Google had an impressive run going with Chrome: for four years running, hackers at the annual Pwn2Own contest in Vancouver failed to hack into the browser. On the other hand, Internet Explorer, Firefox, and Safari have all been hacked, sometimes repeatedly. That ended this year.

While all the other browsers were taken down as usual, there was something different about this year. Chrome was taken down twice at the event. The apparent cause is one we are all too familiar with, though: vulnerabilities within Flash, which is built into the browser itself.

Participants in the contest previously had been foiled by Chrome’s coding structure. Google’s browser uses a technique called “sandboxing”, where web content is executed within a contained area separate from operating system processes. This in turn makes it much more difficult for malicious code to gain control of the infected machine.

While Flash does run within Chrome’s sandbox, like other plugins, special features such as webcam and microphone access require Google to create some loopholes to give Flash the system access it needs. This opens up Chrome to the same attacks that have felled every other major browser, and that’s how Chrome’s unhackable streak ended.

Chaouki Bekrar and his team from Vupen Security were the first to break into Chrome, about one hour after the contest started. He wouldn’t discuss specifics, only offering that a “default” component let them in. And what’s one of those default components? Flash.

Google also sponsored a contest dubbed “Pwnium” inviting hackers to break into Chrome, and the browser was taken down again, this time by Sergey Glazunov. Within hours, Google was issuing a fix for the hole he found, which allowed the execution of arbitrary code. The fix is said to address issues with “UXSS and bad history navigation”; it does not appear this particular flaw was exploited through Flash.

In the simplest terms, Flash is an idea past its prime, now supplanted by native functionality built into HTML5. There’s no better argument for the death of Flash than the security issues it has caused (and presented) over the years. Now we have evidence that even the securest, most modern strategies in development are still being felled by this platform.

It’s time to put it to pasture, and it is just another reason to hate Flash — or heck, uninstall it altogether.

Updated: There is some discussion, including on our sister site Geek.com, that this could have been through a vulnerability in SQLite. We have yet to confirm the exact attack vector with Bekrar or Vupen Security.