Flash safer in Chrome?

I read a review of Chrome
http://www.pcmag.com/article2/0,2817,2373860,00.asp
that implies that Google's implementation of Flash is safer because Flash is sandboxed and thereby limited in the damage that can be done. Any thoughts on how significant this is?

Thanks

 

What do you think?

 

I think I don't know enough about the inner workings of sandboxing, and about how malware works, to have a valid opinion. That's why I posted here, to get informed opinions.

 

Do you think it could be less safe? At least you can venture an opinion on that?

 

My question is "is it safer?". I think that says what I am interested in finding out.

 

Yes, it's safer. Google Chrome sandboxes Flash Player, making it more difficult for exploits against it to succeed. Not to mention that when a new Flash Player version comes out, you'll be automatically updated, because Google Chrome already comes with Flash Player. One less headache for many people.

 

That being said, I've yet to hear anyone state that "Chrome users are protected" when new Flash exploits are discovered, so I doubt it's doing much.

 

Chrome secures Flash in 3 ways:
1) They get developer preview versions of Flash before the release, which often contains patches before they've been released.
2) Chrome automatically updates Flash.
3) Chrome sandboxes Flash. It's been very effective with no exploits in the wild breaking through the sandbox.

If you run the PPAPI Flash (Pepper) it will run with Chrome's sandbox instead of the plugin sandbox. I think you can then run PPAPI flash in the renderer, which further restricts it to the renderer sandbox, which is very locked down. Not sure.

http://www.accuvant.com/sites/default/files/AccuvantBrowserSecCompar_FINAL.pdf
Page 67 starts with information on Google Chrome's plugin sandbox.

The Flash sandbox is not the Chrome sandbox:
http://www.theregister.co.uk/2011/05/09/google_chrome_pwned/
Here is an example of a security firm breaking the Flash Sandbox implemented by Chrome - it's never been seen in the wild.

 

Interesting that you bring Pepper into discussion. This isn't suppose to be part of Chromium, isn't it? I ask, because it's been lurking in my Chromium profile folder.

 

Yeah it's part of NaCli too I think.

 

IE9 and Firefox too.

 

Well, not exactly. That will come in 11.2 which will release soon.

 

@Funky, I think Firefox currently checks for updates each startup but it's handled by the browser. With 11.2 it'll be handled by Flash as well.

 

Okay, stupid question #1:

Is there a difference between *installed* versions of Chrome and portable versions with respect to Flash? The reason I ask is because I have the portable version of Chrome and it's showing 2 locations for Flash; the first is the "Chrome version" (...App\Chrome-bin\15.0.874.121\gcswf32.dll) and the second is the regular plugin for all other plugin-based browsers (...WINDOWS\system32\Macromed\Flash\NPSWF32.dll) and both show the identical version number (11.1.102.55).

Stupid question #2:

Does Chrome actually update its version of Flash *or* does Google release a new build of Chrome *each time* Flash is updated?

 

#1

If you have Flash plugin installed separately it might not be sandboxed - in fact I dont think it will be. Use the built in version to take advantage of the sandbox (in the chrome folder)

#2

It releases a new build of Chrome, however because they use prerelease versions they're usually ahead of the game anyways and don't need to update it every single time Flash updates.

 

I am in 11.2.202.121. It updated automatically from 11.2.202.95 in both browsers. These may be betas, but the function is already available and works well.

 

Thanks! I disabled the separately-installed Flash plugin that was appearing in Chrome.

That's sort of what I suspected - just curious as to why the "Chrome Flash plugin" had the same version number as the "all other browser Flash plugin".

 

Can anybody confirm that the built-in flash plugin is there in the 64 bit Chrome version for Windows? In the 64 bit Linux version it obviously is not.

 

How to tell if it's installed separately?
Best way is I don't recall doing it?

I see under chromelugins I see:

Flash - Version: 11,1,102,55
Shockwave Flash 11.1 r102

Is this the built in version?

 

I just installed chrome a few days ago, and I've not manually installled Flash. I see the same info. That seems to say it is the built in version.

 

If you open chrome://plugins/ and hit Details, you'll see what's the path of the plugin.