The newly launched Safari 5.1 features sandboxing technology which promises to protect Mac OS X Lion users from web-based exploits that might try to infect them with malware.
In computer programming, sandboxing refers to the practice of isolating a process by placing it into a restricted environment. A sandboxed process usually communicates with the rest of the system through a broker.
For developers it's much easier to make sure that a small brokering process is vulnerability-free than to audit the hundreds of thousands of lines of code found in a browser's layout engine.
Safari becomes the second browser after Chrome to feature sandboxing, although unlike Chrome, Safari 5.1 is only sandboxed on the new Mac OS X Lion.
That's because Safari's sandbox relies on the sandboxing technology built into Apple's new operating system. Mac OS X has had a kernel-level sandbox for its core processes since Leopard, but this has been greatly enhanced and extended in Lion.
App developers can now easily sandbox their creations to mitigate the risks of vulnerabilities. The new Mac OS X version also adds privilege separation, where an application can open a separate process for each individual component that needs a particular privilege.
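As an added illustration (not code from the article or from Apple), the kernel-level sandbox described above is driven by a deny-by-default profile in Apple's Seatbelt language; the following hypothetical profile confines a helper process to reading one configuration file and talking to one service, which is the same confinement model Safari 5.1 applies to its web content process:

```scheme
;; Hypothetical Seatbelt profile (example, not shipped with Safari or Mac OS X).
;; Everything not explicitly allowed below is denied by the kernel.
(version 1)
(deny default)

;; Log denied operations so a defender can tune the profile instead of
;; silently breaking the confined process.
(debug deny)

;; The helper needs system libraries to start, but only read access to them.
(allow file-read* (subpath "/usr/lib"))
(allow file-read* (subpath "/System/Library/Frameworks"))
(allow file-read-metadata)

;; Only the one configuration file this helper is meant to read.
(allow file-read* (literal "/Library/Preferences/example-helper.plist"))

;; No file writes at all: a compromised helper cannot drop a payload.
;; (No allow rule for file-write*, so the default deny applies.)

;; Talk to exactly one remote service; every other connection is refused.
(allow network-outbound (remote tcp "example.com:443"))

;; No process-exec rule either, so the helper cannot launch other programs.
```

The profile would be applied with `sandbox-exec -f helper.sb /path/to/helper` for testing; in a shipping app the broker process, not the confined one, would hold the rights the profile denies.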
"Sandboxing is a security feature that helps prevent websites from tampering with your computer. All the web content and applications you use in Safari on Lion are sandboxed, so websites can't use exploits to access your system," Apple says in its Safari 5.1 announcement.
"If a website contains malicious code intended to capture personal data or take control of your computer, sandboxing automatically blocks it to keep your computer and your information safe," it explains.
Even though it is limited to Mac OS X Lion, the Safari sandbox is a significant security enhancement and reflects a trend of adopting such measures to make it harder for attackers to exploit vulnerabilities.
Another popular application that has been sandboxed, even if only on Windows, is Adobe Reader. Adobe's popular PDF client has included the technology since version X (10.0).