What Is Sandboxing? Why Apple And Adobe Sandboxed Safari's Flash Player On Mac OS X Mavericks

  on
OS X Mavericks security
Adobe announced that Mac users of Flash Player will be protected in the new Safari for OS X Mavericks with a technique called "sandboxing."

Following Tuesday’s Apple media event, which announced the same-day release of the new operating system for the Mac, OS X “Mavericks,” Adobe announced on one of its company blogs that Mac users of Flash Player will be protected in the new Safari for OS X Mavericks with a technique called "sandboxing."

“Thus far, we have worked with Google, Microsoft, and Mozilla on deploying sandboxes for their respective browsers," Peleus Uhley, Adobe’s platform security strategist, wrote on the Adobe Secure Software Engineering Team (ASSET) blog. "Most recently, we have worked with Apple to protect Safari users on OS X. With this week’s release of Safari in OS X Mavericks, Flash Player will now be protected by an OS X App Sandbox.”

What is sandboxing, and what does it mean for users?

A sandbox, according to UC Berkeley researchers Ian Goldberg, David Wagner, Randi Thomas and Eric Brewer, is a security mechanism used to separate various running programs to “execute untested code, or untrusted programs from unverified third-parties, suppliers, untrusted users and untrusted websites.” In other words, a sandbox contains tightly controlled settings that disallow software from harming the host device — in this case, a virus or piece of malignant code hidden within a Flash Player (easily one of the most popular multimedia tools on the planet) won’t afflict a Mac running OS X Mavericks.

Sandboxing in this particular case, according to Adobe, means “there is a specific com.macromedia.Flash Player.plugin.sb file defining the security permissions for Flash Player when it runs within the sandboxed plugin process. As you might expect, Flash Player’s capabilities to read and write files will be limited to only those locations it needs to function properly.” Adobe also added its sandbox also limits the Flash Player’s networking privileges, device resources and inter-process communication (IPC) channels.

“Safari users on OS X Mavericks can view Flash Player content while benefiting from these added security protections,” Uhley said on Adobe’s blog. “We’d like to thank the Apple security team for working with us to deliver this solution.”

Though Apple and Adobe have a long interconnected history, the relationship between the two tech giants became rocky in April 2010, when then-CEO Steve Jobs published an open letter on Apple’s website, called “Thoughts On Flash.” In the letter, Jobs explained why he simply refused to allow Adobe Flash on the iPhone, iPod and iPad. Mind you, this is the same month Apple released its first-ever iPad.

“Symantec recently highlighted Flash for having one of the worst security records in 2009,” Jobs said. “We also know first hand that Flash is the number one reason Macs crash. We have been working with Adobe to fix these problems, but they have persisted for several years now. We don’t want to reduce the reliability and security of our iPhones, iPods and iPads by adding Flash.”

Jobs ultimately argued Adobe needed to redesign Flash to support touch-based devices but was “painfully slow to adopt enhancements to Apple’s platforms,” and the Flash maker was never able to show the program “performing well on a mobile device, any mobile device,” thus making it unsuitable for Apple’s iPhone, iPad and iPod lines.

The next day, Adobe CEO responded to Jobs’ letter, telling the Wall Street Journal, “If Flash is the number one reason that Macs crash, which I’m not aware of, it has as much to do with the Apple operating system.” Five months later, Apple removed a number of controversial restrictions on third-party app tools and frameworks, and allowed the deployment of Adobe Flash on iOS for developers using Adobe’s iOS Packager.

For the release of OS X Mavericks, Adobe also sandboxed their versions of Reader and Acrobat, which used to be big targets for malicious attacks on the Web before Adobe committed to tightening them up earlier this year.

About OS X Mavericks

Introduced at WWDC 2013 in June, OS X Mavericks introduces plenty of new features to the Mac experience, including the new Tabbed Finder and Tags system for keeping files orderly, and the ability to run full-screen apps on multiple displays.

Mac OS X users are used to looking at their files in separate windows, but Apple has merged these windows into orderly tabs in the release of OS X Mavericks, with each tab fitted with its own custom-view setting. With Tags in OS X Mavericks, users can save their documents with as many tags as they want, either previously listed or created on the fly, which makes it exceedingly easy to search through one’s files later. And with full-screen apps optimized for multiple displays in OS X Mavericks, users can utilize Spaces to swipe back and forth between various applications, and even drag assets across the apps. Apple TV owners can also use that display as yet another screen to do work.

In its OS X Mavericks release, Apple also makes Safari a much faster and more-effective browser for Mac users. Browsing through bookmarks, favorite sites and even links shared by others via social networks is extremely easy, and it’s all organized directly on the home page. And, of course, OS X Mavericks will be released with iCloud Keychain so you’ll never have to blame your faulty memory for having the same password for every site, or never being able to remember your various passwords.

Mac OS X Mavericks also introduces much-improved battery life for OS X power users, thanks to features like Compressed Memory, which rapidly compresses inactive memory used by the computer to give free space to any application in use; Timer Coalescing, which reduces the level of CPU interruptions and transitions by up to 72 percent from OS X Mountain Lion; and App Nap, which puts unused apps to “sleep” automatically. Apple also brought over more iOS features to the Mac in OS X Mavericks, including the new Maps and iBooks applications finally optimized for the Mac; the refurbished Notifications Center that makes it much easier to reply directly to emails, texts and FaceTime requests; and the new iCloud keychain, which is always encrypted and memorizes all of your passwords, including credit-card information.

Follow Dave Smith on Twitter

Join the Discussion