Chromium's "safe-plugins" switch

I was wondering about the effectiveness of using the safe-plugins switch with Chromium and how well, if at all, it mitigates exploits in plugins such as flash. For those who don't know, this switch enables Chromium to sandbox your plugins as well.

For example, Adobe has yet again issued an advisory for flash and reader.
http://www.adobe.com/support/security/advisories/apsa10-03.html

Any input?

Thanks

 

Google Chrome already bundles a specialized version of the Adobe Flash Player in Chrome 5+ that it automatically sandboxes. The --safe-plugin switch would be used to tell Chrome to sandbox the other 3-rd party plugins that you install on your computer.

I believe (but am not certain), that Chrome would stop this latest Flash Player bug from succeeding in touching things outside of it's sandbox since I haven't heard anything about a sandbox bypass.

Edit: You need to add the --safe-plugins switch to Chrome to force the bundled Flash Player into a sandbox. The sandbox is not on by default for the plugin. Therefore, Chrome is vulnerable by default. You can test to see if the Flash Player is sandboxed by going to a site like http://converticon.com/ and trying to open a system file through Flash. The sandboxed plugin will do nothing.

 

where is this safe-plugins switch located?

 

On a Google Chrome/Chromium shortcut on Windows:

[1] Right-click->properties
[2] In the target field, add --safe-plugins so it looks something like:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --safe-plugins

[3] Replace your other Google Chrome shortcuts likewise (ie: the one pinned to your taskbar)
[4] Restart your browser

 

Re. the safe-plugin switch...

Any idea why running plugins sandboxed was not the default? Wouldn't that make more sense? Is it more CPU-intensive?

Does this step also take care of extensions or just the listed plugins?

 

Plugins are not sandboxed by default because it can break some of their functionality. For example, after forcing plugins into sandboxes, Flash can no longer upload files from your hard drive to say an online photo editor because the access is denied.

Regular Google Chrome extensions do not have native code plugins so the --safe-plugins switch does not affect them. Extensions that have NPAPI plugins like IE Tab would have their NPAPI plugins sandboxed after the switch is included.

 

Thanks for clearing that up!

 

Just wanted to add to this thread.

Chrome will automatically sandbox it's included flash plugin in upcoming releases. It should already do this in the latest Canary build.

http://src.chromium.org/viewvc/chrome?view=rev&revision=66022




On another note, I wanted to mention about Doritoes comment about the --safe-plugins switch not affecting extensions. I was playing with ProcessExplorer and enabled the Integrity status column.

As you can seen in my first screenshot, not including the main Chromium process, there are a few processes running with Medium integrity. Those three happen to be extensions. This is with safe-plugins disabled.

In the second screenshot, you can see that they are now all running with Low integrity. This is with safe-plugins enabled.

I guess that means regular extensions are affected? These particular extensions do not have NPAPI plugins. For example, one of these plugins was "Yet Another Drag and Go".


Either way, I thought this was interesting. I love the idea of my tabs, plugins, and extensions running with low integrity.


Back to the topic on sandboxed flash, I gave it a try with safe-plugins disabled and flash does indeed run with low integrity (i.e sandboxed)