The Google Chromebook is being delivered with an outdated version of the Adobe Flash Player.
According to Roel Schouwenberg, senior anti-virus researcher at Kaspersky Lab, his ‘fully updated Chromebook is running an outdated version of Flash and there's no way to update it'. To ensure this was not an error, he had triple-checked the system.
He said: “Google claims Chromebooks are so secure they don't need anti-malware. Such a statement obviously got me interested in the system's defences. This doesn't bode well for Google's security boast. ChromeOS is supposed to be all about being able to trust Google to take care of security for you.
“Google has gone through great lengths to secure ChromeOS itself, but security doesn't stop there. A platform needs to be properly managed if it intends on being and staying secure.
“With ChromeOS/Chromebook there are no excuses, especially when Chrome has been receiving updates for Flash early. Google will need to step up if it wants to turn ChromeOS into a successful platform.”
Informing Google of the issue, Schouwenberg said that it responded by saying that it's ChromeOS is running a special version of Flash that has all relevant security patches.
He said: “Adobe got back to me today saying that Flash Player version 10.2.158.27 is the latest version of Flash for Chromebooks. This patch was pushed out yesterday after my blog post went live.
“Currently we don't know what's fixed with the latest build. Some sources are claiming at version 10.2.158.26 already contained all the security fixes. We're waiting for final confirmation from Adobe on this matter. This brings us to another question though - Why is ChromeOS being updated in the Flash 10.2 branch? Going by Adobe's own documentation 10.2.x.x should still contain certain unpatched vulnerabilities.”
He said that the answer is ‘Pepper Flash', a custom version of Flash which is the default Flash renderer in ChromeOS. “As I said, we're still awaiting final word from either Adobe or Google with regards to the security status of Pepper Flash 10.2.158.26,” he said.
“Either way, now that Chromebooks have officially hit the market, better documentation is needed. With Adobe Flash being a very high-profile target, consumers should be able to easily figure out if they're running the latest version or not.”
An update revealed that Google informed Kaspersky Lab that Pepper Flash 10.2.158.26 did include all relevant security updates.