The long, slow march of Adobe’s Flash technology off the web has reached another milestone with the debut of Google’s Chrome 55 web browser.
Over the last few years, Google has been slowly enacting elements of its plans to deprecate support for Flash in Chrome, in favor of HTML5 based media. In Chrome 42, which debuted in April 2015, Google made Flash content ‘click-to-play,’ requiring users to click a button before a flash file activates and disabling auto-play of flash content.
Now with Chrome 55, Google is making HTML5 the default for dynamic comment, instead of Flash. There is a major caveat though: not all sites have media available as HTML5 at this point. As such, Chrome 55 still supports flash and users can run it on some sites that provide flash, rather than HTML5, media content. Google Chrome users can configure which sites they want to allow Flash to run on with a new exceptions list in Chrome 55.
While Google is largely deprecating Flash support, Chrome still directly integrates Flash into the browser. Among the new updates in Chrome 55 is the latest Adobe Flash update which patches nine different security vulnerabilities.
In addition to the Adobe Flash update, Google Chrome 55 includes 36 security updates that were reported to Google by third party security researchers. Google has a bug bounty program that reward researcher for reporting security issues. Google first began to pay security researchers for responsibly disclosing flaws in Chrome in 2010 with the Chrome 220.127.116.11 stable release. In 2010, Google’s top payout was only $1,337. Since then Google has paid out millions in awards, and has also increased the amounts it pays researchers.
For the Chrome 55 update, Google is paying security researchers $64,000 in bug bounty rewards. The top award amount for Chrome 55 is $7,500, which Google is paying to three different researchers for five bugs. Security researcher Mariusz Mlynski is credited with reporting three different Universal CrossSite Scripting (XSS) flaws (CVE-2016-5208, CVE-2016-5207 and CVE-2016-5204), for which he is being awarded $7,500 per flaw, for the the tidy sum of $22,500.
Security researcher Rob Wu is also being awarded a $7,500 for a same origin bypass vulnerability in the PDFium library, identified as CVE-2016-5206. An anonymous researcher that discovered the CVE-2016-5205 Universal XSS issue rounds out the top award list for Chrome 55, also earning a $7,500 bounty.
Sean Michael Kerner is a senior editor at Datamation and InternetNews.com. Follow him on Twitter @TechJournalist