Flash safer in Chrome?

Discussion in 'other security issues & news' started by vincenzo, Dec 13, 2011.

Thread Status:
Not open for further replies.
  1. vincenzo

    vincenzo Registered Member

    Joined:
    Nov 28, 2005
    Posts:
    151
    I read a review of Chrome
    http://www.pcmag.com/article2/0,2817,2373860,00.asp
    that implies that Google's implementation of Flash is safer because Flash is sandboxed and thereby limited in the damage that can be done. Any thoughts on how significant this is?

    Thanks
     
  2. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    What do you think?
     
  3. vincenzo

    vincenzo Registered Member

    Joined:
    Nov 28, 2005
    Posts:
    151
    I think I don't know enough about the inner workings of sandboxing, and about how malware works, to have a valid opinion. That's why I posted here, to get informed opinions.
     
  4. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Do you think it could be less safe? At least you can venture an opinion on that?
     
  5. vincenzo

    vincenzo Registered Member

    Joined:
    Nov 28, 2005
    Posts:
    151
    My question is "is it safer?". I think that says what I am interested in finding out.
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, it's safer. Google Chrome sandboxes Flash Player, making it more difficult for exploits against it to succeed. Not to mention that when a new Flash Player version comes out, you'll be automatically updated, because Google Chrome already comes with Flash Player. One less headache for many people.
     
  7. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    That being said, I've yet to hear anyone state that "Chrome users are protected" when new Flash exploits are discovered, so I doubt it's doing much.
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Chrome secures Flash in 3 ways:
    1) They get developer preview versions of Flash before the release, which often contains patches before they've been released.
    2) Chrome automatically updates Flash.
    3) Chrome sandboxes Flash. It's been very effective with no exploits in the wild breaking through the sandbox.

    If you run the PPAPI Flash (Pepper) it will run with Chrome's sandbox instead of the plugin sandbox. I think you can then run PPAPI flash in the renderer, which further restricts it to the renderer sandbox, which is very locked down. Not sure.

    http://www.accuvant.com/sites/default/files/AccuvantBrowserSecCompar_FINAL.pdf
    Page 67 starts with information on Google Chrome's plugin sandbox.

    The Flash sandbox is not the Chrome sandbox:
    http://www.theregister.co.uk/2011/05/09/google_chrome_pwned/
    Here is an example of a security firm breaking the Flash Sandbox implemented by Chrome - it's never been seen in the wild.
     
    Last edited: Dec 13, 2011
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Interesting that you bring Pepper into discussion. This isn't suppose to be part of Chromium, isn't it? o_O I ask, because it's been lurking in my Chromium profile folder. :D
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yeah it's part of NaCli too I think.
     
  11. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,278
    IE9 and Firefox too.
     
  12. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,851
    Well, not exactly. That will come in 11.2 which will release soon.
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    @Funky, I think Firefox currently checks for updates each startup but it's handled by the browser. With 11.2 it'll be handled by Flash as well.
     
  14. prius04

    prius04 Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    1,238
    Location:
    USA
    Okay, stupid question #1:

    Is there a difference between *installed* versions of Chrome and portable versions with respect to Flash? The reason I ask is because I have the portable version of Chrome and it's showing 2 locations for Flash; the first is the "Chrome version" (...App\Chrome-bin\15.0.874.121\gcswf32.dll) and the second is the regular plugin for all other plugin-based browsers (...WINDOWS\system32\Macromed\Flash\NPSWF32.dll) and both show the identical version number (11.1.102.55).


    Stupid question #2:

    Does Chrome actually update its version of Flash *or* does Google release a new build of Chrome *each time* Flash is updated?
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    #1

    If you have Flash plugin installed separately it might not be sandboxed - in fact I dont think it will be. Use the built in version to take advantage of the sandbox (in the chrome folder)

    #2

    It releases a new build of Chrome, however because they use prerelease versions they're usually ahead of the game anyways and don't need to update it every single time Flash updates.
     
  16. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,278
    I am in 11.2.202.121. It updated automatically from 11.2.202.95 in both browsers. These may be betas, but the function is already available and works well.
     
    Last edited: Dec 15, 2011
  17. prius04

    prius04 Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    1,238
    Location:
    USA
    Thanks! I disabled the separately-installed Flash plugin that was appearing in Chrome.

    That's sort of what I suspected - just curious as to why the "Chrome Flash plugin" had the same version number as the "all other browser Flash plugin".
     
  18. tlu

    tlu Guest

    Can anybody confirm that the built-in flash plugin is there in the 64 bit Chrome version for Windows? In the 64 bit Linux version it obviously is not.
     
  19. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    How to tell if it's installed separately?
    Best way is I don't recall doing it?

    I see under chrome:plugins I see:

    Flash - Version: 11,1,102,55
    Shockwave Flash 11.1 r102

    Is this the built in version?
     
  20. vincenzo

    vincenzo Registered Member

    Joined:
    Nov 28, 2005
    Posts:
    151
    I just installed chrome a few days ago, and I've not manually installled Flash. I see the same info. That seems to say it is the built in version.
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    If you open chrome://plugins/ and hit Details, you'll see what's the path of the plugin.
     
Loading...
Thread Status:
Not open for further replies.