Finally! After pioneering sandboxing of Javascript and tabs in the browser, Chrome is now finally busy moving Flash into a sandbox. Windows users of the dev channel have been fed the new release with Flash sandboxing already.
Google and Adobe are working closely to better integrate Flash into the Chrome web browser. The first result of that work came earlier this year when the two companies announced that Chrome would ship with Flash built-in, to allow the plugin to make use of Chrome’s auto-update feature. Sandboxing Flash in Chrome is the next step.
“This first iteration of Chrome’s Flash Player sandbox for all Windows platforms uses a modified version of Chrome’s existing sandbox technology that protects certain sensitive resources from being accessed by malicious code, while allowing applications to use less sensitive ones,” write Justin Schuh and Carlos Pizano, software engineers at Google, “This implementation is a significant first step in further reducing the potential attack surface of the browser and protecting users against common malware.”
A lot of work still needs to be done, however, since this is only an initial release. “While we’ve laid a tremendous amount of groundwork in this initial sandbox, there’s still more work to be done,” the engineers add, “We’re working to improve protection against additional attack vectors, and will be using this initial effort to provide fully sandboxed implementations of the Flash Player on all platforms.”
Especially Windows XP users should benefit from this work, since Chrome will be the only browser sandboxing Flash on that archaic Windows version. If you’re in the dev channel and are experiencing problems, you can use --disable-flash-sandbox
to disable the feature – after filing a bug report, of course.
No word on when this will arrive for Linux and Mac OS X.
…but I’d prefer an Internet without having to use Flash, period.
Google didn’t exactly make a good example when they decided to include Flash with Chrome by default. Nice way to strengthen Adobe’s already ridiculous reach on the Web.
Weakened security of the entire browser right from the start is just a side effect.
Google has no other option. There are no (widespread) alternatives yet for advanced video delivery, like YouTube, that offer features like DRM support and subtitles.
Simply false, in fact, the very site you mention here can be used almost exclusively without Flash at all via http://www.youtube.com/html5
That’s for general video that doesn’t require DRM.
Have a look at what their video rental service uses:
http://www.youtube.com/store
Video doesn’t require DRM. By far the most use of video on the web is for small ads and personal videos.
Ahhhhh … you are on about something else entirely … video rentals. You are saying that content providers say that they require DRM (certainly I can’t see any content consumers saying they required DRM). Maybe so, but that is an entirely different thing to claiming that “video requires DRM”.
Video rental is a tiny market indeed, a very small sub-division of “Internet video”.
Solution: use a different, dedicated application to deliver DRM-encumbered on-demand video. Problem solved. Forget browsers, which are after all userland programs designed to render a wide range of material that is freely offered over the Internet for users to view. There should be no anti-user DRM requirement there.
Edited 2010-12-02 04:39 UTC
I think that is a growing market and I know that now Netflix streams more video than it distributes DVDs – here in the States anyway.
Maybe so, but it still is small enough and distinct enough from the general nature of the web that it could easily be served by a separate application.
It certainly isn’t a good enough reason to saddle every browser client with a requirement to support DRM. It serves the interests of only a teeny tiny percentage of people. It isn’t the interests of people who run browsers and watch video that is being served by DRM … in fact their rights are being “managed” (where “managed” is a euphamism for “restricted”) on their own machines.
For every billion people:
Those whose interests are “managed” by DRM ~= 10^9
Those whose interests are served by DRM ~= 9.
Edited 2010-12-02 07:50 UTC
O.K. I see what you are saying… I misunderstood your angle.
I don’t think Google would want to do this.
As one of their plans is Google Chrome OS and TV.
If people are creating seperate applications, instead of using general web technologies, then possible some things will not work on the Linux based Google Chrome OS or TV.
You obviously haven’t Heard of the BBC iPlayer.
Shows after been shown on the BBC are usually available for 1 week or until the next show comes out (whichever is longer usually). Some stuff that is one off and not expected to sell well is available for sometime.
Pretty Big think in the UK … and BBC will want to keep the DRM so that they can recoup the cash with Sales of BBC Series on DVD or Blu-ray. Which tbh is fair enough.
I don’t expect that the BBC will be going to HTML5 ever.
The BBC does not show any commercials in the uk (not sure about other countries if they broadcast there) … so it is impossible for them recoup their investment from advertising.
Edited 2010-12-02 17:44 UTC
I have heard of the BBC iPlayer … nothing but controversy. A huge headache, because it was a publicly funded program that was not offered to all of the public … it started as being Windows only.
