe reader.
Chrome 21 is in Beta right now and it won’t be long before Chrome users are all benefiting from a much more powerful PPAPI sandbox. The sandbox is built around the Adobe Flash plugin, which has been commonly exploited in the past. Of the vulnerabilities used in the Blackhole Exploit Kit, about 20% are Flash (65% Java, the rest PDF).
Chrome had previously sandboxed Flash player but it built the sandbox around Flash, leading to holes and looser restrictions. This time Flash has been built to work in the sandbox – the way it should be. This allows for a stronger sandbox.
The first public exploitation of Google Chrome was by Vupen in 2011. They broke through a “default installation of Chrome”, which includes Flash. It was confirmed later that it did in fact use the Flash plugin. Why did Vupen choose the Flash plugin? It’s the easy target – or it was.
Vupen’s exploit is ‘proof’ that the Flash sandbox was the easier target. It’s nice to see that Google is still taking steps to harden their sandbox even though it’s never been targeted in the wild.
Adobe Flash 11.3 for Firefox now runs in a sandbox! Yay. It’s not super strong; it should be virtually identical in nature to Chrome’s NPAPI sandbox, which Vupen broke out of twice. Still, this moves the cost of Flash exploitation far above what it used to be.
Chrome users will also be pleased to know that the PPAPI plugin has moved to 11.3 and it is really stable. I’m running it full time and YouTube and Google Music run flawlessly.
So it’s a good day for security. You can expect Flash exploits in the wild to wither away because all three major browsers now sandbox it. Where will hackers go? Well… either we’ll start seeing more sophisticated attacks on the Windows system (kernel exploits, yada yada) or we’ll start seeing attacks on other plugins like… Java.
My advice… either EMET Java or uninstall it. It’s just gonna get worse for that plugin.
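As an added example of the "EMET Java" advice above (this is not code from the original post), the following PowerShell script locates the installed JRE's java.exe through the JavaSoft registry keys, adds it and any browser executables it finds to EMET's protected-application list, and prints the resulting list. It assumes EMET 3.x is installed in its default folder and that EMET_Conf.exe accepts the EMET 3.0 `--set <path>` and `--list` switches; the browser paths checked are also assumptions. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): register Java and the browsers
# that host the Java plugin with EMET. Assumptions: EMET 3.x default install
# location; EMET_Conf.exe supports "--set <path>" and "--list".

# EMET lives under Program Files (x86) on 64-bit Windows, Program Files on 32-bit.
$candidates = @()
if (${env:ProgramFiles(x86)}) { $candidates += Join-Path ${env:ProgramFiles(x86)} 'EMET\EMET_Conf.exe' }
$candidates += Join-Path $env:ProgramFiles 'EMET\EMET_Conf.exe'
$emetConf = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $emetConf) { throw 'EMET_Conf.exe not found; install EMET or adjust the path.' }

# Find java.exe via the JRE's "CurrentVersion" -> JavaHome registry values.
# Both the native and the Wow6432Node hive are checked because browsers on
# 64-bit Windows are mostly 32-bit and load the 32-bit JRE.
$targets = @()
foreach ($hive in 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
                  'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment') {
    if (-not (Test-Path $hive)) { continue }
    $cur = (Get-ItemProperty $hive).CurrentVersion
    if (-not $cur) { continue }
    $javaHome = (Get-ItemProperty (Join-Path $hive $cur)).JavaHome
    if ($javaHome) { $targets += Join-Path $javaHome 'bin\java.exe' }
}

# EMET mitigations are applied per process. The Java plugin runs inside the
# browser (or its plugin container), so those processes need protecting too;
# these default install paths are assumptions and are skipped if absent.
$browserRoots = @($env:ProgramFiles)
if (${env:ProgramFiles(x86)}) { $browserRoots += ${env:ProgramFiles(x86)} }
foreach ($root in $browserRoots) {
    $targets += Join-Path $root 'Internet Explorer\iexplore.exe'
    $targets += Join-Path $root 'Mozilla Firefox\firefox.exe'
    $targets += Join-Path $root 'Mozilla Firefox\plugin-container.exe'
}

$targets = $targets | Where-Object { Test-Path $_ } | Sort-Object -Unique
if (-not $targets) { throw 'No Java or browser executables found to protect.' }

foreach ($exe in $targets) {
    Write-Host "Adding to EMET: $exe"
    & $emetConf --set "$exe"
}

# Show what EMET is now protecting so the change can be verified.
& $emetConf --list
```

Registering only java.exe covers standalone Java launches; the in-browser plugin is whatever process the browser hosts it in, which is why the script also adds the browser and plugin-container executables it can find. If the goal is the post's other option, uninstalling Java, none of this is needed.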