
New Chromebook, Old Flash Player

Roel
Kaspersky Lab Expert
Posted July 06, 19:37  GMT
Tags: Google, Adobe

This week my Samsung Chromebook finally arrived. My interest in this platform had been especially piqued after my colleague Costin Raiu's excellent analysis following the Chromebook's introduction.

Google claims Chromebooks are so secure they don't need anti-malware. Such a statement obviously got me interested in the system's defenses.

Imagine my surprise when I was confronted with the following:

My fully updated Chromebook is running an outdated version of Flash and there's no way to update it. To make sure this wasn't an error, I triple checked if the system was really up to date.

This doesn't bode well for Google's security boast. ChromeOS is supposed to be all about being able to trust Google to take care of security for you.

Google has gone to great lengths to secure ChromeOS itself, but security doesn't stop there. A platform also needs to be properly managed if it is to become and stay secure.

When it comes to managing the security aspect of the Android platform, Google is having some very serious problems. But Android is not marketed as being truly secure.

With ChromeOS/Chromebook there are no excuses, especially since Chrome itself has been receiving Flash updates early. Google will need to step up if it wants to turn ChromeOS into a successful platform.

We've reached out to Google to inform them about this issue.

UPDATE: It turns out that ChromeOS runs a special build of Flash. Despite its version number, this build did have all relevant security patches.


3 comments


lpine

2011 Jul 07, 00:59

Compatibility update

The Flash update you cite is a compatibility update. While it would be nice if you were running the latest version of Flash, according to Adobe there are no security changes between 26 and 34.

http://kb2.adobe.com/cps/901/cpsid_90194.html#main_10.3.181.34

Edited by lpine, 2011 Jul 07, 01:09


Roel

2011 Jul 07, 01:35

RE: Compatibility update

The Chromebook is running 10.2.158.26, not 10.3.x.
So, per http://www.adobe.com/support/security/bulletins/apsb11-13.html the Chromebook is missing security updates.

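The disagreement in the two comments above comes down to how version strings are compared: looking only at the last component ("26 and 34") hides that 10.2.158.26 is a whole minor release behind 10.3.181.x. The following is an added example, not code from the post or its commenters, that compares dotted versions component by component and reports whether an installed build meets a patched baseline; the baseline 10.3.181.26 is an assumption taken from the thread's own numbers, not a value quoted from Adobe's bulletin.

```python
"""Compare dotted Flash Player version strings component by component."""
from typing import Tuple

# Versions quoted in the post and the comment thread.
CHROMEBOOK_FLASH = "10.2.158.26"   # what the fully updated Chromebook reported
# Assumed baseline: the lower of the two builds lpine's comment contrasts
# ("26 and 34"); the thread does not quote the bulletin's own fixed version.
ASSUMED_PATCHED_BASELINE = "10.3.181.26"
COMPAT_UPDATE = "10.3.181.34"      # described by lpine as compatibility-only


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.2.158.26' into (10, 2, 158, 26); reject anything else."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1 if a < b, 0 if equal, 1 if a > b.

    Missing trailing components count as 0, so '10.3' == '10.3.0.0'.
    Components are compared as integers, never as strings, so '10.10'
    correctly sorts after '10.9'.
    """
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def is_at_or_above(installed: str, baseline: str) -> bool:
    """True when the installed build is the baseline or newer."""
    return compare_versions(installed, baseline) >= 0


def assess(installed: str, baseline: str = ASSUMED_PATCHED_BASELINE) -> str:
    """Plain-language verdict suitable for a patch-compliance report."""
    if is_at_or_above(installed, baseline):
        return f"{installed}: at or above baseline {baseline}"
    return f"{installed}: BELOW baseline {baseline}, missing security updates"


if __name__ == "__main__":
    for v in (CHROMEBOOK_FLASH, ASSUMED_PATCHED_BASELINE, COMPAT_UPDATE):
        print(assess(v))
```

As the post's UPDATE notes, a vendor may ship a specially built plugin whose version number does not line up with the public release train, so a version check like this is a first signal to follow up on, not a final verdict.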

cbyrd01

2011 Jul 07, 02:14

Flash vulnerability

@Roel
ChromeOS has a bunch of additional security design decisions to reduce the impact from vulnerable code.

There are two vulnerabilities in Flash for Chrome between the two versions - one remote access and one universal XSS. There doesn't seem to be public exploit code for the universal XSS currently. However, there is public exploit code for CVE-2011-2110, including a Metasploit module.

It would be cool if you would try adapting the Metasploit module for Chrome on Linux and post if it's actually vulnerable.