The BBC would have been far better off to have written iPlayer as a separate, cross-platfrom application. Perhaps they could have used java or a cross-platform framework such as Qt (just like VLC is cross-platform multimedia player based on Qt). They could have made the iPlayer available to everyone in the UK who had Internet connection. They didn’t. Huge problem for a public-funded organisation. The BBC can’t legally take everyone’s money (via paying TV licenses) and then offer their service only to a subset of people. Not on.
Likewise, the very concept of DRM requires that the client-side code is closed-source. The only viable way to deliver that to all clients is via a separate, closed-source application.
Now, companies for the most part don’t have the same requirement that the BBC must operate under. Companies aren’t publicly-funded, and so they can legally provide a service to only a sub-set of people. The thing is, doing that only restricts their possible market. So even companies are better served by writing a separate, cross-platform, closed-source free application for their customers to use to rent & play their videos. The more people they cover with their application, the wider the market they can sell their service to.
Everyone wins.
Edited 2010-12-02 22:00 UTC
Yes originally, however there were software development management problems which hampered the iPlayer originally. Now it is available any desktop OS that supports flash, so Windows, MacOSX and Linux … and it is available on quite a few mobile devices such as iPhone and iPad.
How so? … the flash based solution covers 99.9% of their audience, so it is cross platform as much as it matters. If you referring when it was originally released (some years ago now) then I would agree. But that isn’t the case now.
Again serving flash content covers 99% of all desktop users and many mobile users as well. Most people have it installed.
If I were making a decision on how to serve content that needs DRM I would choose Flash, because pragmatically that is the best solution that requires the least amount of development time, rather than spending a lot of development time and money writing a cross platform app.
I would not call video rental a tiny market. It’s a fast growing market that is already fairly large and there was just a report out stating that just Netflix used up 20% of Americas bandwidth – http://www.zdnet.com/blog/networking/the-internet-belongs-to-netfli…
That is massive.
Course, flash really isn’t necessary for Netflix, I don’t think. I use a Roku box for my Netflix fix I’m not sure what it is using to stream it.
Video rental is a tiny market indeed, a very small sub-division of “Internet video”.
The Netflix stream is 21% of peak hour Internet download traffic in North America.
The Netflix client is built into your HDTV, video game console, Blu-Ray player, home theater receiver…
http://www.kansascity.com/2010/11/28/2478582/will-more-streaming-vi…
This has been discussed a million times over. Flash, and the display of flash video entails heaps of things more than the simple display of a video file and html5 is NOT a replacement for Flash — which is not the same as claiming that it cannot display videos.
Stop the nagging, there is no alternative to Flash. Again, that is not the same as saying there is no alternative to watching videos.
HTML5 is not a replacement for Flash.
HTML5 is not the entirity of web satndards, either. Web standards include HTML5, and also CSS3, SVG, ECMAscript, DOM and a range of others:
http://en.wikipedia.org/wiki/World_Wide_Web_Consortium#Standards
Those combined, working together, as they are meant to, are an alternative to Flash. Actually, they are a significant superset.
There are also emerging protocols, not yet standards, that go beyond even these:
http://en.wikipedia.org/wiki/Canvas_element
http://en.wikipedia.org/wiki/WebGL
http://en.wikipedia.org/wiki/Web_Open_Font_Format
http://en.wikipedia.org/wiki/Web_Workers
Flash can’t compete with all of this.
True but there is no reason for it to be all one way or all the other – use Flash and HTML5 in the respective scenarios where it makes sense. I loath Flash but the best one can do is limit its use to where it makes sense instead of abusing it like so many web developers seem to be hell bent on doing.
There are only a handful of sites I am forced to use Flash on–YouTube and a few porn sites (the video sections mostly). And if I played online games regularly (I don’t), those too. The rest almost all run fine without it. No one else includes Flash by default, so Google certainly did have a choice–they apparently just figured they’d get a larger number of Chrome users by including it with the browser. How, I don’t know–Flash already seems to be preinstalled on almost every computer. In reality, it doesn’t seem like it gains them much.
I think they wanted to do the process seperation for Flash, this maybe required a special build of flash. So it is better to just include it.
Its less about politics and more about making a great browser.
The underlying motivation is Chrome OS. They want to throw everything into the browser and don’t care if it means ensuring the Flash install base stays high.
They had a chance to displace Flash through YouTube but didn’t act on it.
But the good news is that Flash at least has competition now.
