
Forum Thread: Chrome -- Pepper Flash version on Windows

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as locked.
secdroid Chrome -- Pepper Flash version on Windows
Member 13th Sep, 2013 19:47
Ranking: 0
Posts: 3
User Since: 13th Sep, 2013
System Score: N/A
Location: US
Windows Vista Home Basic -- Google Chrome 29.0.1547.66 m -- getting a "should never happen" error with downlevel Flash. Flash version should always be correct because Chrome manages Pepper Flash automatically. PSI 3.0 does not detect this issue.

Chrome -- Flash info via "chrome://plugins" with details --

Adobe Flash Player (2 files) - Version: 11,8,800,97
Shockwave Flash 11.8 r800
Name: Shockwave Flash
Description: Shockwave Flash 11.8 r800
Version: 11,8,800,97
Location: C:\Program Files\Google\Chrome\Application\29.0.1547.66\PepperFlash\pepflashplayer.dll
Type: NPAPI
Disable
MIME types:
MIME type Description File extensions
application/x-shockwave-flash Adobe Flash movie
.swf
application/futuresplash FutureSplash movie
.spl
Name: Shockwave Flash
Description: Shockwave Flash 11.8 r800
Version: 11,8,800,168
Location: C:\Windows\system32\Macromed\Flash\NPSWF32_11_8_800_168.dll
Type: NPAPI
Enable
MIME types:
MIME type Description File extensions
application/x-shockwave-flash Adobe Flash movie
.swf
application/futuresplash FutureSplash movie
.spl



mogs RE: Chrome -- Pepper Flash version on Windows
Expert Contributor 13th Sep, 2013 22:00
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Last edited on 13th Sep, 2013 22:01
@secdroid

I think if I've read your post right...what you're referring to is a problem with Flash when you are using Chrome?
That's the latest version of Stable Chrome and is reported as not vulnerable by psi.....if your programs are detected as patched and secure....no version of psi will be detecting anything else.
If you require more information displayed within psi regarding plug-ins....you'll need to change versions....to psi 2.0, which has a Secure Browsing feature....more specifically 2.0.0.3003 has the most complete SB feature.
Even then tho'....at the moment I'm using the same version Chrome 29....but whilst the SB feature shows it as being Safe for browsing.....the plug-in detail is minimal....

The following may be of interest to you....if not already aware of :
10/9/13 ( thereabouts)
http://googlechromereleases.blogspot.co.uk/
Flash Player Update
We are updating Flash Player to version 11.8.800.170 on Windows and Mac via our component update system (i.e. there will not be a Chrome update).

Release notes for the update can be found on Adobe's release notes page.

Anthony Laforge
Google Chrome


That update is already showing in my Canary platform 31.

Hope it's of help.....regards....mogs....

secdroid RE: Chrome -- Pepper Flash version on Windows
Member 13th Sep, 2013 22:24
Score: 0
Posts: 3
User Since: 13th Sep 2013
System Score: N/A
Location: US
Appreciate your thoughts.

Oddly enough, I upgraded from PSI 2.0 to 3.0 today. Neither 2.0 nor 3.0 caught the fact that stable Windows Chrome did not correctly update Flash.

My criteria are based on the following two posts --
"Flash Player Update" -- http://googlechromereleases.blogspot.com/2013/09/f...

which said --
"We are updating Flash Player to version 11.8.800.170 on Windows and Mac via our component update system (i.e. there will not be a Chrome update)....

Release notes for the update can be found on Adobe's release notes page"

and Adobe said at -- "September 10th, 2013.

Welcome to Flash Player 11.8 and AIR 3.8. In today's release, we've updated Flash Player and the AIR runtime and SDK with multiple stability and security related fixes." and....

"Flash Player Desktop (Chrome) 11.8.800.170"

at http://helpx.adobe.com/en/flash-player/release-not...

So, in my case, Google Chrome, even with fresh installs, is sticking with a downlevel version of Adobe Flash. My IE and Firefox versions of Flash are updated correctly, as PSI 2.0 did note. However, neither PSI 2.0 nor 3.0 caught the fact that Windows Chrome Pepper Flash was downlevel.

If I am mistaken in my understanding, please correct me.
mogs RE: Chrome -- Pepper Flash version on Windows
Expert Contributor 13th Sep, 2013 22:37
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@secdroid.

That's fine....I wasn't reading it right.
I think the point is tho' that tho' it's not yet been updated in Chrome...Flash is not vulnerable. Psi is a vulnerability scanner not a general update checker.

Hope it helps....regards....

secdroid RE: Chrome -- Pepper Flash version on Windows
Member 13th Sep, 2013 23:03
Score: 0
Posts: 3
User Since: 13th Sep 2013
System Score: N/A
Location: US
Again, I appreciate your perceptive comments.

I don't have the links to hand, but IIRC, this is at least the second time that this has been an issue. Chrome performs updates, but the Pepper Flash doesn't -- for some percentage of Windows users.

So, you are entirely correct -- Chrome is responsible for updating Pepper flash. Therefore, PSI merely needs to verify that Chrome has updated to the correct Chrome version -- as it has. If there is no "should never happen" Flash update error, PSI is doing the right thing. And yet, PSI is missing a Flash security exposure.

PSI is doing the "right" tests, but it is missing a problem that is affecting some percentage of Windows Chrome users. Flash is, in fact, downlevel. We all know that a downlevel Flash installation is a playground for malware.

In the best of all possible worlds, PSI would verify the version of the Pepper Flash, supposedly installed by either a Chrome version update, or *no* Chrome browser version update (i.e., a "silent" update) to be the correct Flash version, per published statements by Google and Adobe. (If you recall, the most recent Flash upgrade would not have changed the Chrome version number -- a "silent" upgrade.)

As it is, PSI is correctly tracking Chrome versions, but trusting that Google is managing Flash versions correctly. At least for some of us, Google is just not updating Flash correctly.
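The check described in the post above, written out as an added example (not part of the thread and not Secunia's or Google's code): it parses the `chrome://plugins` details from the opening post and compares the bundled Pepper Flash file against the 11.8.800.170 release quoted from Google and Adobe. The function names and the path-based "bundled" test are assumptions made for this illustration.

```python
import re

# Fixed Pepper Flash version named in the Chrome and Adobe notes quoted in the thread.
PUBLISHED_PEPPER = (11, 8, 800, 170)

# Constructed sample: opening post's chrome://plugins details, paths de-spaced, MIME/Type rows dropped.
SAMPLE = r"""
Name: Shockwave Flash
Version: 11,8,800,97
Location: C:\Program Files\Google\Chrome\Application\29.0.1547.66\PepperFlash\pepflashplayer.dll
Disable
Name: Shockwave Flash
Version: 11,8,800,168
Location: C:\Windows\system32\Macromed\Flash\NPSWF32_11_8_800_168.dll
Enable
"""

def parse_version(text):
    """'11,8,800,97' or '11.8.800.97' -> (11, 8, 800, 97), compared numerically."""
    return tuple(int(part) for part in re.split(r"[.,]", text.strip()))

def parse_plugins(dump):
    """Return one dict per 'Name:' block of the pasted plugin details."""
    entries = []
    for line in (raw.strip() for raw in dump.splitlines()):
        if line.startswith("Name:"):
            entries.append({"enabled": None})
        if not entries:
            continue
        if line in ("Disable", "Enable"):
            # Assumption: the link names the available action, so "Disable" = enabled.
            entries[-1]["enabled"] = line == "Disable"
        elif ":" in line:
            key, value = line.split(":", 1)
            entries[-1][key.strip().lower()] = value.strip()
    return entries

def audit(dump, minimum=PUBLISHED_PEPPER):
    """Per file: (name, version, bundled, enabled, downlevel or None if no baseline)."""
    rows = []
    for entry in parse_plugins(dump):
        version, location = parse_version(entry["version"]), entry["location"]
        bundled = "\\pepperflash\\" in location.lower()
        downlevel = version < minimum if bundled else None
        name = location.rsplit("\\", 1)[-1]
        rows.append((name, version, bundled, entry["enabled"], downlevel))
    return rows

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The system-wide NPAPI file gets `None` rather than a verdict because the only baseline the thread quotes is the Chrome-specific 11.8.800.170 build.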
Anthony Wells RE: Chrome -- Pepper Flash version on Windows
Expert Contributor 14th Sep, 2013 00:05
Score: 2428
Posts: 3,316
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi ,

My Chrome Frame Stable version 29.0.1547.66 is tracked by my PSI 2.0.0.3003 (as a browser , actually) and which is still not updated and retains PPAPI Flash version ...800.97.

My Dev Channel browser 31.0.1626.5 has Pepper Flash updated to ...800.170 ; but as a non-stable version it is not tracked by the PSI .

AFAIK , PF version...800.97 is vulnerable and is potentially dangerous .

My PSI has never tracked the embedded Pepper Flash on my Chrome Frame . It does track and display my Flash NPAPI loaded for Firefox and available to Chrome and as also seen in "Settings" as in the OP ; I think this is the version also showing in the Chrome display in "Secure Browsing" .

You may wish to disable your Pepper Flash in "Settings" until it is updated ; your browser should pick up your NPAPI installation from its win32 location .

The PSI tends not to track "embedded" components such as Chrome's Pepper Flash as you , the user , are not able to update it yourself . Quite a few people , myself included , consider this to be a rather poor state of affairs .

You can always mail support at support@secunia.com and ask whether they can/will track Pepper .

hope that is clear enuff' .

Anthony

--


It always seems impossible until its done.
Nelson Mandela
mogs RE: Chrome -- Pepper Flash version on Windows
Expert Contributor 14th Sep, 2013 08:22
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@secdroid

As I use the Chrome Canary build 31 more; which is not monitored by psi either.....tho' it's often more advanced.....I still do what Anthony suggests, and disable Adobe if I get an inkling/suspicion of vulnerability.
I regularly run the often daily updated Canary thro' Qualys Browser Check
https://browsercheck.qualys.com/ That having been done and having gotten "Congratulations".....Anthony has still alerted me to possible weaknesses....

I think we should at all times be mindful that psi is a free resource giving us additional intelligence to enable decisions. And Google has done a tremendous job in furthering browser security !!

Regards.....mogs.....

E.Jeppesen RE: Chrome -- Pepper Flash version on Windows
Secunia Official 16th Sep, 2013 11:54
Score: 220
Posts: 618
User Since: 24th Nov 2008
System Score: N/A
Location: Copenhagen, DK
If you wonder why a program (PepperFlash or any other program) is not detected by the PSI, you can always send us a software suggestion as described in the FAQ:
http://secunia.com/vulnerability_scanning/personal...
Make sure to include your email address so we can write back and let you know if the program has been added to our database or not. If the program is not added we will explain why.

Please note that when a program is bundled with another program it is usually considered a component of the main program and hence not added to our database as a separate program. So if Chrome bundles their own version of flash we will normally not detect the flash component. This is intentional and not a security concern because if the bundled flash component becomes vulnerable and can be exploited, then Chrome will be detected as vulnerable by the PSI once a patched version of Chrome is available.
Anthony Wells RE: Chrome -- Pepper Flash version on Windows
Expert Contributor 16th Sep, 2013 12:21
Score: 2428
Posts: 3,316
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hello Emil ,

In this case there is an added wrinkle in that it was decided to simply update PepperFlash without updating the Browser version ; a "Google" problem for "some" users has left "some" like myself without the update - mine is in Chrome Frame and does not give me a problem .

Only having the NPAPI and not including the PPAPI in "secure browsing" does not give the user a warning to consider their options/workarounds :eg: disable the Flash plug-in .

Will you be tracking the bundled IE10 Flash .ocx in Win8 ??

In view of the importance of Flash in security terms , I would suggest that , as an exception to your rules , both should be at least visible in "secure browsing" where the everlasting SA 47161 is still around . Seeing it and thereby its version N # in "scan results" would be even better and detected the current problem .

Take care

Anthony

--


It always seems impossible until its done.
Nelson Mandela
E.Jeppesen RE: Chrome -- Pepper Flash version on Windows
Secunia Official 16th Sep, 2013 12:36
Score: 220
Posts: 618
User Since: 24th Nov 2008
System Score: N/A
Location: Copenhagen, DK
@Anthony
Thank you for your comments and the points you are raising. As for your question regarding flash in IE10 I suggest you send us a software suggestion as described in my last post.
Maurice Joyce RE: Chrome -- Pepper Flash version on Windows
Handling Contributor 16th Sep, 2013 12:52
Score: 11615
Posts: 8,906
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 16th Sep, 2013 12:52
Flash in Windows 8 has always been catered for & should be showing.

All my Endpoints on SMB are correct as can be seen here:

https://1ncuig.bn1.livefilestore.com/y2pU8IRxr0p9R...

I have never noticed any errors with displaying Flash in IE8.



--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Anthony Wells RE: Chrome -- Pepper Flash version on Windows
Expert Contributor 16th Sep, 2013 14:38
Score: 2428
Posts: 3,316
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

@Emil ,

As I am on XP SP3 , not much chance of me suggesting IE10 :))) I don't even have the ActiveX for IE8 , saves hassle .

Hopefully , someone with the Chrome Browser Stable version will suggest the PepperFlash ; perhaps you could comment here further , as and when .

Take care

Anthony

--


It always seems impossible until its done.
Nelson Mandela
