
I think you missed the point.

There's potentially a multi-day window of opportunity for Chrome to get hacked, because the malware authors can release new exploits before everybody gets around to restarting their Chrome to pick up the patched version.

So malware authors learn about the new Flash security bug thanks to Google's aggressive patching, and then have perhaps days to exploit it before people get around to restarting Chrome and before Adobe gets around to pushing out a new Flash update.

So Google is aggressive about releasing critical patches, but Chrome is lazy about restarting to receive critical patches.

Not sure what the best way to handle that would be. I would certainly like to receive the patch ASAP. For critical updates Chrome should alert the user with a dialog like "it's critical that Chrome restarts now to keep you protected". For people like me who leave their Chrome running for days at a time, that feature could make all the difference. I might even prefer an option to automatically restart my Chrome to get critical updates.




How is that any different to Adobe releasing a patch? Chrome updates a darn sight more often than Adobe products do. So surely this is a problem regardless of who releases?


Aren't Adobe's patches pushed to everybody and installed immediately upon reception? Without waiting for the user to manually accept or restart, I mean. I don't know for sure.

I think it's safe to say that Flash is buggy as hell, and we would all benefit from the immediate installation of critical patches. I don't think Chrome is doing this yet.


No, they aren't, that's my point. Neither Chrome nor Flash can expect patch pickup in the order of days - in fact, Flash updates (on Windows and OSX at least) require user intervention, whereas Chrome will do it at browser restart.

One of these is much more likely to occur than the other.

In any case, Chrome's update mechanism promises to get more users patched, quicker, than Flash. Waiting for Flash is nonsensical.


I don't think "nonsensical" is the word you want to use here. The majority of the world's susceptible Flash users are not running Chrome. You can reasonably assert that it's not Google's problem that their patch discloses the flaw without providing those people with a usable recourse from it, but it's harder to assert that it's not a problem at all.


My point is when there's a critical Flash update, Chrome doesn't notify me ASAP. So my Chrome might be open for days with a vulnerable Flash without me knowing that it's time to restart. This is why I check About Chrome almost daily (kind of an annoying obsession).

By comparison, on Windows and OSX when there's a Flash update, the user will be notified when the update arrives.

So Chrome delivers the Flash patch really fast, but then doesn't notify users that they need to get it.

And Adobe and Apple deliver the Flash patch slowly, but the user is notified.

Neither of these situations is ideal. What I want is fast arrival of the patch, plus notification. I guess I will look for a Chrome bug on this.


I dug around in the Chrome bug database a bit and learned:

Windows Chrome now has better update notification: http://crbug.com/27941

In April the update notification was further improved: http://crbug.com/71202#c24

OSX Chrome still needs better update notification: http://crbug.com/45147

There are different UI challenges on the Mac that have delayed the improvement there. No wonder I've been missing it.