Just because Flash is bundled, doesn^aEURTMt mean you have to ever use it. That is a concious decision made by developers. Bundling Flash is for security reasons only. Adobe cannot be trusted to keep users secure. Their update mechanism is awful and their Flash download website tries to foister crapware on users.
Google didn^aEURTMt invest $120M in On2 for nothing. HTML5 video simply isn^aEURTMt nearly ready enough to wholesale replace Flash. It will when it is good and ready and Google are working on it.
It still advertises to every site that it is installed, adding a +1 to the count of visitors who have Flash–whether you ever really want to use it or not. Who says they want to help Adobe out in this way, inflating their already-high numbers?
Did I just read that right? That Google is trying to “keep users secure” by preinstalling one of the most insecure plugins on the face of the planet? If anything, it should be *left out* for security reasons. And strictly recommended *against* installing for safety.
Edited 2010-12-02 14:13 UTC
They are bundling it, so that Chrome updates also update Flash and they are now adding Sandboxing/process seperation.
I think that is an improvement over using the one that is already installed.
They could sandbox it without bundling it.
As UZ64 already pointed it out this isn’t about choosing to use it, the problem is that it boosts the Flash install base even if the user doesn’t need it.
If Google was actually concerned with user security then they would have removed Flash from YouTube after purchasing it. They go well beyond just using it for videos, have a look at the giant Flash ad that they have on the home page:
http://www.youtube.com/
And don’t tell me about Adobe and security. I’m the one who pointed out that a recent buffer overrun of theirs involved the textbook example of strcat(). You cannot read a book about buffer overruns without reading about strcat() and strcpy().
Google is not concerned with security. They after all got hacked by using IE6 internally. That is completely inexcusable given the nature of their business.
I’m a Opera & IE9 user, If sandboxing is really good then I want this features in IE & Opera too
Edited 2010-12-02 01:32 UTC
That’s good and all, but what about other plugins?
I object to calling Windows XP archaic
You mean…
“I objecteth to thine callingst Windows XP archaic!”
LOL! Just kidding.
XP is old, not archaic. Feature-wise it still compares well against most alternatives. Yes, there are better systems available now but there are plenty of worse too.
Firefox on XP runs Flash in a separate process. Doesn’t it qualify as a form of sandboxing?
It’s fine when it comes to running programs but security….bleh.
Yeah, because Windows 7 is so much better: http://www.osnews.com/story/21653/Microsoft_Won_t_Fix_Windows_7_s_U…
90% of exploits are using Flash and PDF. Google know this. Google knows that Adobe completely suck and can^aEURTMt get their act together so Google have to protect users from Adobe.
They^aEURTMve bundled Flash into Chrome so that it can be updated every 24 hours instead of 30 days. They^aEURTMve now sandboxed Flash, and they^aEURTMre building in a PDF viewer into Chrome so people don^aEURTMt have to download that abomination that is Acrobat.
Google are doing more for the average user^aEURTMs security here than Microsoft, Adobe and Anti-virus vendors combined. If most exploits are coming through the web browser, and the web browser is locked down enough, then it won^aEURTMt matter to the majority what OS they are using, even if it^aEURTMs old and “insecure”.
I don’t see how this might happen… are Google devs going to fix Flash code?
Flash is a protocol. Google’s implementation of it is not Adobe’s code, it is Google’s code. Different code, same protocol.
Here is yet another emerging implementation of the same protocol:
http://www.phoronix.com/scan.php?page=news_item&px=ODgzNQ
Lightspark is also not Adobe’s code, nor is it Google’s code. Different code.
So no, Google devs will not fix Adobe’s Flash, Google devs will work on the embedded Flash handler which is part of Chrome. Different thing entirely.
Edited 2010-12-02 12:24 UTC
That’s inaccurate Google Chrome doesn’t use it’s own implementation of Flash. Google actually is fixing Adobe’s code.
I believe Adobe allows all of their Open Screen Project partners access to their Flash Player code.
OK. My interpretation of the article as written was that there was some kind of partnership between Adobe and Google while in fact, this is not different from Chrome implementing CSS or JS: it’s just an implementation of a specification.
EDIT: well Kroc’s answer below is even hinting at the interpretation I had.
Edited 2010-12-02 15:21 UTC
No, but when there is a fix from Adobe, Google can push the update out to users within 24 hours, rather tan users having to wait 30 days for the Flash update prompt, which they then immediately dismiss.
