Flash Player is finally sandboxed in Safari on Mavericks, says Adobe

By , Oct 24, 2013

OS X Mavericks (logo, full size)

Yours truly long stopped using the standalone Flash Player so you could imagine I’m fairly puzzled that folks to this date continue to rely on Adobe’s plug-in. I know, if you’re into Flash games/apps and other Flash-authored content, there’s no escaping Adobe’s multimedia run-time.

Among the reasons I keep Flash miles away from my Macs: the instability, resource hoginess and excessive proneness to malware and other types of vulnerabilities and malicious attacks.

With this week’s release of Safari in OS X Mavericks, the Flash Player will now be protected by a new operating system feature called App Sandbox, Adobe announced Thursday…

Adobe Platform Security Strategist Peleus Uhley said in a blog post his company has “worked with Apple to protect Safari users on OS X”.

Safari users on OS X Mavericks can view Flash Player content while benefiting from these added security protections. We’d like to thank the Apple security team for working with us to deliver this solution.

App Sandboxing, as described by Apple, “provides a last line of defense against the theft, corruption, or deletion of user data if an attacker successfully exploits security holes in your app or the frameworks it is linked against”.

If you need more proof, Apple’s Mavericks features web page confirms that “Adobe Flash Player, Silverlight, QuickTime and Oracle Java plug-ins are sandboxed in Safari” on Mavericks.

Uhley details how Flash Player in Mavericks protects your from attacks:

For the technically minded, this means that there is a specific com.macromedia.Flash Player.plugin.sb file defining the security permissions for Flash Player when it runs within the sandboxed plugin process.

As you might expect, Flash Player’s capabilities to read and write files will be limited to only those locations it needs to function properly. The sandbox also limits Flash Player’s local connections to device resources and inter-process communication (IPC) channels.

Finally, the sandbox limits Flash Player’s networking privileges to prevent unnecessary connection capabilities.

And this from Apple’s Safari web page:

PDFs and widely used plug-ins like Adobe Flash Player, Silverlight, QuickTime and Oracle Java are sandboxed in Safari, which protects your system from harm should those plug-ins be exploited.

And in addition to blocking cookies, Safari enhances your privacy “by preventing third-party websites from leaving other types of data — such as plug-in, cache, and local storage data — that could be used to track you online,” Apple states.

Even better, you can dive deep into Safari’s settings and tell the browser to run only certain plug-ins on trusted websites, for an added piece of mind.

Safari on Mavericks (Settings, Security, Plug-ins 001)
Tell Safari which plug-ins are allowed to run on a per-website basis.

Mavericks also packs in some sophisticated power-saving technologies.

For example, Safari on Mavericks doesn’t waste resources by rendering content outside the focus of your browsing. And when web pages you visit contain plug-ins in their margins, Safari displays a preview of the plug-in content but waits until you click it before running it.

Safari on Mavericks (Settings, Security, Plug-ins 002)

As for myself, I couldn’t care less about Adobe’s announcement.

My Macs have and always will be Flash-free. Matter of fact, I removed every single piece of Adobe software from all of my computers three years ago and never looked back. And whenever I find myself in a situation that cries for Flash, I don’t install the system-wide Flash Player and instead fire up Chrome which has the Flash plug-in built-in.

Photoshop?

Thanks, but no thanks – I use Pixelmator instead.

Lightroom?

Aperture is my friend.

And so forth, and so forth…

Do you keep Flash plug-in installed on your system?

What about other Adobe software?

  • Share:
  • Follow:
  • bigtalk

    why? i though flash was dead?

    • Nate McKelvie

      I thought the same thing. I do know lots of websites still use flash, but I believed that Adobe had pulled plugin on flash and were no longer creating new software or upgrades

      • Elias Chao

        As I know, Flash for mobile is dead, but for desktop they still updating it.

      • Nate McKelvie

        Oh ok good to know, I had been under the impression they canned it completely

  • jocastro

    Flash is a load of hop-pla

  • Jordan Dixon

    The only reason I use flash is because of video, like YouTube, BBC iPlayer, etc.

