Adobe's new partnership with Google will keep Internet users safer because Chrome will automatically update Flash Player without first asking users, an Adobe director of engineering said.
On Tuesday, the two companies announced that Google will include Adobe's Flash Player in downloads of Chrome, starting with the rough-around-the-edges builds of the browser's "dev" channel. Google will also employ Chrome's auto-updater to push Flash fixes to users without notifying them or asking them to approve the download.
The integration, particularly the automatic updating of Adobe's plug-in, is a first for a browser maker.
"If you want to have a safe experience, updates should just happen in the background," said Paul Betlem, senior director of Flash Player engineering at Adobe.
Unlike other browsers, Chrome updates itself automatically in the background without asking for permission or prompting users when security fixes or new features are available. The practice, which Google debuted alongside Chrome in September 2008, riled some users initially, but the criticism soon faded.
Other browsers, however, did not follow suit.
"Google uses a unique approach," Betlem said. "They don't ask users [for permission to update], they just do it. If you can appreciate that model, then it gives users a more secure experience. And Google recognizes that plug-ins are a part of that experience, and that they should be updated the same way."
Adobe will build customized binaries of Flash Player for Google to include with Chrome downloads; the browser will install the plug-ins as part of its own installation process. Adobe will also hand binaries of Flash updates -- major upgrades as well as the more frequent security updates to patch vulnerabilities -- to Google, which will feed them into its update mechanism.
"It's another way of distributing updates," in addition to current methods, which include Flash Player's built-in update notification and users' ability to manually download updates, said Betlem. The former is available only on Windows, however. Mac OS X users, for example, must either manually download and install an update or wait for Apple to update the operating system.
Betlem said Adobe has not approached other browser makers, such as Microsoft or Mozilla, to pitch the same deal to them. "But we would be open to talks if it makes sense," he said.
Keeping plug-ins, especially Flash, up to date is not only a problem for many users, but also important in warding off attackers. Adobe issued Flash patch updates five times in 2009 and has done so twice so far this year.
In fact, when Mozilla introduced a tool last year that checks for outdated Firefox plug-ins, it started with Flash Player, citing statistics that said eight out of 10 users were running a vulnerable version.
Mozilla did not respond to a request for comment on the Chrome-Flash update strategy.
Google and Adobe are also talking about how to extend Chrome's sandbox defenses to Flash as another way to boost the plug-in's security. Chrome's sandboxing isolates processes from each other and the rest of the machine, preventing or hindering malicious code from escaping the browser to wreak havoc or infect the computer with malware.
"We haven't done a lot yet, but we are talking about whether it makes sense to segment both our processes into a single sandbox," Betlem said.
He would not put a timetable on sandboxing Flash. "But it's a high priority and top of our list," Betlem said. The nearest he came to confirming a schedule was his reply, "I hope it's sooner," when asked whether an end-of-year deadline was likely.
Google plans to add Flash integration and auto-updating to the other Chrome channels -- "beta" and "stable" -- as quickly as it can, said Linus Upson, the company's vice president of engineering, in a blog post Tuesday.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.