As Chromebooks hit the market, users may be needlessly vulnerable to Flash-based exploits, according to a Kaspersky Lab researcher.
A fully updated Samsung Chromebook was running an outdated version of Adobe Flash Player, Roel Schouwenberg, a senior antivirus researcher on Kaspersky Lab, posted on the Securelist blog July 6. After some digging around, he discovered that Chromebook’s Flash wasn’t really outdated, but that it was running a customized version of Flash Player from everyone else.
Chrombook had Flash Player 10.2.158.26 but Adobe had already pushed out 10.3.181.34. Schouwenberg discovered that Google is using Chrome Flash Player Pepper as the default Flash renderer in its Chromebooks and it was being maintained and updated separately from the regular Flash Player.
“Google has gone through great lengths to secure ChromeOS itself, but security doesn’t stop there,” Schouwenberg said. The platform needs to be properly managed in order to stay secure.
Considering that Adobe Flash is a “very high-profile target,” users need to be able to easily figure out whether they have the latest version of the software or not. If Chromebooks continue running Pepper, there needs to be more documentation and information available that will inform users what security issues patched on the main Player have also been addressed in Pepper, Schouwenberg said.