Here's how to allow Chrome to run outdated plugins all the time (without warnings): You can disable this feature by adding the command line flag --allow-outdated-plugins.
Note: Chrome doesn't force you to use eg Adobe Reader X. Adobe Reader 8 and 9 are supported too, but they need to have all their security updates. Currently, that means Reader 8.2.6 or 9.4.2. If you have eg 9.4.1, you can update to 9.4.2 via Adobe Reader -> Check for updates.
In Windows:
Right click on your "Chrome" icon.
Choose properties
At the end of your target line, place these parameters: --allow-outdated-plugins
It should look like: chrome.exe --allow-outdated-plugins
As we previously mentioned, we believe that some of the most significant opportunities to increase user security revolve around plugins. We’ve made a number of improvements in this area, including actively encouraging users to update their plug-ins to the most secure version. Chrome now detects when a plug-in is out of date and blocks it with a simple infobar. This infobar helps guide the user towards updating their plug-in with the latest security fixes.
I'm glad to have contributed to the implementation of this feature -- a number of core Chrome engineers helped make it a reality. As for the secbrowsing extension, you don't need to, but you can keep it installed. It will continue to let you know when one of your plugins is out of date, even if you are not using it (In Chrome, the warning only appears when a website you visit requires one of your plugins that is out of date). This might be helpful for example if you use other browsers alongside Chrome, which don't prevent your from using out-of-date plugins.
As of yesterday, SecBrowsing was updated to point to version 12.0.1.633 of the RealPlayer plug-in for Windows, which is the latest version released by Real and addresses a security issue in Windows.
As of yesterday, SecBrowsing was updated to point to version 12.0.1.609 of the RealPlayer plug-in, which is the latest version released by Real and addresses security issues in many platforms.
I've verified this is the version reported by Real Player on Windows XP and Vista. If you happen to have RealPlayer Enterprise or Mac RealPlayer or Linux RealPlayer, and you are at the latest version, please let me know what version SecBrowsing detects for you, if any.
On Dec 1, 2010, Google developers Justin Schuh and Carlos Pizano announced the release of the first iteration of the security sandbox for the Adobe Flash plugin in Google Chrome (for Windows). It's currently on the dev-channel of Chrome, which is an unstable build targeted at users who like to browse on the edge.
How the security sandbox works
One of the basic concepts that the operating system provides is that of a process. A process has its own piece of memory, and is a concept quite familiar even to end users. On Windows, hitting Ctrl-Alt-Delete lists (some of) the running processes of the system at any time, and lets you "kill" a process that you think is misbehaving. Bugs and crashes in one process do not (usually) affect other processes.
Chrome uses multiple process: One for the browser (networking, cache, cookies, bookmarks, sync, among others), one per website renderer (HTML, JS, CSS parsing, javascript execution, actual rendering of the page in the screen), and one per plug-in such as Java and Flash.
Multiple processes in Chrome. 1 for the browser, 1 for Flash, and 1 per tab.
The immediate impact is that a crash or a slowdown in the renderer does not slow down the other renderers, or the main browser. In addition, one can use this to enhance a browser's security by asking the operating systems to restrict a process' access to the machine's resources.
For example, the tab renderer processes are not allowed to read or write to the disk or network of the computer. They may only talk to the browser process to request resources (images, html etc).
Traditionally, browser plugins were not restricted to what they can access on a computer. In fact, the reason plugins were adopted is because they provide access to resources the browser does not typically provide, such as video rendering or access to the webcam or raw network access. So, most plugins need to access the filesystem and the network, which makes them a security concern. Many plugins come with many security vulnerabilities, and taking over a plugin that has unrestricted access to the disk and network means one can easily force it to download and store malware on the machine.
This is exactly what the plugin sandbox tries to stop. I'm looking forward to the release of the Flash sandbox in the stable version, in all operating systems, and in other browsers such as Firefox.
Update: Google released a nice video that explains the sandbox as well as the importance of updating the plugins:
If your Flash version in Chrome is out-of-date, one of a few things could be happening:
You have not restarted Chrome in a while. If you just restart, you should get the latest version.
You are on the beta or the developer channel. If you don't know what this is, you are probably not on them. If you are, please wait a few days. Chrome will ask you to update itself. Sometimes Flash for dev channel is released a few days later than stable.
You are not using the bundled Flash plugin that ships with Chrome. Type "about:plugins" and then "Details" on the top-right. Find the Flash files you use, and enable the bundled Flash, which is typically the most up-to-date.
If you also use Flash in Firefox or Safari, use one of these browsers and get the latest version at http://get.adobe.com/flashplayer/.
A new version of Shockwave for Director was released today, with critical security fixes. SecBrowsing was just updated to point to the latest secure version, 11.5.9.615.
SecBrowsing was just updated to point to Adobe Reader 9.4.0, which was released a couple of days ago, and is available at http://get.adobe.com/reader/.
Many security vulnerabilities were fixed. The advisory from Adobe is available here: http://goo.gl/RCiD.
On Sep 20, 2010, Adobe released Flash Player version 10.1.85, with critical security fixes for all platforms.
SecBrowsing has been warning users since. Note that Chrome auto-updates the bundled Flash plugin automatically, all you have to do is restart it.
The release notes are here: http://support.apple.com/kb/HT4339. This release fixes a couple of vulnerabilities (CVE-2010-1818 and CVE-2010-1819), at least one of which was seen being exploited for a few days.