Yea it is, here is a better link:
http://www.conceivablytech.com/3473/science-research/botnets-hit-wi…
ASLR, UAC and having a basic scanner installed by default makes life much harder for malware writers. That’s a fact.
That’s funny. What do you think has kept the Flash install base so high? Crappy Flash ads? Before Hulu got popular everyone was installing Flash exclusively for YouTube. Apple is the only company that has drawn a line with Flash, albeit for disingenuous reasons. Google is concerned with getting as many eyeballs as possible to see their ads, not security. There are small companies on thin budgets that tell IE6 users to F the hell off. What does billions in the bank Google do with them? Pussyfoots around and only shows Chrome ads to them on YouTube.
Windows7/Vista provide an additional line of defense. That recent Firefox drive-by attack at the Nobel website was only looking for XP users since the attack would trigger UAC in Windows7/Vista.
XP is an unneeded security risk. Its use should be absolutely discouraged.
As a non-windows user and webdeveloper, I just want Windows XP (and old IE-versions) to go away.
Windows XP is the last barrier which prevents us from using SSL/TLS (https) easily everywhere. This is because IE and Safari on Windows XP use the windows library for talking to https-websites/-servers and it does not support name-based virtual hosting for https-websites.
So a server has to be configured with extra IP-addresses, etc.
it works fine if people are using firefox or chrome though, right? they should be using these with windows 7 too, so I don’t blame ie shit bleed on xp, I blame it on ie
^aEURoetrigger UAC^aEUR|^aEUR
Allow.
Sure but it makes it a lot harder to hide a drive-by attack when it flags UAC. That Nobel website attack was looking at user agent strings to avoid 7 and Vista users.
new users should be encouraged to use windows 7, this is true
but if they happen to use any sort of antivirus-firewall-HIPS sort of software, and keep everything up to date, xp is A-OKAY
people do some strange thumb modding let me tell you
How about having more than just one mod counter, then? Eg., one for the “agree/disagree”, one for presentation, one for information content, humor etc.
The way it is now (everything mixed together), it is more a popularity contest than anything else. Even I can produce a comment that will earn +5 or more but it is simply no fun to write something obvious that everyone agrees with.
it’s not a simple problem to solve, that is for sure
I’ve been sandboxing plugins on Linux (not just Flash. Mind you, java & friends aren’t more secure.) since years.
It’s simple, in the past you were using a plugin wrapper, now you can use the integrated plugin wrappers.
They all start a separate process for the plugin.
That process is isolated with your favorite mandatory access control system, be it SELinux, RSBAC, TOMOYO, AppArmor or what not.
It’s also most likely a lot more secure than the way Chrome does it, since a bug in Chrome can only affect the initial sandbox startup here.
I actually think that all these sandboxes should be replaced by generic security (SELinux, RSBAC, ..) and work should be make to make them seemless or part of a dev API (eg if it’s supported the rules are auto setup by the program/package)
With the diversity of access control systems available, do you envision an API emerging?
It’s not that kind of sandboxing. They aren’t just putting Flash into it’s own process here. They are sandboxing the instances of Flash into separate processes. So in theory if one Flash object crashes the other instances is still remain.
This is what they wanted to do when they from the start (when they first showed off sandboxing) but couldn’t. Partly because they didn’t have access to Adobe’s code before.
“After pioneering sandboxing of Javascript and tabs in the browser, Chrome is now finally busy moving Flash into a sandbox.”
I thought opera and firefox tabbed browsing predated Chromium.
Every tab in chrome runs in its own process. This is why one tab can’t cause the entire browser to crash.
except it can. I’ve had chrome flake out on a tab plenty of times taking the entire app down with it. It also makes it use up an extraordinary amount of ram.
That would make sense. Chrome was the first to separate each tab into a separate system process. (ugly as sin in the task manager but if it works …)
My initial reading suggested only the tabbed browsing not each tab as a process.
Ironically, Chrome these days causes my entire *computer* to crash hard (10 secs without mouse movement, then shutdown). Ubuntu 10.04, nvidia. PPA snapshots haven’t fixed the issue.
That’s why I switched to running firefox 4 betas. Possibly as fast & responsive as chrome, but without sandboxing – and without hard computer crashes.
I’ve had a similar experience with Chrome on Windows. The system was so unresponsive it hadn’t even displayed the task manager after 25 minutes of waiting. Not quite a full OS crash, but there’s little practical difference when the system’s rendered unusable without a restart. Definitely puts me off using the browser.
