While the Google engineers seemed to acknowledge that a bug in Flash was involved in Vupen's exploit, they also defended the sandbox technology -- meant to isolate Flash from the rest of the computer -- even as it apparently failed to prevent an attack.
"The Flash sandbox blog post went to pains to call it an initial step," said Evans. "It protects some stuff, more to come. Flash sandbox [does not equal] Chrome sandbox."
The blog Evans referred to was published in December 2010, where Schuh and another Google developer, Carlos Pizano said, "While we've laid a tremendous amount of groundwork in this initial sandbox, there's still more work to be done."
Chrome's Flash sandbox is currently available only in the Windows version of the browser; Google has promised to implement it in the Mac and Linux editions, but has not yet done so.
While Bekrar later hinted that Vupen's exploit did leverage a Flash vulnerability, he said the attack code also took advantage of at least one other bug. "[Chrome's] built-in plug-ins such as Flash are launched inside the sandbox which was created by Google, so finding and exploiting a Flash or a WebKit vulnerability will fall inside the sandboxes and will not circumvent it," he wrote. "A sandbox bypass exploit is still required."
Chrome has a reputation as a secure browser, in large part because of its sandbox technology. Chrome is the only browser to have escaped unscathed at the last three Pwn2Own hacking contests, the annual challenge hosted by the CanSecWest conference in Vancouver, British Columbia, and sponsored by HP TippingPoint's bug bounty program.
In March 2011, no one took on Chrome at Pwn2Own, even though Google had offered a $20,000 prize to the first researcher who hacked the browser and its sandbox.
Sign up for CIO Asia eNewsletters.