New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 596563 link

Starred by 2 users
Status: WontFix
Owner:
sorin@chromium.org
Closed: Apr 2016
Cc:
emaxx@chromium.org
wfh@chromium.org
dskaram@chromium.org
waff...@chromium.org
saswat@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug



Sign in to add a comment

Pepper Flash updates into %LocalAppData% even if Chrome is installed in %ProgramFiles%

Reported by cr.hiest...@gmail.com, Mar 21 2016 
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36

Steps to reproduce the problem:
1. Install Chrome Enterprise (or standard) into %ProgramFiles% (all-user install)
2. Update Pepper Flash through chrome://components
3. Flash is updated in %LocalAppData%, not in the %ProgramFiles% location where Chrome EXE lives

What is the expected behavior?
Pepper Flash is updated where Chrome is installed, not in local user's appdata.

What went wrong?
When this update occurs, the Pepper Flash plugin is blocked by Software Restriction policies which do not allow execution within a user's local appdata. Chrome is installed for all users in %ProgramFiles% to avoid this issue and ensure executables outside of this area are blocked. 

Did this work before? No 

Chrome version: 49.0.2623.87  Channel: stable
OS Version: 10.0
Flash Version: Shockwave Flash 21.0 r0

Flas Pepper updates that are not coupled with Chrome updates should still update the plugin within the %ProgramFiles% directory, or there should be a policy to prevent Pepper Flash from updating unless it is coupled with a Chrome update.
Project Member

Comment 1 by bugdroid1@chromium.org, Mar 21 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/autotest/+/0cdee012f6c051753483cd614a891977303e405c

commit 0cdee012f6c051753483cd614a891977303e405c
Author: Chung-yih Wang <cywang@google.com>
Date: Mon Mar 21 16:34:47 2016

Temporarily disable video_ChromeRTCHW{Decode|Encode}Used on veyron

The patch disables these two autotests on veyron_speed and veyron_minnie-cheets
temporarily before the issue got fixed.

BUG=chromium:595274
BUG= chromium:596563 
TEST=Lock DUT; test pass.

Change-Id: Ie7b2993ae43c596dd86d1bed909436bde2f8ffa2
Signed-off-by: Chung-yih Wang <cywang@google.com>
Reviewed-on: https://chromium-review.googlesource.com/334170
Reviewed-by: Aviv Keshet <akeshet@chromium.org>
Reviewed-by: Todd Broch <tbroch@chromium.org>
Tested-by: Todd Broch <tbroch@chromium.org>

[modify] https://crrev.com/0cdee012f6c051753483cd614a891977303e405c/client/site_tests/video_ChromeRTCHWDecodeUsed/video_ChromeRTCHWDecodeUsed.py
[modify] https://crrev.com/0cdee012f6c051753483cd614a891977303e405c/client/site_tests/video_ChromeRTCHWEncodeUsed/video_ChromeRTCHWEncodeUsed.py

Comment 2 by emaxx@chromium.org, Mar 29 2016

Cc: saswat@chromium.org dskaram@chromium.org emaxx@chromium.org
Owner: sorin@chromium.org
Sorin, could you comment on whether it would be possible to change the Flash Pepper component updater to installation into different path?

Comment 3 by sorin@chromium.org, Mar 31 2016 

+wfh@ who I believe worked on making Pepper Flash correctly interoperate with the component updater in the scenario described in the bug (use the newer version of Flash from %LocalAppData% and %ProgramFiles%). 

My opinion is that it would be challenging at this time to update anything that requires elevation using the component updater. There is no silent elevator in Chrome that can give us the privilege to update component code in %ProgramFiles%.

As a matter of principle, we always update everything that we ship and could be updated. I would not be in favor of allowing a programmatic way to do disable component updates for Pepper Flash. If needed, I could escalate this issue with chrome-security and other relevant groups. 

My concern is that it could be a significant security vulnerability if Chrome is allowed to load and activate an unpatched Flash component from %ProgramFiles%.

Comment 4 by sorin@chromium.org, Mar 31 2016

Cc: waff...@chromium.org wfh@chromium.org
Components: Internals>Installer>Components

Comment 5 by sorin@chromium.org, Apr 5 2016

Status: WontFix (was: Unconfirmed)
Please reopen and escalate if needed.
We are not in favor of loading code that we can't update and there is no plan to silently update components that require elevation.

Sign in to add a comment