Seriously? On Windows I find the latest FF4 beta so sluggish that it sometimes gives me flashbacks to browsing with Netscape 2 on a 386. After I’ve been using it for a while I can often count to 3 after clicking a tab before it displays.
Seriously?
Firefox 4 beta 7 is the fastest and most feature-full browser of all on most systems. You must be doing it wrong, somehow.
It’s hardly a “feature-full” browser compared with Opera… Maybe after a dozen different extensions have been installed to add a sidebar, mouse gestures, tab tiling, etc.
I’m open to the possibility that something has gone wrong with my clean install of FF4b7, but Opera and Chrome run just fine on the same PC.
Your whole system crashes? Wow.
Not using Chrome may solve your problem, but you’ve still got a problem in there, somewhere.
It could be the hardware. Chrome might be revealing a defective RAM stick or there’s a bug in the video drivers or the kernel.
If a web browser can crash your entire system, it really isn’t the browser’s fault.
Just sayin.
I know. Yet, I run pretty hard core stuff on it (windows xp on vmware) and yet chrome is the only thing that crashes it. And it does this pretty systematically.
It may be ram, bad computer model (Dell Precision M2400) or something, but not using Chrome is easier than getting the hardware debugged.
“If a web browser can crash your entire system, it really isn’t the browser’s fault. ” … unless it’s IE.
(I couldn’t resist.. )
This myth needs to die.
1. Child tabs pointing to the same domain as the parent will reuse its parent tab’s process. If one tab crashes, it takes the whole family with it.
2. Chrome has right now an upper limit on how many content processes it will spawn (around 35-40 last I checked). After that it will start distributing new domains to existing content processes.
3. I’ve had dead tabs crash the whole of Chrome since a couple of versions on two different operating systems. Symptoms: A tab is apparently loading but you can’t switch to it. If you close the tab, Chrome goes the way of the dodo.
Edited 2010-12-04 14:48 UTC
I haven’t tested it, but I wonder if it handles it better than firefox. I noticed the other day that when I’m playing a flash game (you can pry my tower defense games from my cold dead fingers) in a tab and I decide to tear the tab off into its own window, it reloads the flash file in the new tab. REEAAALLLY annoying when I’m on level 15 and about to take on the boss ;P
I really don’t see how anyone can play Flash games without wanting to chuck the computer across the room. Blinky ads, kludgey controls, ugh.
But on a positive note you should check out the South Park tower defense game on Xbox live. It’s one of the best I have ever played.
I never understood how anyone can play tower defense games with those crap console controllers.
I can place six items with my G9X mouse before I can get just one into place with those analog sticks.
Hand and fingertip movement is always going to be more precise than thumb angle.
Ah pc gaming elitism, my friend is still going through that stage.
Maybe you should try the game before trashing it. It isn’t a point-n-click game converted to the console. It’s designed around the controller and far more challenging than any of the recent pc tower defense games.
Edited 2010-12-05 02:44 UTC
It’s nice that they care about security but when are they going to fix accessibility? That’s the biggest problem with flash right now in my opinion. Webkit has a lot of accessibility issues as well BTW. They don’t seem to care about it.
I would really like Sandboxing to become a feature of MSE or maybe even windows itself.
Windows can be secure as hell but for other software we install on it.
Let’s just hope Microsoft don^aEURTMt get sued if MSE gets to many bells and whistles:-(
Kaspersky Internet Security for example (And maybe other AV companies as well) list all your application, from where you can sandbox them or give them varying amounts of networking privileges.
Kaspersky also do a vulnerability scan and compile a list of applications that is unpatched or insecure.
With MSE you can use Secunia’s free home edition to do this job, but it would have been nice in MSE as well.
Edited 2010-12-02 18:22 UTC
Update
After my post I searched if Sandboxing is a Windows feature.
Microsoft 7 Ultimate have an Sandboxing application in the form of “AppLocker”
http://www.microsoft.com/windows/enterprise/products/windows-7/feat…
I dont know if this extend to Browser plugins?
Flash will go away eventually. Google knows it and even Adobe knows it. But it will take time and Flash is still something that almost everyone will install either way, so why not try to make it as secure as possible?
I’m with Google on this one as I don’t think not including flash with Chrome would make any difference. And if they banned flash completely then no one would use the browser, because it’s just a browser, not a shiny cool iDevice.
Adobe has been preparing for flash to lose foothold for quite some time now. In fact with CS5 they have shown that they have serious intentions on becoming the leading HTML5 authoring tool developer.
That’s where they make the money anyway.