Feeds

Google updates Chrome Flash plugin for security, stability

Says it runs Flash content in Windows 8 better than IE10

Combat fraud and increase customer satisfaction

Just when you thought Adobe Flash was close to dying out on the web, none other than Google has stepped in to give the much-maligned rich media plugin a new coat of polish.

The latest stable version of the online ad-slinger's Chrome browser for Windows includes a redesigned version of the Flash plugin that Google reps say will not only make Flash content more stable and secure, but will allow Chrome to offer the best Flash user experience when browsing in whatever we're calling Windows 8's Metro mode now.

The new plugin ditches the ancient Netscape Plugin API (NPAPI) that web browsers have been using since Raquel Welch fought the dinosaurs, in favour of Google's home-grown Pepper Plugin API (PPAPI), which the search giant says offers improved security by isolating plugins inside their own protected "sandboxes" of memory.

"Windows Flash is now inside a sandbox that's as strong as Chrome's native sandbox, and dramatically more robust than anything else available," Google software engineer Justin Schuh writes in a blog post detailing the change.

In addition, he says, the move to PPAPI has made the Flash plugin more stable and allows it to take advantage of more of the advanced capabilities of modern browsers, such as Chrome.

"By eliminating the complexity and legacy code associated with NPAPI, we've reduced Flash crashes by about 20 per cent," Schuh writes. "We can also composite Flash content on the GPU, allowing faster rendering and smooth scrolling (with more improvements to come)."

Schuh says NPAPI was designed at a time when browser plugins were evolving rapidly to provide a wide range of capabilities. Because of this, NPAPI is a thin API that gives plugins lots of access to underlying OS features. But that flexibility also makes it insecure, which is why NPAPI plugins have been banned from the Windows 8 Start Menu environment, formerly known as Metro.

PPAPI doesn't allow plugins anywhere near the level of unfettered access to system resources that NPAPI does, which is why PPAPI plugins – including the new Flash plugin – will be able to run inside the Metro-style version of Chrome.

Contrary to early reports, Flash content will be viewable in the Metro-style version of Internet Explorer 10, but only if it meets Microsoft's compatibility guidelines. In addition to constraining the design of Flash content, those guidelines also exclude certain Flash APIs, including access to cameras, microphones, and printing.

Because of this, Schuh says, the Metro version of Chrome will be "the only way to use all Flash features on any site in Windows 8 Metro mode."

That excludes Firefox, too. Although Mozilla developers having been working on a similar plugin sandboxing feature, they say they are "not interested in or working on Pepper at this time," meaning Firefox won't be able to share Google's PPAPI Flash plugin.

Chrome updates are installed automatically and the Flash plugin comes bundled with the browser, so all current Chrome users on Windows should already have the new version of the plugin installed. Linux users have actually had it since the previous stable version of Chrome, and Schuh says a Max OS X version is coming. ®

Bootnote

Oh, and about those rumors of Flash's death? Mark Twain might have had something to say about them. According to a blog post by Google software engineer Carlos Pizano, when the online ad-slinger analyzed data from Chrome users, fully 99.9 per cent had fired up the Flash plugin at least once in the past 28 days.

By comparison, only 58 per cent had used Chrome's PDF viewer, 26 per cent had used Microsoft's Silverlight plugin, 12 per cent had used Java, and just 4 per cent had used Apple QuickTime.

SANS - Survey on application security programs

More from The Register

next story
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Oh no, Joe: WinPhone users already griping over 8.1 mega-update
Hang on. Which bit of Developer Preview don't you understand?
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Internet-of-stuff startup dumps NoSQL for ... SQL?
NoSQL taste great at first but lacks proper nutrients, says startup cloud whiz
IRS boss on XP migration: 'Classic fix the airplane while you're flying it attempt'
Plus: Condoleezza Rice at Dropbox 'maybe she can find ... weapons of mass destruction'
Ditch the sync, paddle in the Streem: Upstart offers syncless sharing
Upload, delete and carry on sharing afterwards?
New Facebook phone app allows you to stalk your mates
Nearby Friends feature goes live in a few weeks
Microsoft TIER SMEAR changes app prices whether devs ask or not
Some go up, some go down, Redmond goes silent
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.