Flash Player is finally sandboxed in Safari on Mavericks, says Adobe


Yours truly long ago stopped using the standalone Flash Player, so you can imagine I’m fairly puzzled that folks to this date continue to rely on Adobe’s plug-in. I know, if you’re into Flash games/apps and other Flash-authored content, there’s no escaping Adobe’s multimedia run-time.

Among the reasons I keep Flash miles away from my Macs: the instability, resource hoginess and excessive proneness to malware and other types of vulnerabilities and malicious attacks.

With this week’s release of Safari in OS X Mavericks, the Flash Player will now be protected by a new operating system feature called App Sandbox, Adobe announced Thursday…

Adobe Platform Security Strategist Peleus Uhley said in a blog post his company has “worked with Apple to protect Safari users on OS X”.

Safari users on OS X Mavericks can view Flash Player content while benefiting from these added security protections. We’d like to thank the Apple security team for working with us to deliver this solution.

App Sandboxing, as described by Apple, “provides a last line of defense against the theft, corruption, or deletion of user data if an attacker successfully exploits security holes in your app or the frameworks it is linked against”.

If you need more proof, Apple’s Mavericks features web page confirms that “Adobe Flash Player, Silverlight, QuickTime and Oracle Java plug-ins are sandboxed in Safari” on Mavericks.

Uhley details how Flash Player in Mavericks protects you from attacks:

For the technically minded, this means that there is a specific com.macromedia.Flash Player.plugin.sb file defining the security permissions for Flash Player when it runs within the sandboxed plugin process.

As you might expect, Flash Player’s capabilities to read and write files will be limited to only those locations it needs to function properly. The sandbox also limits Flash Player’s local connections to device resources and inter-process communication (IPC) channels.

Finally, the sandbox limits Flash Player’s networking privileges to prevent unnecessary connection capabilities.

And this from Apple’s Safari web page:

PDFs and widely used plug-ins like Adobe Flash Player, Silverlight, QuickTime and Oracle Java are sandboxed in Safari, which protects your system from harm should those plug-ins be exploited.

And in addition to blocking cookies, Safari enhances your privacy “by preventing third-party websites from leaving other types of data — such as plug-in, cache, and local storage data — that could be used to track you online,” Apple states.

Even better, you can dive deep into Safari’s settings and tell the browser to run only certain plug-ins on trusted websites, for added peace of mind.

Tell Safari which plug-ins are allowed to run on a per-website basis.

Mavericks also packs in some sophisticated power-saving technologies.

For example, Safari on Mavericks doesn’t waste resources by rendering content outside the focus of your browsing. And when web pages you visit contain plug-ins in their margins, Safari displays a preview of the plug-in content but waits until you click it before running it.


As for myself, I couldn’t care less about Adobe’s announcement.

My Macs have been and always will be Flash-free. Matter of fact, I removed every single piece of Adobe software from all of my computers three years ago and never looked back. And whenever I find myself in a situation that cries for Flash, I don’t install the system-wide Flash Player and instead fire up Chrome, which has the Flash plug-in built in.


Thanks, but no thanks – I use Pixelmator instead.


Aperture is my friend.

And so forth, and so forth…

Do you keep the Flash plug-in installed on your system?

What about other Adobe software?