Researcher breaks Adobe Flash sandbox security feature


Researcher breaks Adobe Flash sandbox security feature

Robert Westervelt, News Director

Engineers at Adobe Systems Inc. are classifying a new hacking method that breaks a Flash sandbox security feature as a "moderate" security threat.

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.

You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

Safe Harbor

If we can find a protocol handler that hasn't been blacklisted by Adobe and allows for network communication, we win.

Billy Rios
security researcher

New research made public by application security researcher Billy Rios this week demonstrates how an attacker could bypass Adobe's local sandbox security feature, which prevents Flash files loaded from the local file system from passing data to remote systems.

The feature, according to Adobe, ensures privacy by blocking local data from being leaked out to the network. In addition, the security feature prevents local file system SWF Flash files from calling an HTTP or HTTPS request.

In a blog entry explaining the Flash local with filesystem sandbox bypass method, Rios said it is relatively easy to bypass the sandboxing security feature. His method could allow an attacker to transmit data to a server without the victim getting any indication of the data transfer.

"In the case of the local-with-filesystem sandbox, Adobe has decided to prevent network access through the use of protocol handler blacklists," Rios wrote. "If we can find a protocol handler that hasn't been blacklisted by Adobe and allows for network communication, we win."

An Adobe spokesperson told that engineers determined several factors need to fall into place for an attacker to successfully bypass the security feature. SWF files are rarely run locally and generally they are loaded in a browser plug-in.

"An attacker would first need to gain access to the user's system to place a malicious SWF file in a directory on the local machine before being able to trick the user into launching an application that can run the SWF file natively," the spokesperson said. "In the majority of use scenarios, the malicious SWF file could not simply be launched by double-clicking on it; the user would have to manually open the file from within the application itself."

Rios said the method relies on Adobe's use of protocol handler blacklists, which prevent the protocol handler from transmitting and receiving data. A simple method can bypass most protocol blacklists.

"It's basically impossible to create a list of "bad" protocol handlers in a situation like this," Rios wrote.

Apple, Google, Microsoft and other software vendors create a sandbox around some applications to try to isolate the application from certain critical operating system files and network protocols. As part of an initiative to improve security, Adobe's engineering team has been working on sandboxing and recently released Adobe Reader X, which uses the feature. In December Adobe released a sandboxed Flash plugin for Google's Chrome browser.