Pepper Flash updates into %LocalAppData% even if Chrome is installed in %ProgramFiles%
Reported by
cr.hiest...@gmail.com,
Mar 21 2016
|
||||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36 Steps to reproduce the problem: 1. Install Chrome Enterprise (or standard) into %ProgramFiles% (all-user install) 2. Update Pepper Flash through chrome://components 3. Flash is updated in %LocalAppData%, not in the %ProgramFiles% location where Chrome EXE lives What is the expected behavior? Pepper Flash is updated where Chrome is installed, not in local user's appdata. What went wrong? When this update occurs, the Pepper Flash plugin is blocked by Software Restriction policies which do not allow execution within a user's local appdata. Chrome is installed for all users in %ProgramFiles% to avoid this issue and ensure executables outside of this area are blocked. Did this work before? No Chrome version: 49.0.2623.87 Channel: stable OS Version: 10.0 Flash Version: Shockwave Flash 21.0 r0 Flas Pepper updates that are not coupled with Chrome updates should still update the plugin within the %ProgramFiles% directory, or there should be a policy to prevent Pepper Flash from updating unless it is coupled with a Chrome update.
,
Mar 29 2016
Sorin, could you comment on whether it would be possible to change the Flash Pepper component updater to installation into different path?
,
Mar 31 2016
+wfh@ who I believe worked on making Pepper Flash correctly interoperate with the component updater in the scenario described in the bug (use the newer version of Flash from %LocalAppData% and %ProgramFiles%). My opinion is that it would be challenging at this time to update anything that requires elevation using the component updater. There is no silent elevator in Chrome that can give us the privilege to update component code in %ProgramFiles%. As a matter of principle, we always update everything that we ship and could be updated. I would not be in favor of allowing a programmatic way to do disable component updates for Pepper Flash. If needed, I could escalate this issue with chrome-security and other relevant groups. My concern is that it could be a significant security vulnerability if Chrome is allowed to load and activate an unpatched Flash component from %ProgramFiles%.
,
Mar 31 2016
,
Apr 5 2016
Please reopen and escalate if needed. We are not in favor of loading code that we can't update and there is no plan to silently update components that require elevation. |
||||
►
Sign in to add a comment |
||||
Comment 1 by bugdroid1@chromium.org
, Mar 21 2016