Google silently rolled out an update to Chrome which featured an unusual change, apparently one worthy of an announcement on the Chrome Blog: improved Adobe Flash plug-in sandboxing. The company claims its new method of fortifying Flash makes Adobe’s plug-in every bit as secure as Chrome’s native sandboxing techniques.
To harden Flash against would-be Chrome hackers, Google says it’s been working closely with Adobe to create a custom solution. This partnership has yielded a Flash plug-in which — if attacked — will confine a hacker’s exploits to a single Chrome process. Unless hackers discover a method to escape Google’s improved Chrome-Flash sandbox, the security measure will insulate the host operating system from virtually any threat posed by Flash.
Of course, if there is a way to escape Chrome’s newest Flash sandbox, hackers will find it eventually. Google actually counts on this though, utilizing its Pwnium contest as a way to transmogrify this inevitable truth into better Chrome security. Last year, controversial security firm Vupen was thought to have a working Flash sandbox exploit for Chrome.
Currently, Google awards Chrome hackers $60,000 for disclosing their zero-day recipes. Partial exploits and consolation-prize entries net those same security nerds a cool $40,000 or $20,000, respectively. Although exposing a Flash vulnerability on its own would only qualify for the $20,000 reward, escaping the sandbox which isolates the plug-in and using that vulnerability to attack the host operating system would most certainly qualify for the sixty grand.
The improved Flash sandbox has made its way to all platforms, including Windows, Mac OS, Linux and Chrome OS.