Google's Chrome now silently auto-updates Flash Player

Will make surfing safer, says Adobe

Adobe's new partnership with Google will keep Internet users safer because Chrome will automatically update Flash Player without asking users, an Adobe director of engineering said.

On Tuesday, the two companies announced that Google would include Adobe's Flash Player in downloads of Chrome starting with the rough-around-the-edges builds of the browser's "dev" channel. Google will also employ Chrome's auto-updater to push Flash fixes to users without notifying them or asking them to approve the download.

The integration, particularly the automatic updating of Adobe's plug-in, is a first for a browser maker.

"If you want to have a safe experience, updates should just happen in the background," said Paul Betlem, senior director of Flash Player engineering.

Unlike other browsers, Chrome updates itself automatically in the background without asking for permission or prompting users that security fixes or new features are available. The practice, which Google debuted alongside Chrome in September 2008 , riled some users initially, but the criticism soon faded.

Other browsers, however, did not follow suit.

"Google uses a unique approach," Betlem said. "They don't ask users [for permission to update], they just do it. If you can appreciate that model, then it gives users a more secure experience. And Google recognizes that plug-ins are a part of that experience, and that they should be updated the same way."

Adobe will build customized binaries of Flash Player for Google to include with Chrome downloads; the browser will install the plug-ins as part of its own installation process. Adobe will also hand binaries of Flash updates -- both major upgrades and the more frequent security updates to patch vulnerabilities -- to Google, which will feed them into its update mechanism.

"It's another way of distributing updates," said Betlem, in addition to current methods that range from users manually downloading updates to Flash Player's built-in update notification. The latter is available only on Windows, however. Mac OS X users, for example, must either manually download and install an update or wait for Apple to update the operating system.

Betlem said Adobe has not approached other browser makers, such as Microsoft or Mozilla, to pitch the same deal to them. "But we would be open to talks if it makes sense," he said.

Keeping plug-ins, especially Flash, up to date, is not only a problem for many users but also important to ward off attackers. Adobe issued Flash patch updates five times in 2009, and twice so far this year .

In fact, when Mozilla introduced a tool last year that checks for outdated Firefox plug-ins , it started with Flash Player, citing statistics that said eight out of 10 users ran a vulnerable version.

Mozilla did not respond to a request for comment on the Chrome-Flash update strategy.

Google and Adobe are also talking about how to extend Chrome's sandbox defenses to Flash as another way to boost the plug-in's security. Chrome's sandboxing isolates processes from each other and the rest of the machine, preventing or hindering malicious code from escaping the browser to wreak havoc or infect the computer with malware.

"We haven't done a lot yet, but we are talking about whether it makes sense to segment both our processes into a single sandbox," Betlem said.

He would not put a timetable to sandboxing Flash. "But it's a high priority and top of our list," Betlem said. The nearest he came to confirming a schedule was when he said, "I hope it's sooner," when he was asked if an end-of-year deadline was likely.

The dev channel versions of Chrome for Windows, Mac OS X and Linux can be downloaded from Google's site.

Google plans to add Flash integration and auto-updating to the other Chrome channels -- "beta" and "stable" -- as quickly as it can, said Linus Upson, the company's vice president of engineering, in a blog post Tuesday.

Gregg Keizer covers Microsoft , security issues, Apple , Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is .

Read more about networking and internet in Computerworld's Networking and Internet Knowledge Center.

Copyright © 2010 IDG Communications, Inc.

Bing’s AI chatbot came to work for me. I had to fire it.
Shop Tech Products at Amazon