
Security researcher circumvents Adobe Flash Sandbox


An information security researcher has developed a way to bypass one part of the sandbox that Adobe (NASDAQ: ADBE) designed to protect the underlying operating system. In this instance, Microsoft (NASDAQ: MSFT) researcher Billy Rios was able to transmit local data read by a Flash applet over the network. The attack vector isn't rocket science, either: it involves nothing more than using a protocol handler to pass the data to a remote server.

In a blog post detailing his findings, Rios described how the file:// request is the simplest way to bypass the sandbox of a SWF loaded from the local file system. At the heart of the problem is Adobe's decision to prevent network access by using blacklists to block specific protocol handlers. This is a flawed approach, and as Rios wrote, "If we can find a protocol handler that hasn't been blacklisted by Adobe and allows for network communication, we win."
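The gap between the blacklist approach described above and a default-deny allowlist, as an added example that is not from Rios's post or Adobe's code. The scheme lists, the `unlisted-handler` scheme and the `collector.example` host are constructed placeholders, and the empty-host rule for `file:` is an assumption about what "local only" should mean.

```javascript
// Added illustration: constructed lists, not Adobe's actual blacklist.
const DENYLIST = new Set(["http:", "https:", "ftp:"]); // schemes the policy author thought of
const ALLOWLIST = new Set(["file:"]);                  // schemes local content actually needs

// Parse with the WHATWG URL parser so scheme case and padding are normalized.
function parseTarget(target) {
  try { return new URL(target); } catch { return null; }
}

// Default-allow: every scheme that is not explicitly listed gets through.
function denylistPermits(target) {
  const u = parseTarget(target);
  return u !== null && !DENYLIST.has(u.protocol);
}

// Default-deny: only listed schemes pass, and file: only without a host
// component (assumption: a file URL naming a host is not a local read).
function allowlistPermits(target) {
  const u = parseTarget(target);
  if (u === null || !ALLOWLIST.has(u.protocol)) return false;
  return u.hostname === "";
}

// Requests the denylist lets out that a default-deny policy would stop.
function policyGaps(targets) {
  return targets.filter((t) => denylistPermits(t) && !allowlistPermits(t));
}

// Constructed sample requests from a locally loaded applet.
const SAMPLE = [
  "file:///C:/Users/alice/notes.txt",          // genuine local read
  "http://collector.example/upload",           // listed, blocked by both
  "HTTP://collector.example/upload",           // case variant, normalized
  "file://collector.example/share/drop",       // file: with a host component
  "unlisted-handler://collector.example/drop", // hypothetical unlisted scheme
];

for (const t of SAMPLE) {
  console.log(t, "| denylist:", denylistPermits(t), "| allowlist:", allowlistPermits(t));
}
console.log("gaps:", policyGaps(SAMPLE));
```

Every entry reported by `policyGaps` is a request the blacklist never anticipated; the allowlist needs no update when a new handler is registered on the system.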

To be sure, the issue affects only local Flash files that have to be manually launched by the user. As such, Adobe has classified the issue as "moderate," and says that it will be addressed in a future version of Adobe Flash Player. If anything, this is a somber reminder that sandboxes aren't necessarily foolproof.
