Sunday, August 22, 2010

Chrome's bundled Flash results in much faster update

Chrome's bundling of Flash resulted in a dramatic drop of out-of-date users after the latest update, according to our stats.

On Aug 10, 2010, Adobe released a security update for Flash. On the same day, Chrome shipped the security update to the bundled Flash plugin as well. SecBrowsing started warning about the new version of Flash, as well as the new version of the Quicktime plugin (7.6.7) on Aug 13, 2010.

We compared the number of users with up-to-date Flash, as well as the traffic to our site around the past two releases of Flash (10.1.82 on Aug 10 and 10.1.53 on June 10), and the difference is significant in both cases.

Visitors with out-of-date Flash


Graph 1: Percentage of users running out-of-date Flash on the last two security releases. For the latest release, within 2 days, fewer than 30% of Chrome users were running an out-of-date Flash.  In comparison, it took 14 days for this to happen in the previous release.

Total visitors

This method is less accurate, because many visitors came to the site because of either Flash or Quicktime (see below)  -- but the results are still significantly different than before. 



Graph 2: The relative traffic to our site around the two releases of Flash. For the first release (of 10.5.53), it took 16 days for traffic to come down to within 25% of normal, but for the latest one (of 10.1.82), only 6 days. This would have been even lower if there wasn't an update for Quicktime about on the same day (about 40% of Chrome users also have Quicktime installed).  


Notes

We track visits to http://secbrowsing.appspot.com/. 98% of the website's traffic is "direct", i.e. from users of the SecBrowsing extension (when the extension shows a warning, users click on the "red plugin" which brings them to the website). Neither the website nor the extension track the visitors' plugins, with the exception of Flash, which is tracked by Google Analytics by default. (tip: you can try to reproduce Graph 1 on your site, if you use Google Analytics).

The traffic to the site is very steady, except when a new plugin version is released. About 50% of visitors are new and 50% are returning, and this ratio has remained stable since the beginning of 2010.



Disclaimer
I work on Google's Security team -- the views expressed on this blog are personal. 
Posted by