Last month, Google patched a critical Flash-based vulnerability that could allow hackers to circumvent Chrome's much-trumpeted sandbox. The update capped the maximum number of Flash JIT (just-in-time) code pages at a level meant to rule out foreseeable exploits. After the update rolled out on February 23, however, some Adobe Flash applications began inexplicably crashing with the status "0xABAD1DEA". Yep, that's "a bad idea" spelled in hexadecimal.
Justin Schuh, a Google software engineer, has confirmed that he added the 0xABAD1DEA breadcrumb: a humorous error code intended to mock anyone who tripped the newly added limit while trying to exploit the Flash module. The message may have been aimed at one particular group of security researchers, but more on that later.
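To make the mechanism concrete, here is a small C model of a JIT page budget that fails closed with the 0xABAD1DEA status once a caller exceeds its cap. This is an added illustration written for this page, not Chrome's or Adobe's code: the cap value, the `jit_budget` structure and the function names are assumptions, and the article does not state Chrome's real limit. The point it shows is the trade-off the article describes: the same guard that starves an attacker trying to fill memory with executable pages also fires for a legitimate, code-heavy Flash application, which is exactly the crash users saw.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Status values. The first is the one reported by the crashing Flash builds;
 * the second is an assumed local code for a plain mmap failure. */
#define JIT_ABAD1DEA 0xABAD1DEAu
#define JIT_ERR_MMAP 0x1u

/* Illustrative cap; Chrome's actual number is not given in the article. */
#define JIT_PAGE_CAP 64

typedef struct {
    size_t cap;            /* maximum pages this consumer may hold at once */
    size_t in_use;         /* pages currently mapped                        */
    uint32_t last_status;  /* 0 on success, JIT_ABAD1DEA once cap exceeded  */
} jit_budget;

void jit_budget_init(jit_budget *b, size_t cap) {
    b->cap = cap;
    b->in_use = 0;
    b->last_status = 0;
}

/* Map one RW page for code generation, or return NULL and record why. */
void *jit_page_alloc(jit_budget *b) {
    if (b->in_use >= b->cap) {
        b->last_status = JIT_ABAD1DEA;   /* fail closed: no page, magic status */
        return NULL;
    }
    long ps = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, (size_t)ps, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) {
        b->last_status = JIT_ERR_MMAP;
        return NULL;
    }
    b->in_use++;
    b->last_status = 0;
    return p;
}

/* Seal a filled page: RW becomes RX so it is never writable and executable at once. */
int jit_page_seal(void *p) {
    long ps = sysconf(_SC_PAGESIZE);
    return mprotect(p, (size_t)ps, PROT_READ | PROT_EXEC);
}

void jit_page_free(jit_budget *b, void *p) {
    long ps = sysconf(_SC_PAGESIZE);
    if (munmap(p, (size_t)ps) == 0 && b->in_use > 0)
        b->in_use--;
}

/* Request `want` pages on behalf of one consumer. Returns how many were
 * granted; stops at the first refusal, leaving last_status set. */
size_t jit_request_pages(jit_budget *b, size_t want, void **out) {
    size_t got = 0;
    while (got < want) {
        void *p = jit_page_alloc(b);
        if (p == NULL)
            break;
        memset(p, 0xC3, (size_t)sysconf(_SC_PAGESIZE)); /* fill with x86 `ret` as stand-in code */
        jit_page_seal(p);
        out[got++] = p;
    }
    return got;
}

int main(void) {
    jit_budget b;
    void *pages[JIT_PAGE_CAP + 1];

    /* A legitimate but code-heavy application that wants more than the cap
     * gets cut off with the same status an attacker would see. */
    jit_budget_init(&b, JIT_PAGE_CAP);
    size_t got = jit_request_pages(&b, JIT_PAGE_CAP + 1, pages);
    printf("requested %u pages, granted %zu, status 0x%08X\n",
           JIT_PAGE_CAP + 1, got, b.last_status);
    for (size_t i = 0; i < got; i++)
        jit_page_free(&b, pages[i]);
    return 0;
}
```

The budget is a live count, not a lifetime total, so a well-behaved runtime that releases pages keeps working; the status only appears when a consumer holds more than the cap at once.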
What makes this more interesting than just another "patch gone wrong" story is the timing, history and intent of the update. With Pwnium and Pwn2Own just around the corner (contests that award prizes to resourceful hackers who defeat security measures in software like Chrome), the timing was hardly a coincidence.
Last May, a French security firm named Vupen found a way to beat Chrome's sandbox. After some mild (and possibly deserved) video gloating, Google dismissed the technique as a mere technicality, since the exploit targeted Chrome's integrated Flash module and not the browser itself. Vupen countered that the distinction was irrelevant because Flash is bundled with the default installation of Chrome. To end users, compromising Chrome through Flash is no different from compromising it directly.
Fast forward to just last week and Chrome made headlines once again. Two separate hacking teams defeated Chrome's revered sandbox, one at Pwnium and one at Pwn2Own. The Pwn2Own hackers are thought to have used a Flash-based vulnerability, and interestingly enough, the winning Pwn2Own contestants were none other than Vupen's own exploit team, possibly using the same Flash exploit they demonstrated last year.
The update Google released a couple of weeks ago was meant to shut down exactly that kind of Flash-based attack, so what happened?
Although the method used at Pwnium was disclosed and patched by Google the following day, the exploit Vupen used at Pwn2Own remains undisclosed. According to ZDNet, Vupen sells these types of exploits exclusively to government buyers rather than reporting them to the vendor.
Regardless of how Vupen did it, they got past Google's clever trap. Unfortunately, that very same trap also crashed Chrome for some legitimate users who had never come near an exploit.