Chrome 76 Dumps Default Adobe Flash Player Support | Threatpost

Google has launched the latest iteration of the Chrome browser for Windows, Mac and Linux, which drops default support for Adobe Flash Player and comes with more than 40 security fixes.

Plans to deprecate Adobe Flash in Chrome have been brewing for years, and Chrome 76 takes an official first step by turning off Flash Player by default; users can still manually turn it on in their settings. The plans fit into Google’s previously announced road map, which has a goal of ultimately killing off Adobe Flash support in December 2020.

“In Chrome 76 and later, Flash Player is turned off by default,” according to Google. “Users can manually switch to ‘ask first before running Flash,’ without impacting policy settings that you set for Flash.”

Google is only the latest to take steps in pulling the plug on Flash support, following Adobe’s announcement in July 2017 that it will no longer update or distribute Flash Player as of the end of 2020. Flash is known to be a favorite target for cyberattacks, particularly for exploit kits, zero-day attacks and phishing schemes.

The end-of-life announcement prompted browser makers to turn off default Flash Player support: Mozilla also announced it will kill default support for Adobe Flash in Firefox 69 (to be released Sept. 9). Microsoft, for its part, said it will disable Flash by default in Microsoft Edge and Internet Explorer in mid-to-late 2019, and will fully remove Flash from all Windows versions in 2020.

Google’s Chrome 76 has also addressed a recently discovered way that websites can detect if users are utilizing its “Incognito Mode,” a feature that is supposed to make browsing history, sessions and cookies private from others.

However, it was disclosed in June that the mode has been detectable by websites “for years” due to a FileSystem API implementation, according to Google Chrome developer Paul Irish. He said via Twitter that this meant that websites with paywalls could detect if a user was using Incognito Mode to bypass the paywall. In response, Google implemented the FileSystem API in a different way in Chrome 76, remediating the issue.

Chrome Incognito mode has been detectable for years, due to the FileSystem API implementation. As of Chrome 76, this is fixed.
Apologies to the “detect private mode” scripts out there. 💐

— Paul Irish (@paul_irish) June 11, 2019

In addition, Google’s latest Chrome version implements 43 new security fixes.

The most serious of the vulnerabilities is a high-severity use-after-free vulnerability (CVE-2019-5850) in the offline page-fetcher feature of the browser. Details about CVE-2019-5850, including its impact, are scant; but the flaw was reported by external researcher Brendon Tiszka as part of Google’s bug-bounty program.

Other high-severity vulnerabilities in the browser include a use-after-free flaw in PDFium (CVE-2019-5860); a memory corruption glitch in the “regexp length check” tool of the browser (CVE-2019-5853); and a use-after-poison in offline audio context (CVE-2019-5851).

“The Chrome team is delighted to announce the promotion of Chrome 76 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks,” according to Google’s Monday update page. “Chrome 76.0.3809.87 contains a number of fixes and improvements — a list of changes is available in the log.”