    • Rowan09

      YouTube to my understanding moves over to HTML 5 a while back.

      • JaeM1llz

        YouTube and the majority of popular video streaming services do indeed still use Flash(right-click a video in YouTube and you will see). You can opt in to HTML5 betas on sites like YouTube and Vimeo, or use a browser extension like HTML5ify, but most of the users are still using Flash.

  • ap3604

    Unless chrome is your main internet browser (which uses flash), it seems like a stupid idea not to have flash installed.

    I vastly prefer safari over chrome on my macbook air for the fact that it has gesture support + it’s less power hungry. I’d have to be an idiot to force myself to switch over to chrome every time I come across a page that had an embedded youtube video I wanted to see, especially with today’s sand-boxing announcement, instead of simply having flash installed and using the browser I prefer.

    • Carlos Gomes

      Safari on Windows is crappy, but on OSX… sweet lord, thank you!
      I just wish there were more browser plugins for it. A few times a week I have to rely on Chrome just because of that.

  • vs511

    Umm.. How do you watch YouTube videos?!

    • Carlos Gomes

      I believe that unless the video is really old and didn’t get converted, you can use HTML5 to play the videos with no problems at al

      • vs511

        Oh. I never even knew that was possible!

      • Ali David

        Not true at all. YouTube still uses Flash for their default settings and only have fully equipped HTML5 pages (video and modules) for beta testing.

      • Carlos Gomes

        What’s not true, then? I said that you could, not that it was the default setting…

  • Ishaan Malhotra

    Ios please!!

  • Ahmed

    I think Mavericks and Safari 7 have good control of Flash conents. So why bother to uninstall flash? It is better to use it on Safari instead of switching every time to chrome. Also, YT html5 player really sucks! you can’t move to a specific part of long videos without replaying the video from the beginning!

    • Falk M.

      Youtube in HTML 5 is absolutely horrible.
      I’m not a fan of flash and use Youtube A LOT every day, but I’m sticking to Flash because as ironic as it sounds: the experience is much better.

      (still shitty, but that’s partly Adobe’s / partly Google’s fault… *cough* buffering settings set by Youtube *cough*)

      • xSeriouSx

        Sounds like you’ve never heard of YouTube Center for Chrome…

      • Falk M.

        Indeed true, but why add just another plugin? I need Flash for other things as well, so in the end I have Flash and something else or not.

        Also, I use Safari, Chrome is just my secondary browser and it’ll stay that way ^^

  • Ali David

    Sarafi running a simple HTML5 website needs more resource than Chrome (with built in Flash) lol. You have no idea what you’re talking about.

    • Gaurav Rane

      Agreed.

  • disqus_gJy6FYV58g

    I had to buy Illustrator after being Adobe free for about a decade. I view it as a necessary evil. I would love to be free of Adobe’s Malware (and by that I mean their backward file system requirements and horrid install processes that fail more than they succeed), and their terrible treatment of paying customers. Adobe CSRs give bad advice (“make the /Library directory world writable”) and refuse to answer direct questions (“What files does it need write access to in the Library?” “I can’t tell you.”).

    But there is no App with the polish & clean .eps/.pdf output like Illustrator. There are other vector drawing apps out there, but once you take one
    of the generated eps or pdf files to a service bureau and you see the garbage output, you see why Adobe Illustrator is the only game in town.

    Also, none of the other apps can enable saving pdf form data like Acrobat Pro — currently all pdf “pro” apps that deal with forms only allow creation, but do not enable the ability for an end-user without acrobat to save data input into form fields (and most are slow and unstable). This means end-users have to print & scan or fax the output of PDF forms, which is pretty stupid when all you want is the few bytes of text they enter.

  • http://www.sohrob.com Sohrob Tahmasebi

    Had no idea you could run Flash within Chrome for Mac. Awesome! Now I can safely uninstall Flash once and for all.

  • uberfu

    Pixelmator is a sad excuse for what Photoshop is capable of. It works fine for those folks that need some basic photo editing capabilities with little skill.