Google Chrome developers, with help from Adobe, improved the sandboxing of the browser’s Flash plugin.
To enable the improved sandboxing, the developers ported the Flash Player plugin from the older Netscape Plugin API (NPAPI) to Google’s Pepper Plugin API (PPAPI) architecture, which Google developed specifically to allow the implementation of advanced features such as sandboxing and hardware graphics acceleration. These improvements are now enabled by default in the Windows version of the browser.
Porting the plugin from the older NPAPI architecture to the Pepper API enabled developers to make the changes needed to improve the sandboxing of the Flash plugin, officials said in a post on the official Chromium blog. The limitations of NPAPI had reached a point that “hamstrung future improvements.” With the Pepper API, the Flash plugin receives protection similar to that of tabs and plugins isolated by Chrome’s native sandbox.
Google says that this protection is “dramatically more robust than anything else available,” especially as Flash does not implement Address Space Layout Randomization (ASLR). Google said that since the stable Chrome update, all Windows users, including those on Windows XP, now benefit from the new capabilities.
The Linux version of Chrome with bundled Flash has been using the new API since the release of Chrome 20, and support for Mac OS X will “ship soon,” Google said.